IPsec VPN to an Azure with virtual WAN

This is a sample configuration of an IPsec site-to-site VPN connection between an on-premise FortiGate and an Azure virtual network (VNet). This example uses Azure virtual WAN (vWAN) to establish the VPN connection.

Azure must use IPsec v2 for this configuration.
Azure uses overlapped subnet IP addresses for the IPsec interfaces.

To configure IKEv2 IPsec site-to-site VPN to an Azure VPN gateway:

In the Azure management portal, configure vWAN-related settings as described in Tutorial: Create a Site-to-Site connection using Azure Virtual WAN.
If a custom BGP IP address is configured on Azure's vWAN, such as 169.254.21.6 and 169.254.21.7, you must configure the FortiGate remote-IP to the corresponding Custom BGP IP Address value. If a custom BGP IP address is not configured, FortiGate remote-IPs should point to the Default BGP IP Address value.
Download the VPN configuration. The following shows an example VPN configuration:
[ {"configurationVersion":{"LastUpdatedTime":"2019-07-16T22:16:28.0409002Z","Version":"be5c5787-b903-43b1-a237-49eae1b373e4"},"vpnSiteConfiguration":{"Name":"toaws","IPAddress":"3.220.252.93","BgpSetting":{"Asn":7225,"BgpPeeringAddress":"169.254.24.25","PeerWeight":32768},"LinkName":"toaws"},"vpnSiteConnections":[{"hubConfiguration":{"AddressSpace":"10.1.0.0/16","Region":"West US","ConnectedSubnets":["10.2.0.0/16"]},"gatewayConfiguration":{"IpAddresses":{"Instance0":"52.180.90.47","Instance1":"52.180.89.94"},"BgpSetting":{"Asn":65515,"BgpPeeringAddresses":{"Instance0":"10.1.0.7","Instance1":"10.1.0.6"},"PeerWeight":0}},"connectionConfiguration":{"IsBgpEnabled":true,"PSK":"Fortinet123#","IPsecParameters":{"SADataSizeInKilobytes":102400000,"SALifeTimeInSeconds":3600}}}]} ]
Configure the following on the FortiGate. Note for set proposal, you can select from several proposals.
config vpn ipsec phase1-interface

edit "toazure1"

set interface "port1"

set ike-version 2

set keylife 28800

set peertype any

set proposal aes256-sha1

set dhgrp 2

set remote-gw 52.180.90.47

set psksecret **********

next

edit "toazure2"

set interface "port1"

set ike-version 2

set keylife 28800

set peertype any

set proposal aes256-sha1

set dhgrp 2

set remote-gw 52.180.89.94

set psksecret **********

next

end

config vpn ipsec phase2-interface

edit "toazure1"

set phase1name "toazure1"

set proposal aes256-sha1

set dhgrp 2

set keylifeseconds 3600

next

edit "toazure2"

set phase1name "toazure2"

set proposal aes256-sha1

set dhgrp 2

set keylifeseconds 3600

next

end

config system settings

set allow-subnet-overlap enable

end

config system interface

edit "toazure1"

set vdom "root"

set ip 169.254.24.25 255.255.255.255

set type tunnel

set remote-ip 10.1.0.7 255.255.255.255

set snmp-index 4

set interface "port1"

next

edit "toazure2"

set vdom "root"

set ip 169.254.24.25 255.255.255.255

set type tunnel

set remote-ip 10.1.0.6 255.255.255.255

set snmp-index 5

set interface "port1"

next

end

config router bgp

set as 7225

set router-id 169.254.24.25

config neighbor

edit "10.1.0.7"

set remote-as 65515

next

edit "10.1.0.6"

set remote-as 65515

next

end

config network

edit 1

set prefix 172.30.101.0 255.255.255.0

next

end

config redistribute "connected"

set status enable

end

config redistribute "rip"

end

config redistribute "ospf"

end

config redistribute "static"

end

config redistribute "isis"

end

config redistribute6 "connected"

end

config redistribute6 "rip"

end

config redistribute6 "ospf"

end

config redistribute6 "static"

end

config redistribute6 "isis"

end

end

Run diagnose vpn tunnel list. If the configuration was successful, the output should resemble the following:

