IPsec VPN to an Azure with virtual WAN

This is a sample configuration of an IPsec site-to-site VPN connection between an on-premise FortiGate and an Azure virtual network (VNet). This example uses Azure virtual WAN (vWAN) to establish the VPN connection.

  • Azure must use IPsec v2 for this configuration.
  • Azure uses overlapped subnet IP addresses for the IPsec interfaces.
To configure IKEv2 IPsec site-to-site VPN to an Azure VPN gateway:
  1. In the Azure management portal, configure vWAN-related settings as described in Tutorial: Create a Site-to-Site connection using Azure Virtual WAN.

    If a custom BGP IP address is configured on Azure's vWAN, such as and, you must configure the FortiGate remote-IP to the corresponding Custom BGP IP Address value. If a custom BGP IP address is not configured, FortiGate remote-IPs should point to the Default BGP IP Address value.

  2. Download the VPN configuration. The following shows an example VPN configuration:

    [ {"configurationVersion":{"LastUpdatedTime":"2019-07-16T22:16:28.0409002Z","Version":"be5c5787-b903-43b1-a237-49eae1b373e4"},"vpnSiteConfiguration":{"Name":"toaws","IPAddress":"","BgpSetting":{"Asn":7225,"BgpPeeringAddress":"","PeerWeight":32768},"LinkName":"toaws"},"vpnSiteConnections":[{"hubConfiguration":{"AddressSpace":"","Region":"West US","ConnectedSubnets":[