Fortinet white logo
Fortinet white logo

Administration Guide

IPsec VPN to Azure with virtual network gateway

IPsec VPN to Azure with virtual network gateway

This example shows how to configure a site-to-site IPsec VPN tunnel to Microsoft Azure. It shows how to configure a tunnel between each site, avoiding overlapping subnets, so that a secure tunnel can be established.

Prerequisites

  • A FortiGate with an Internet-facing IP address
  • A valid Microsoft Azure account

Sample topology

Sample configuration

This sample configuration shows how to:

  1. Configure an Azure virtual network
  2. Specify the Azure DNS server
  3. Configure the Azure virtual network gateway
  4. Configure the Azure local network gateway
  5. Configure the FortiGate tunnel
  6. Create the Azure firewall object
  7. Create the FortiGate firewall policies
  8. Create the FortiGate static route
  9. Create the Azure site-to-site VPN connection
  10. Check the results
To configure an Azure virtual network:
  1. Log in to Azure and click New.
  2. In Search the Marketplace, type Virtual network.
  3. Click Virtual network to open the Virtual network pane.

  4. At the bottom of the Virtual network pane, click the Select a deployment model dropdown list and select Resource Manager.
  5. Click Create.

  6. On the Create virtual network pane, enter you virtual network settings, and click Create.

To specify the Azure DNS server:
  1. Open the virtual network you just created.
  2. Click DNS servers to open the DNS servers pane.
  3. Enter the IP address of the DNS server and click Save.

To configure the Azure virtual network gateway:
  1. In the portal dashboard, go to New.
  2. Search for Virtual Network Gateway and click it to open the Virtual network gateway pane.

  3. Click Create Virtual network gateways and enter the settings for your virtual network gateway.

  4. If needed, create a Public IP address.

  5. Click Create.

    Creating the virtual network gateway might take some time. When the provisioning is done, you'll receive a notification.

To configure the Azure local network gateway:
  1. In the portal dashboard, click All resources.
  2. Click Add and then click See all.

  3. In the Everything pane, search for Local network gateway and then click Create local network gateway.

  4. For the IP address, enter the local network gateway IP address, that is, the FortiGate's external IP address.

  5. Set the remaining values for your local network gateway and click Create.
To configure the FortiGate tunnel:
  1. In the FortiGate, go to VPN > IP Wizard.
  2. Enter a Name for the tunnel, click Custom, and then click Next.
  3. Configure the Network settings.
    1. For Remote Gateway, select Static IP Address and enter the IP address provided by Azure.
    2. For Interface, select wan1.
    3. For NAT Traversal, select Disable,
    4. For Dead Peer Detection, select On Idle.
    5. In the Authentication section, select
  4. Configure the Authentication settings.
    1. For Method, select Pre-shared Key and enter the Pre-shared Key.
    2. For IKE, select 2.
  5. Configure the Phase 1 Proposal settings.
    1. Set the Encryption and Authentication combination to the three supported encryption algorithm combinations accepted by Azure.
      • AES256 and SHA1
      • 3DES and SHA1
      • AES256 and SHA256
    2. For Diffie-Hellman Groups, select 2.
    3. Set Key Lifetime (seconds) to 28800.
  6. In Phase 2 Selectors, expand the Advanced section to configure the Phase 2 Proposal settings.
      1. Set the Encryption and Authentication combinations:

        • AES256 and SHA1
        • 3DES and SHA1
        • AES256 and SHA256
      2. Uncheck Enable Perfect Forward Secrecy (PFS).
      3. Set Key Lifetime (seconds) to 27000.
    • Click OK.
    To create the Azure firewall object:
    1. In the FortiGate, go to Policy & Objects > Addresses.
    2. Create a firewall object for the Azure VPN tunnel.
    To create the FortiGate firewall policies:
    1. In the FortiGate, go to Policy & Objects > Firewall Policy.
    2. Create a policy for the site-to-site connection that allows outgoing traffic.
      1. Set the Source address and Destination address using the firewall objects you just created.
      2. Disable NAT.
    3. Create another policy that allows incoming traffic.
      1. For this policy, reverse the Source address and Destination address.
    4. We recommend limiting the TCP maximum segment size (MSS) being sent and received so as to avoid packet drops and fragmentation.

      To do this, use the following CLI commands on both policies.

      config firewall policy
         edit <policy-id>
            set tcp-mss-sender 1350
            set tcp-mss-receiver 1350
         next
      end
    To create the FortiGate static route:
    1. In the FortiGate, go to Network > Static Routes.
    2. Create an IPv4 Static Route that forces outgoing traffic going to Azure to go through the route-based tunnel.
    3. Set the Administrative Distance to a value lower than the existing default route value.
    To create the Azure site-to-site VPN connection:
    1. In the Azure portal, locate and select your virtual network gateway.
    2. In the Settings pane, click Connections and then click Add.

    3. Enter the settings for your connection. Ensure the Shared Key (PSK) matches the Pre-shared Key for the FortiGate tunnel.
    To check the results:
    1. In the FortiGate, go to Monitor > IPsec Monitor and check that the tunnel is up. If the tunnel is down, right-click the tunnel and select Bring Up.
    2. In the FortiGate, go to Log & Report > Events.
      1. Select an event to view more information and verify the connection.
    3. In the Azure portal dashboard, click All resources and locate your virtual network gateway.
      1. In your virtual network gateway pane, click Connections to see the status of each connection.

      2. Click a connection to open the Essentials pane to view more information about that connection.
        • If the connection is successful, the Status shows Connected.
        • See the ingress and egress bytes to confirm traffic flowing through the tunnel.

