
How to Configure a Site to Site VPN Between a SonicWall Firewall and Microsoft Azure


How to Configure a Site to Site (S2S) VPN Between a SonicWall Firewall and Microsoft Azure | Step by Step Guide

This article covers how to configure a Site to Site VPN between a SonicWall firewall and Microsoft Azure.

Requirements

To set up a Site to Site VPN, you need the following:
• A valid Azure subscription
• SonicWall hardware
• A valid public IP address on the on-premises side

In my lab, I am going to use a SonicWall TZ 205 with SonicOS Enhanced 5.9.1.13 firmware. You can use any other SonicWall model or any NSA series appliance running SonicOS.

The following networks will be used for demonstration purposes during this article. Your networks may be different.

Azure Side Resources

  1. Gateway subnet: 10.10.0.0/24
  2. LAN subnet: 10.10.1.0/24
  3. Public IP: 23.96.38.2

SonicWall Side Resources

  1. LAN subnet: 50.50.50.0/24
  2. Public IP: 68.196.38.124

Let’s get started

Azure Configuration

  1. Log in to the Azure portal
  2. Navigate to Virtual Networks and click Add to create a new network scheme. You can also click New and search for Virtual Network.
  3. In this scenario, we’ve defined the following network. Once filled out, click Create.
    Name: SL-VNET
    Address space: 10.10.0.0/16
    Subnet name: SL-VLAN
    Subnet address range: 10.10.1.0/24


4. Next, we’ll define the gateway network inside of the virtual network we just created. In our case, the virtual network is called “SL-VNET”. Click back into SL-VNET, select Subnets | Gateway Subnet. Define the gateway subnet (in our case 10.10.0.0/24) and click Create.

The virtual network gateway uses a specific subnet called the Gateway Subnet. The Gateway Subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use. The subnet must be named ‘GatewaySubnet’ in order for Azure to deploy the gateway resources. You can’t specify a different subnet to deploy the gateway resources to. If you don’t have a subnet named ‘GatewaySubnet’, when you create your VPN gateway, it will fail. 

Note: Gateway Subnet is used only for communication between other subnets. You should never deploy additional resources to the Gateway Subnet. 
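
A pre-flight check of this lab's address plan, as an added example that is not part of the original article: it verifies that a subnet named GatewaySubnet exists, that the Azure subnets sit inside the VNet without overlapping, and that the on-premises LAN neither overlaps the VNet nor uses public address space. The function and variable names are assumptions; the prefixes are the ones used in this article.

```python
import ipaddress

# Prefixes from this article's lab; replace them with your own.
VNET = "10.10.0.0/16"
AZURE_SUBNETS = {"GatewaySubnet": "10.10.0.0/24", "SL-VLAN": "10.10.1.0/24"}
ONPREM_LAN = "50.50.50.0/24"


def check_address_plan(vnet, azure_subnets, onprem_lan):
    """Return a list of findings; an empty list means the plan is clean."""
    findings = []
    vnet_net = ipaddress.ip_network(vnet)
    onprem = ipaddress.ip_network(onprem_lan)
    subnets = {n: ipaddress.ip_network(c) for n, c in azure_subnets.items()}

    # Azure only deploys gateway resources into a subnet with this exact name.
    if "GatewaySubnet" not in subnets:
        findings.append("no subnet named GatewaySubnet")

    for name, net in subnets.items():
        if not net.subnet_of(vnet_net):
            findings.append(f"{name} {net} is outside VNet {vnet_net}")

    names = sorted(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"{a} overlaps {b}")

    # Overlapping prefixes on both sides of the tunnel make routing ambiguous.
    if onprem.overlaps(vnet_net):
        findings.append(f"on-prem {onprem} overlaps VNet {vnet_net}")

    # A LAN numbered from public space shadows the real owners of that range
    # for every host that routes the prefix into the tunnel.
    if not onprem.is_private:
        findings.append(f"on-prem {onprem} is not private address space")
    return findings


if __name__ == "__main__":
    for finding in check_address_plan(VNET, AZURE_SUBNETS, ONPREM_LAN):
        print("WARN:", finding)
```

With the lab values, the only finding is the on-premises prefix, which is fine for a demonstration but should be a private range in production.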


5. Next, we’ll create a virtual network gateway. Click on “All Services” and search for “Virtual network gateways”. (You can click the star to pin it to the left menu.)


6. Create a new virtual network gateway. Give the gateway a name and define the VPN type. We’ll select gateway type VPN and VPN type Route-based. Choose a SKU type. Select the virtual network (in our case SL-VNET) and create a new public IP address. We’ll use this public IP address later on while configuring the VPN on the SonicWall. Click Create.

VPN Gateway throughput and connection limit capabilities are defined by the VPN SKU type. We deploy VPN SKU VpnGW1 as the default SKU. More information on VPN SKUs can be found in the screenshot below. 


Note: Provisioning a virtual network gateway may take up to 45 minutes.


7. Click on the newly created virtual network gateway. Select Connections | Add.


8. Give the connection a name. Under connection type select Site-to-site (IPsec). Create a new local network gateway. This will be the public IP of the SonicWall and the local network. In our case, the local network of the SonicWall is the default SonicWall subnet 50.50.50.0/24.


9. Provide a secure shared key. This will also be used on the SonicWall. Click OK.


The connection is now created. Its status shows as “Connecting” because we have not yet configured the VPN connection on the SonicWall side.

10. We’ll grab the public IP of Azure and use it in the SonicWall. Navigate to “All Services” and search for Public IP addresses. Make a note of the public IP for the next steps.


SonicWall Configuration

Creating an Address Object for the virtual network

  1. Navigate to Network > Address Objects.
  2. Click Add to create a new Address Object.

Enter the following information:
Name – Enter a name for the Address Object (SL-AzureNetwork is used in this example)
Zone Assignment – Click the drop-down, and then select VPN.
Type – Click the drop-down, and then select Network.
Network – Enter the network IP address as shown in the SL-VNET.
Netmask/Prefix Length – Enter the netmask (in our case 255.255.0.0).
Click Add.


Creating a SonicWall VPN Connection

  1. Navigate to the VPN tab. We’re using the SonicOS 5.9.1.13 firmware. Click Settings. Click Add to create a new VPN policy.
  2. Give the VPN policy a name. We’ll use the following settings:
    Policy Type: Tunnel Interface
    Authentication Method: IKE using Preshared Secret
    Next, click the Proposals tab.

3. Under Proposals select:
IKE (Phase 1) Proposal: Exchange – IKEv2 Mode, Group – 2, Encryption – AES-256, Authentication – SHA1, Life Time – 28800.
IKE (Phase 2) Proposal: Protocol – ESP, Encryption – 3DES, Authentication – SHA1, Life Time – 27000.

4. Select the Advanced tab. Select Enable Keep Alive. Deselect Enable Windows Networking. Select Do not send trigger packet during IKE SA negotiation.

5. Next, navigate to Network | Routing. Select Route Policies and create a new policy. Set the destination to the Azure network and select the Azure interface.
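
The proposal from step 3, checked against the requirement levels in RFC 8247 (IKEv2) and RFC 8221 (ESP), as an added example that is not part of the original article. The `HARDENED` proposal and all names are assumptions for illustration; stronger values only work if the SonicWall and the Azure connection are both configured with them.

```python
# Requirement levels for the algorithms compared here, from RFC 8247 (IKEv2,
# phase 1) and RFC 8221 (ESP, phase 2). "MUST-" marks an algorithm the RFC
# expects to downgrade in a future revision.
LEVELS = {
    "ike": {
        "encryption": {"AES-256": "MUST", "3DES": "MAY"},
        "authentication": {"SHA256": "MUST", "SHA1": "MUST-"},
        "dh_group": {14: "MUST", 19: "SHOULD", 5: "SHOULD NOT",
                     2: "SHOULD NOT", 1: "MUST NOT"},
    },
    "esp": {
        "encryption": {"AES-256": "MUST", "3DES": "SHOULD NOT"},
        "authentication": {"SHA256": "MUST", "SHA1": "MUST-"},
    },
}
ACCEPTABLE = {"MUST", "SHOULD"}

# Proposal from step 3 of this article.
ARTICLE = {
    "ike": {"encryption": "AES-256", "authentication": "SHA1", "dh_group": 2},
    "esp": {"encryption": "3DES", "authentication": "SHA1"},
}
# Constructed alternative (an assumption, not from the article).
HARDENED = {
    "ike": {"encryption": "AES-256", "authentication": "SHA256", "dh_group": 14},
    "esp": {"encryption": "AES-256", "authentication": "SHA256"},
}


def audit(proposal):
    """Return (phase, field, value, level) for every non-preferred choice."""
    findings = []
    for phase, fields in proposal.items():
        for field, value in fields.items():
            level = LEVELS[phase][field].get(value, "UNKNOWN")
            if level not in ACCEPTABLE:
                findings.append((phase, field, value, level))
    return findings


def mismatches(side_a, side_b):
    """Fields that differ between peers; with a single proposal per peer,
    any difference makes the negotiation fail."""
    return [(p, f) for p in side_a for f in side_a[p]
            if side_b.get(p, {}).get(f) != side_a[p][f]]
```

Running `audit(ARTICLE)` flags DH Group 2 and ESP 3DES as SHOULD NOT and SHA1 as MUST- in both phases; `mismatches` shows which fields have to be changed on both peers together when moving to a stronger proposal.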

Test the connectivity from SonicWall

It takes 5-7 minutes for the VPN policy to come up. Once the VPN policy is up we see a green indicator.

The SonicWall firewall automatically initiates the VPN connection and keeps it alive when Keep Alive is enabled.

Test the connectivity from Azure

Go to the Azure Management Portal and navigate to Virtual network gateways.
Click Connections and go to its dashboard.
You can see the connection status changed from “Connecting” to “Connected”.

We have successfully configured an Azure Site to Site VPN with a SonicWall hardware firewall.
Now you can create virtual machines in Azure and access them from your network.

For additional help you can always reach out to us and order our cloud operations support services.

In the next lab, I will show you how you can configure Point to Site VPN with Azure.
