Connecting a local FortiGate to an Azure FortiGate via site-to-site VPN
This guide provides a sample configuration of a site-to-site IPsec VPN with static routing between a local FortiGate and a FortiGate in Azure.
The following shows the topology for this sample configuration:
This topology consists of the following:
- A local FortiGate located in an on-premises environment. Determine whether your FortiGate has a publicly accessible IP address or is behind NAT. In this sample configuration, the local FortiGate is behind NAT.
- A FortiGate located in Azure with port1 connected to the WAN and port2 connected to the Azure local subnet.
This recipe consists of the following steps:
- Configure the local FortiGate:
  - Configure the interfaces.
  - Configure a static route to connect to the Internet.
  - Configure IPsec VPN.
- Configure the Azure FortiGate:
  - Configure the interface.
  - Configure IPsec VPN.
- Bring up the VPN tunnel on the local FortiGate.
- Verify the VPN tunnel on both the local FortiGate and the Azure FortiGate.
- Run diagnose commands.
Configuring the local FortiGate
To configure the interfaces:
To configure the interfaces using the GUI, do the following:
- In FortiOS on the local FortiGate, go to Network > Interfaces.
- Edit port5. Set the role to WAN and set an IP/Network Mask of 192.168.5.1/255.255.255.0. This is for the interface connected to the Internet.
- Edit port4. Set the role to LAN and set an IP/Network Mask of 172.16.200.1/255.255.255.0. This is for the interface connected to the local subnet.
To configure the interfaces using the CLI, run the following commands:
FGTA-1 # show system interface port5
config system interface
edit "port5"
set vdom "root"
set ip 192.168.9.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set lldp-reception enable
set role wan
set snmp-index 7
next
end
FGTA-1 # show system interface port4
config system interface
edit "port4"
set vdom "root"
set ip 172.16.200.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 6
next
end
To configure a static route to connect to the Internet:
To configure a static route using the GUI, do the following:
- Go to Network > Static Routes.
- Click Create New.
- Set the Destination to 0.0.0.0/0.0.0.0.
- For the Interface, select port5.
- Set the Gateway Address to 192.168.9.254.
To configure a static route using the CLI, run the following commands:
FGTA-1 # show router static
config router static
edit 1
set gateway 192.168.9.254
set device "port5"
next
end
To configure IPsec VPN:
To configure IPsec VPN using the GUI, do the following:
- Go to VPN > IPsec Wizard.
- Configure VPN Setup:
  - Enter the desired VPN name. In the example, this is "to_cloud".
  - For Template Type, select Site to Site.
  - For the Remote Device Type, select FortiGate.
  - For NAT Configuration, select This site is behind NAT. For non-dial-up situations where your local FortiGate has a public external IP address, you must choose No NAT between sites.
  - Click Next.
- Configure Authentication:
  - For Remote Device, select IP Address.
  - Enter an IP address of 40.115.111.31, which is the Azure FortiGate's port1 public IP address.
  - For Outgoing Interface, select port5.
  - Set the Authentication Method to Pre-shared Key.
  - Enter a pre-shared key of 123456.
  - Click Next.
- Configure Policy & Routing:
  - For Local Interface, select port4.
  - FortiOS automatically populates Local Subnets with 172.16.200.0/24.
  - Set the Remote Subnets to 10.58.1.0/24, which is the Azure FortiGate's port2 subnet.
  - For Internet Access, select None.
  - Click Create.
To configure IPsec VPN using the CLI, run the following commands:
FGTA-1 # show vpn ipsec phase1-interface to_cloud
config vpn ipsec phase1-interface
edit "to_cloud"
set interface "port5"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: to_cloud (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 40.115.111.31
set psksecret ENC xxxxxx
next
end
FGTA-1 # show vpn ipsec phase2-interface to_cloud
config vpn ipsec phase2-interface
edit "to_cloud"
set phase1name "to_cloud"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: to_cloud (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "to_cloud_local"
set dst-name "to_cloud_remote"
next
end
FGTA-1 # show router static
config router static
edit 2
set device "to_cloud"
set comment "VPN: to_cloud (Created by VPN wizard)"
set dstaddr "to_cloud_remote"
next
edit 3
set distance 254
set comment "VPN: to_cloud (Created by VPN wizard)"
set blackhole enable
set dstaddr "to_cloud_remote"
next
end
FGTA-1 # show firewall policy
config firewall policy
edit 1
set name "vpn_to_cloud_local"
set uuid ef98b6d8-41d9-51e9-20c5-7a31a66dd557
set srcintf "port4"
set dstintf "to_cloud"
set srcaddr "to_cloud_local"
set dstaddr "to_cloud_remote"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: to_cloud (Created by VPN wizard)"
next
edit 2
set name "vpn_to_cloud_remote"
set uuid ef9b260c-41d9-51e9-cf9c-0a082dc52660
set srcintf "to_cloud"
set dstintf "port4"
set srcaddr "to_cloud_remote"
set dstaddr "to_cloud_local"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: to_cloud (Created by VPN wizard)"
next
end
Configuring the Azure FortiGate
To configure the interface:
To configure the interface using the GUI, do the following:
- In FortiOS on the Azure FortiGate, go to Network > Interfaces.
- Edit port2. Set the role to LAN and set an IP/Network Mask of 10.58.1.4/255.255.255.0. This is for the interface connected to the Azure local subnet.
To configure the interface using the CLI, run the following commands:
FGT-Azure # show system interface port2
config system interface
edit "port2"
set vdom "root"
set ip 10.58.1.4 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
set type physical
set snmp-index 2
next
end
To configure IPsec VPN:
To configure IPsec VPN using the GUI, do the following:
- Go to VPN > IPsec Wizard.
- Configure VPN Setup:
  - Enter the desired VPN name. In the example, this is "to_local".
  - For Template Type, select Site to Site.
  - For the Remote Device Type, select FortiGate.
  - For NAT Configuration, select This site is behind NAT. For non-dial-up situations where your local FortiGate has a public external IP address, you must choose No NAT between sites.
  - Click Next.
- Configure Authentication:
  - For Incoming Interface, select port1.
  - Set the Authentication Method to Pre-shared Key.
  - Enter a pre-shared key of 123456.
  - Click Next.
- Configure Policy & Routing:
  - For Local Interface, select port2.
  - FortiOS automatically populates Local Subnets with 10.58.1.0/24.
  - Set the Remote Subnets to 172.16.200.0/24, which is the local FortiGate's port4 subnet.
  - For Internet Access, select None.
  - Click Create.
To configure IPsec VPN using the CLI, run the following commands:
FGT-Azure # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "to_local"
set type dynamic
set interface "port1"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dpd on-idle
set comments "VPN: to_local (Created by VPN wizard)"
set wizard-type dialup-fortigate
set psksecret ENC xxxxxx
set dpd-retryinterval 60
next
end
FGT-Azure # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "to_local"
set phase1name "to_local"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: to_local (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "to_local_local"
set dst-name "to_local_remote"
next
end
FGT-Azure # show firewall policy
config firewall policy
edit 1
set name "vpn_to_local_local"
set uuid 032b6000-41f4-51e9-acb8-b7e32128bb70
set srcintf "port2"
set dstintf "to_local"
set srcaddr "to_local_local"
set dstaddr "to_local_remote"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: to_local (Created by VPN wizard)"
next
edit 2
set name "vpn_to_local_remote"
set uuid 0343ee4a-41f4-51e9-a06a-d4a15d35a0a2
set srcintf "to_local"
set dstintf "port2"
set srcaddr "to_local_remote"
set dstaddr "to_local_local"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: to_local (Created by VPN wizard)"
next
end
To bring up the VPN tunnel on the local FortiGate:
The tunnel stays down until you initiate the connection from the local FortiGate.
- In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor.
- Click the to_cloud tunnel.
- Click Bring Up to bring up the VPN tunnel.
To verify the VPN tunnel on both the local FortiGate and the Azure FortiGate:
- In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor. It should look like the following:
- In FortiOS on the Azure FortiGate, go to Monitor > IPsec Monitor. It should look like the following:
To run diagnose commands:
- To show the local FortiGate's VPN status, run the following commands:
FGTA-1 # diagnose vpn ike gateway list
vd: root/0
name: to_cloud
version: 1
interface: port5 13
addr: 192.168.9.1:4500 -> 40.115.111.31:4500
created: 1042s ago
nat: me peer
IKE SA: created 1/1 established 1/1 time 400/400/400 ms
IPsec SA: created 1/1 established 1/1 time 130/130/130 ms
id/spi: 365 cc00c782040e9ec9/e07668adc21bd6a7
direction: initiator
status: established 1042-1041s ago = 400ms
proposal: aes128-sha256
key: 2793ba055ddab07a-83c804230bffd8de
lifetime/rekey: 86400/85058
DPD sent/recv: 00000000/0000000a
FGTA-1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_cloud ver=1 serial=2 192.168.9.1:4500->40.115.111.31:4500 dst_mtu=1500
bound_if=13 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=18 olast=58 ad=/0
stat: rxp=1 txp=2 rxb=16516 txb=16450
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=to_cloud proto=0 sa=1 ref=2 serial=1
src: 0:172.16.200.0/255.255.255.0:0
dst: 0:10.58.1.0/255.255.255.0:0
SA: ref=6 options=10226 type=00 soft=0 mtu=1422 expire=42217/0B replaywin=2048
seqno=3 esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=394f6923 esp=aes key=16 4ac11dd0916496e2e1edd610d83c7017
ah=sha1 key=20 8d0c08ab1ed0d96ae29d521ed954a6bcc270f863
enc: spi=5dc261b2 esp=aes key=16 c1b49a1251aa9bdb8b0ea205a687c794
ah=sha1 key=20 0693c8988ef609bc410d6024e72e576366b53fef
dec:pkts/bytes=1/16440, enc:pkts/bytes=2/16602
npu_flag=03 npu_rgwy=40.115.111.31 npu_lgwy=192.168.9.1 npu_selid=1 dec_npuid=1 enc_npuid=1
- To show the Azure FortiGate's VPN status, run the following commands:
FGT-Azure # diagnose vpn ike gateway list
vd: root/0
name: to_local_0
version: 1
interface: port1 3
addr: 10.58.0.4:4500 -> 208.91.115.10:64916
created: 1085s ago
nat: me peer
IKE SA: created 1/1 established 1/1 time 270/270/270 ms
IPsec SA: created 1/1 established 1/1 time 140/140/140 ms
id/spi: 0 cc00c782040e9ec9/e07668adc21bd6a7
direction: responder
status: established 1085-1084s ago = 270ms
proposal: aes128-sha256
key: 2793ba055ddab07a-83c804230bffd8de
lifetime/rekey: 86400/85045
DPD sent/recv: 0000000b/00000000
FGT-Azure # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_local ver=1 serial=1 10.58.0.4:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=0 child_num=1 refcnt=11 ilast=1096 olast=1096 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
------------------------------------------------------
name=to_local_0 ver=1 serial=2 10.58.0.4:4500->208.91.115.10:64916 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/976 options[03d0]=create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
parent=to_local index=0
proxyid_num=1 child_num=0 refcnt=14 ilast=38 olast=38 ad=/0
stat: rxp=334 txp=334 rxb=53440 txb=28056
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=11
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=to_local proto=0 sa=1 ref=2 serial=1 add-route
src: 0:10.58.1.0/255.255.255.0:0
dst: 0:172.16.200.0/255.255.255.0:0
SA: ref=3 options=282 type=00 soft=0 mtu=1422 expire=42460/0B replaywin=2048
seqno=14f esn=0 replaywin_lastseq=0000014f itn=0 qat=0
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=5dc261b2 esp=aes key=16 c1b49a1251aa9bdb8b0ea205a687c794
ah=sha1 key=20 0693c8988ef609bc410d6024e72e576366b53fef
enc: spi=394f6923 esp=aes key=16 4ac11dd0916496e2e1edd610d83c7017
ah=sha1 key=20 8d0c08ab1ed0d96ae29d521ed954a6bcc270f863
dec:pkts/bytes=334/28056, enc:pkts/bytes=334/53440
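As an added example that is not part of the original recipe, the following Python script parses trimmed copies of the two diagnose vpn tunnel list outputs above and checks that the two ends agree: the phase 2 selectors are mirrored, and each side's outbound (enc) SPI is the other side's inbound (dec) SPI. On the dial-up side it skips the parent to_local entry, which carries no SA, and reads the to_local_0 instance instead. The excerpts are constructed from the listings on this page with the session key material dropped.

```python
import re
# Constructed excerpts of the two "diagnose vpn tunnel list" outputs above,
# trimmed to the fields this check reads (session key material dropped).
LOCAL_OUT = """\
name=to_cloud ver=1 serial=2 192.168.9.1:4500->40.115.111.31:4500 dst_mtu=1500
  proxyid=to_cloud proto=0 sa=1 ref=2 serial=1
    src: 0:172.16.200.0/255.255.255.0:0
    dst: 0:10.58.1.0/255.255.255.0:0
    dec: spi=394f6923 esp=aes key=16
    enc: spi=5dc261b2 esp=aes key=16
"""
AZURE_OUT = """\
name=to_local ver=1 serial=1 10.58.0.4:0->0.0.0.0:0 dst_mtu=0
  proxyid_num=0 child_num=1 refcnt=11 ilast=1096 olast=1096 ad=/0
name=to_local_0 ver=1 serial=2 10.58.0.4:4500->208.91.115.10:64916 dst_mtu=1500
  parent=to_local index=0
  proxyid=to_local proto=0 sa=1 ref=2 serial=1 add-route
    src: 0:10.58.1.0/255.255.255.0:0
    dst: 0:172.16.200.0/255.255.255.0:0
    dec: spi=5dc261b2 esp=aes key=16
    enc: spi=394f6923 esp=aes key=16
"""
def parse_tunnels(text):
    """Map tunnel name -> selectors/SPIs, keeping only entries that carry an SA
    (on the dial-up side that is the child instance to_local_0, not the parent)."""
    tunnels, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("name="):
            cur = {"sa": 0}
            tunnels[re.match(r"name=(\S+)", line).group(1)] = cur
        elif cur is None:
            continue
        elif line.startswith("proxyid="):  # "proxyid_num=" lines do not match here
            cur["sa"] = int(re.search(r"\bsa=(\d+)", line).group(1))
        elif m := re.match(r"(src|dst): \d+:([\d.]+)/([\d.]+):", line):
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := re.match(r"(dec|enc): spi=([0-9a-f]+)", line):
            cur[m.group(1) + "_spi"] = m.group(2)
    return {name: t for name, t in tunnels.items() if t["sa"]}
def check_mirrored(local_out, azure_out):
    """Return the list of mismatches between the two ends (empty means consistent)."""
    a = next(iter(parse_tunnels(local_out).values()))
    b = next(iter(parse_tunnels(azure_out).values()))
    problems = []
    if a["src"] != b["dst"] or a["dst"] != b["src"]:
        problems.append("phase 2 selectors are not mirrored")
    if a["enc_spi"] != b["dec_spi"] or a["dec_spi"] != b["enc_spi"]:
        problems.append("ESP SPIs do not match across sides")
    return problems
```

A non-empty result usually means the two ends negotiated different selectors or one side is showing a stale SA; compare the outputs again after a rekey before changing configuration.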