    IPsec VPN to Azure with virtual network gateway

    IPsec VPN to Azure with virtual network gateway

    This example shows how to configure a site-to-site IPsec VPN tunnel to Microsoft Azure. It shows how to configure a tunnel between each site, avoiding overlapping subnets, so that a secure tunnel can be established.

    Prerequisites

    • A FortiGate with an Internet-facing IP address
    • A valid Microsoft Azure account

    Sample topology

    Sample configuration

    This sample configuration shows how to:

    1. Configure an Azure virtual network
    2. Specify the Azure DNS server
    3. Configure the Azure virtual network gateway
    4. Configure the Azure local network gateway
    5. Configure the FortiGate tunnel
    6. Create the Azure firewall object
    7. Create the FortiGate firewall policies
    8. Create the FortiGate static route
    9. Create the Azure site-to-site VPN connection
    10. Check the results
    To configure an Azure virtual network:
    1. Log in to Azure and click New.
    2. In Search the Marketplace, type Virtual network.
    3. Click Virtual network to open the Virtual network pane.

    4. At the bottom of the Virtual network pane, click the Select a deployment model dropdown list and select Resource Manager.
    5. Click Create.

    6. On the Create virtual network pane, enter you virtual network settings, and click Create.

    To specify the Azure DNS server:
    1. Open the virtual network you just created.
    2. Click DNS servers to open the DNS servers pane.
    3. Enter the IP address of the DNS server and click Save.

    To configure the Azure virtual network gateway:
    1. In the portal dashboard, go to New.
    2. Search for Virtual Network Gateway and click it to open the Virtual network gateway pane.

    3. Click Create Virtual network gateways and enter the settings for your virtual network gateway.

    4. If needed, create a Public IP address.

    5. Click Create.

      Creating the virtual network gateway might take some time. When the provisioning is done, you'll receive a notification.

    To configure the Azure local network gateway:
    1. In the portal dashboard, click All resources.
    2. Click Add and then click See all.

    3. In the Everything pane, search for Local network gateway and then click Create local network gateway.

    4. For the IP address, enter the local network gateway IP address, that is, the FortiGate's external IP address.

    5. Set the remaining values for your local network gateway and click Create.
    To configure the FortiGate tunnel:
    1. In the FortiGate, go to VPN > IP Wizard.
    2. Enter a Name for the tunnel, click Custom, and then click Next.
    3. Configure the Network settings.
      1. For Remote Gateway, select Static IP Address and enter the IP address provided by Azure.
      2. For Interface, select wan1.
      3. For NAT Traversal, select Disable,
      4. For Dead Peer Detection, select On Idle.
      5. In the Authentication section, select
    4. Configure the Authentication settings.
      1. For Method, select Pre-shared Key and enter the Pre-shared Key.
      2. For IKE, select 2.
    5. Configure the Phase 1 Proposal settings.
      1. Set the Encryption and Authentication combination to the three supported encryption algorithm combinations accepted by Azure.
        • AES256 and SHA1
        • 3DES and SHA1
        • AES256 and SHA256
      2. For Diffie-Hellman Groups, select 2.
      3. Set Key Lifetime (seconds) to 28800.
    6. In Phase 2 Selectors, expand the Advanced section to configure the Phase 2 Proposal settings.
        1. Set the Encryption and Authentication combinations:

          • AES256 and SHA1
          • 3DES and SHA1
          • AES256 and SHA256
        2. Uncheck Enable Perfect Forward Secrecy (PFS).
        3. Set Key Lifetime (seconds) to 27000.
      • Click OK.
      To create the Azure firewall object:
      1. In the FortiGate, go to Policy & Objects > Addresses.
      2. Create a firewall object for the Azure VPN tunnel.
      To create the FortiGate firewall policies:
      1. In the FortiGate, go to Policy & Objects > Firewall Policy.
      2. Create a policy for the site-to-site connection that allows outgoing traffic.
        1. Set the Source address and Destination address using the firewall objects you just created.
        2. Disable NAT.
      3. Create another policy that allows incoming traffic.
        1. For this policy, reverse the Source address and Destination address.
      4. We recommend limiting the TCP maximum segment size (MSS) being sent and received so as to avoid packet drops and fragmentation.

        To do this, use the following CLI commands on both policies.

        config firewall policy
           edit <policy-id>
              set tcp-mss-sender 1350
              set tcp-mss-receiver 1350
           next
        end
      To create the FortiGate static route:
      1. In the FortiGate, go to Network > Static Routes.
      2. Create an IPv4 Static Route that forces outgoing traffic going to Azure to go through the route-based tunnel.
      3. Set the Administrative Distance to a value lower than the existing default route value.
      To create the Azure site-to-site VPN connection:
      1. In the Azure portal, locate and select your virtual network gateway.
      2. In the Settings pane, click Connections and then click Add.

      3. Enter the settings for your connection. Ensure the Shared Key (PSK) matches the Pre-shared Key for the FortiGate tunnel.
      To check the results:
      1. In the FortiGate, go to Monitor > IPsec Monitor and check that the tunnel is up. If the tunnel is down, right-click the tunnel and select Bring Up.
      2. In the FortiGate, go to Log & Report > Events.
        1. Select an event to view more information and verify the connection.
      3. In the Azure portal dashboard, click All resources and locate your virtual network gateway.
        1. In your virtual network gateway pane, click Connections to see the status of each connection.

        2. Click a connection to open the Essentials pane to view more information about that connection.
          • If the connection is successful, the Status shows Connected.
          • See the ingress and egress bytes to confirm traffic flowing through the tunnel.