name=toazure1 ver=2 serial=3 172.30.1.83:4500->52.180.90.47:4500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=15 ilast=16 olast=36 ad=/0
stat: rxp=41 txp=41 rxb=5104 txb=2209
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=keepalive draft=0 interval=10 remote_port=4500
proxyid=toazure1 proto=0 sa=1 ref=2 serial=4
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=8926 expire=2463/0B replaywin=2048
       seqno=2a esn=0 replaywin_lastseq=00000029 itn=0
  life: type=01 bytes=0/0 timeout=3300/3600
  dec: spi=c13f7928 esp=aes key=32 009a86bb0d6f5fee66af7b8232c8c0f22e6ec5c61ba19c93569bd0cd115910a9
       ah=sha1 key=20 f05bfeb0060afa89d4afdfac35960a8a7a4d4856
  enc: spi=b40a6c70 esp=aes key=32 a1e361075267ba72b39924c5e6c766fd0b08e0548476de2792ee72057fe60d1d
       ah=sha1 key=20 b1d24bedb0eb8fbd26de3e7c0b0a3a799548f52f
  dec:pkts/bytes=41/2186, enc:pkts/bytes=41/5120
------------------------------------------------------
name=toazure2 ver=2 serial=4 172.30.1.83:4500->52.180.89.94:4500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=16 ilast=16 olast=16 ad=/0
stat: rxp=40 txp=40 rxb=4928 txb=2135
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=keepalive draft=0 interval=10 remote_port=4500
proxyid=toazure2 proto=0 sa=1 ref=2 serial=4
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10626 type=00 soft=0 mtu=8926 expire=2427/0B replaywin=2048
       seqno=29 esn=0 replaywin_lastseq=00000028 itn=0
  life: type=01 bytes=0/0 timeout=3299/3600
  dec: spi=c13f791d esp=aes key=32 759898cbb7fafe448116b1fb0fb6d2f0eb99621ea6ed8dd4417ffdb901eb82be
       ah=sha1 key=20 533ec5dc8a1910221e7742b12f9de1b41205622c
  enc: spi=67934bfe esp=aes key=32 9b5710bfb4ba784722241ec371ba8066629febcd75da6f8471915bdeb874ca80
       ah=sha1 key=20 5099fed7edac2b960294094f1a8188ab42f34d7b
  dec:pkts/bytes=40/2087, enc:pkts/bytes=40/4976

 

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 172.30.1.1, port1
B       10.1.0.0/16 [20/0] via 10.1.0.6, toazure2, 00:15:01
C       10.1.0.6/32 is directly connected, toazure2
C       10.1.0.7/32 is directly connected, toazure1
B       10.2.0.0/16 [20/0] via 10.1.0.6, toazure2, 00:15:01
C       169.254.24.25/32 is directly connected, toazure1
                         is directly connected, toazure2
C       172.30.1.0/24 is directly connected, port1
C       172.30.101.0/24 is directly connected, port2

IPsec VPN to an Azure with virtual WAN

Azure must use IPsec v2 for this configuration.
Azure uses overlapped subnet IP addresses for the IPsec interfaces.

To configure IKEv2 IPsec site-to-site VPN to an Azure VPN gateway:

In the Azure management portal, configure vWAN-related settings as described in Tutorial: Create a Site-to-Site connection using Azure Virtual WAN.

If a custom BGP IP address is configured on Azure's vWAN, such as 169.254.21.6 and 169.254.21.7, you must configure the FortiGate remote-IP to the corresponding Custom BGP IP Address value. If a custom BGP IP address is not configured, FortiGate remote-IPs should point to the Default BGP IP Address value.

Download the VPN configuration. The following shows an example VPN configuration:

[ {"configurationVersion":{"LastUpdatedTime":"2019-07-16T22:16:28.0409002Z","Version":"be5c5787-b903-43b1-a237-49eae1b373e4"},"vpnSiteConfiguration":{"Name":"toaws","IPAddress":"3.220.252.93","BgpSetting":{"Asn":7225,"BgpPeeringAddress":"169.254.24.25","PeerWeight":32768},"LinkName":"toaws"},"vpnSiteConnections":[{"hubConfiguration":{"AddressSpace":"10.1.0.0/16","Region":"West US","ConnectedSubnets":["10.2.0.0/16"]},"gatewayConfiguration":{"IpAddresses":{"Instance0":"52.180.90.47","Instance1":"52.180.89.94"},"BgpSetting":{"Asn":65515,"BgpPeeringAddresses":{"Instance0":"10.1.0.7","Instance1":"10.1.0.6"},"PeerWeight":0}},"connectionConfiguration":{"IsBgpEnabled":true,"PSK":"Fortinet123#","IPsecParameters":{"SADataSizeInKilobytes":102400000,"SALifeTimeInSeconds":3600}}}]} ]

Configure the following on the FortiGate. Note for set proposal, you can select from several proposals.

config vpn ipsec phase1-interface

edit "toazure1"

set interface "port1"

set ike-version 2

set keylife 28800

set peertype any

set proposal aes256-sha1

set dhgrp 2

set remote-gw 52.180.90.47

set psksecret **********

edit "toazure2"

set interface "port1"

set ike-version 2

set keylife 28800

set peertype any

set proposal aes256-sha1

set dhgrp 2

set remote-gw 52.180.89.94

set psksecret **********

end

config vpn ipsec phase2-interface

edit "toazure1"

set phase1name "toazure1"

set proposal aes256-sha1

set dhgrp 2

set keylifeseconds 3600

edit "toazure2"

set phase1name "toazure2"

set proposal aes256-sha1

set dhgrp 2

set keylifeseconds 3600

end

config system settings

set allow-subnet-overlap enable

end

config system interface

edit "toazure1"

set vdom "root"

set ip 169.254.24.25 255.255.255.255

set type tunnel

set remote-ip 10.1.0.7 255.255.255.255

set snmp-index 4

set interface "port1"

edit "toazure2"

set vdom "root"

set ip 169.254.24.25 255.255.255.255

set type tunnel

set remote-ip 10.1.0.6 255.255.255.255

set snmp-index 5

set interface "port1"

end

config router bgp

set as 7225

set router-id 169.254.24.25

config neighbor

edit "10.1.0.7"

set remote-as 65515

edit "10.1.0.6"

set remote-as 65515

end

config network

edit 1

set prefix 172.30.101.0 255.255.255.0

end

config redistribute "connected"

set status enable

end

config redistribute "rip"

end

config redistribute "ospf"

end

config redistribute "static"

end

config redistribute "isis"

end

config redistribute6 "connected"

end

config redistribute6 "rip"

end

config redistribute6 "ospf"

end

config redistribute6 "static"

end

config redistribute6 "isis"

end

Run diagnose vpn tunnel list. If the configuration was successful, the output should resemble the following:

name=toazure1 ver=2 serial=3 172.30.1.83:4500->52.180.90.47:4500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=15 ilast=16 olast=36 ad=/0
stat: rxp=41 txp=41 rxb=5104 txb=2209
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=keepalive draft=0 interval=10 remote_port=4500
proxyid=toazure1 proto=0 sa=1 ref=2 serial=4
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=8926 expire=2463/0B replaywin=2048
       seqno=2a esn=0 replaywin_lastseq=00000029 itn=0
  life: type=01 bytes=0/0 timeout=3300/3600
  dec: spi=c13f7928 esp=aes key=32 009a86bb0d6f5fee66af7b8232c8c0f22e6ec5c61ba19c93569bd0cd115910a9
       ah=sha1 key=20 f05bfeb0060afa89d4afdfac35960a8a7a4d4856
  enc: spi=b40a6c70 esp=aes key=32 a1e361075267ba72b39924c5e6c766fd0b08e0548476de2792ee72057fe60d1d
       ah=sha1 key=20 b1d24bedb0eb8fbd26de3e7c0b0a3a799548f52f
  dec:pkts/bytes=41/2186, enc:pkts/bytes=41/5120
------------------------------------------------------
name=toazure2 ver=2 serial=4 172.30.1.83:4500->52.180.89.94:4500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=16 ilast=16 olast=16 ad=/0
stat: rxp=40 txp=40 rxb=4928 txb=2135
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=keepalive draft=0 interval=10 remote_port=4500
proxyid=toazure2 proto=0 sa=1 ref=2 serial=4
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10626 type=00 soft=0 mtu=8926 expire=2427/0B replaywin=2048
       seqno=29 esn=0 replaywin_lastseq=00000028 itn=0
  life: type=01 bytes=0/0 timeout=3299/3600
  dec: spi=c13f791d esp=aes key=32 759898cbb7fafe448116b1fb0fb6d2f0eb99621ea6ed8dd4417ffdb901eb82be
       ah=sha1 key=20 533ec5dc8a1910221e7742b12f9de1b41205622c
  enc: spi=67934bfe esp=aes key=32 9b5710bfb4ba784722241ec371ba8066629febcd75da6f8471915bdeb874ca80
       ah=sha1 key=20 5099fed7edac2b960294094f1a8188ab42f34d7b
  dec:pkts/bytes=40/2087, enc:pkts/bytes=40/4976

 

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 172.30.1.1, port1
B       10.1.0.0/16 [20/0] via 10.1.0.6, toazure2, 00:15:01
C       10.1.0.6/32 is directly connected, toazure2
C       10.1.0.7/32 is directly connected, toazure1
B       10.2.0.0/16 [20/0] via 10.1.0.6, toazure2, 00:15:01
C       169.254.24.25/32 is directly connected, toazure1
                         is directly connected, toazure2
C       172.30.1.0/24 is directly connected, port1
C       172.30.101.0/24 is directly connected, port2

Fortinet Document Library

Version:

Version:

Version:

Version:

Table of Contents

Administration Guide

IPsec VPN to an Azure with virtual WAN

To configure IKEv2 IPsec site-to-site VPN to an Azure VPN gateway:

IPsec VPN to an Azure with virtual WAN

To configure IKEv2 IPsec site-to-site VPN to an Azure VPN gateway: