Azure Administration Guide

Connecting a local FortiGate to an Azure FortiGate via site-to-site VPN

This guide provides a sample configuration of a site-to-site IPsec VPN connection with static routing from a local FortiGate to an Azure FortiGate.

The following shows the topology for this sample configuration:

This topology consists of the following:

  • A local FortiGate is located in a local environment. Determine if your FortiGate has a publicly accessible IP address or if it is behind NAT. In this sample configuration, the local FortiGate is behind NAT.
  • A FortiGate located in Azure with port1 connected to WAN and port2 connected to local LAN.

This configuration consists of the following steps:

  1. Configure the local FortiGate:
    1. Configure the interfaces.
    2. Configure a static route to connect to the Internet.
    3. Configure IPsec VPN.
  2. Configure the Azure FortiGate:
    1. Configure the interface.
    2. Configure IPsec VPN.
  3. Bring up the VPN tunnel on the local FortiGate.
  4. Verify the VPN tunnel on both the local and Azure FortiGates.
  5. Run diagnose commands.

Configuring the local FortiGate

To configure the interfaces:

To configure the interfaces using the GUI, do the following:

  1. In FortiOS on the local FortiGate, go to Network > Interfaces.
  2. Edit port5. Set the role to WAN and set an IP/Network Mask of 192.168.5.1/255.255.255.0. This is for the interface connected to the Internet.
  3. Edit port4. Set the role to LAN and set an IP/Network Mask of 172.16.200.1/255.255.255.0. This is for the interface connected to the local subnet.

To configure the interfaces using the CLI, run the following commands:

config system interface
    edit "port5"
        set vdom "root"
        set ip 192.168.9.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set lldp-reception enable
        set role wan
        set snmp-index 7
    next
end

config system interface
    edit "port4"
        set vdom "root"
        set ip 172.16.200.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 6
    next
end

To configure a static route to connect to the Internet:

To configure a static route using the GUI, do the following:

  1. Go to Network > Static Routes.
  2. Click Create New.
  3. Set the Destination to 0.0.0.0/0.0.0.0.
  4. For the Interface, select port5.
  5. Set the Gateway Address to 192.168.9.254.

To configure a static route using the CLI, run the following commands:

FGTA-1 # show router static
config router static
    edit 1
        set gateway 192.168.9.254
        set device "port5"
    next
end

To configure IPsec VPN:

To configure IPsec VPN using the GUI, do the following:

  1. Go to VPN > IPsec Wizard.
  2. Configure VPN Setup:
    1. Enter the desired VPN name. In the example, this is "to_cloud".
    2. For Template Type, select Site to Site.
    3. For the Remote Device Type, select FortiGate.
    4. For NAT Configuration, select This site is behind NAT. For non-dial-up setups, where your local FortiGate has a public external IP address, you must choose No NAT between sites.
    5. Click Next.
  3. Configure Authentication:
    1. For Remote Device, select IP Address.
    2. Enter an IP address of 40.115.111.31, which is the Azure FortiGate's port1 public IP address.
    3. For Outgoing Interface, select port5.
    4. Set the Authentication Method to Pre-shared Key.
    5. Enter a pre-shared key of 123456.
    6. Click Next.
  4. Configure Policy & Routing:
    1. For Local Interface, select port4.
    2. FortiOS automatically populates Local Subnets with 172.16.200.0/24.
    3. Set the Remote Subnets to 10.58.1.0/24, which is the Azure FortiGate's port2 subnet.
    4. For Internet Access, select None.
    5. Click Create.

To configure IPsec VPN using the CLI, run the following commands:

FGTA-1 # show vpn ipsec phase1-interface to_cloud
config vpn ipsec phase1-interface
    edit "to_cloud"
        set interface "port5"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: to_cloud (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 40.115.111.31
        set psksecret ENC xxxxxx
    next
end

FGTA-1 # show vpn ipsec phase2-interface to_cloud
config vpn ipsec phase2-interface
    edit "to_cloud"
        set phase1name "to_cloud"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: to_cloud (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "to_cloud_local"
        set dst-name "to_cloud_remote"
    next
end

FGTA-1 # show router static
config router static
    edit 2
        set device "to_cloud"
        set comment "VPN: to_cloud (Created by VPN wizard)"
        set dstaddr "to_cloud_remote"
    next
    edit 3
        set distance 254
        set comment "VPN: to_cloud (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "to_cloud_remote"
    next
end

FGTA-1 # show firewall policy
config firewall policy
    edit 1
        set name "vpn_to_cloud_local"
        set uuid ef98b6d8-41d9-51e9-20c5-7a31a66dd557
        set srcintf "port4"
        set dstintf "to_cloud"
        set srcaddr "to_cloud_local"
        set dstaddr "to_cloud_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to_cloud (Created by VPN wizard)"
    next
    edit 2
        set name "vpn_to_cloud_remote"
        set uuid ef9b260c-41d9-51e9-cf9c-0a082dc52660
        set srcintf "to_cloud"
        set dstintf "port4"
        set srcaddr "to_cloud_remote"
        set dstaddr "to_cloud_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to_cloud (Created by VPN wizard)"
    next
end

Configuring the Azure FortiGate

To configure the interface:

To configure the interface using the GUI, do the following:

  1. In FortiOS on the Azure FortiGate, go to Network > Interfaces.
  2. Edit port2. Set the role to LAN and set an IP/Network Mask of 10.58.1.4/255.255.255.0. This is for the interface connected to the Azure local subnet.

To configure the interface using the CLI, run the following commands:

FGT-Azure # show system interface port2
config system interface
    edit "port2"
        set vdom "root"
        set ip 10.58.1.4 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap ftm
        set type physical
        set snmp-index 2
    next
end

To configure IPsec VPN:

To configure IPsec VPN using the GUI, do the following:

  1. Go to VPN > IPsec Wizard.
  2. Configure VPN Setup:
    1. Enter the desired VPN name. In the example, this is "to_local".
    2. For Template Type, select Site to Site.
    3. For the Remote Device Type, select FortiGate.
    4. For NAT Configuration, select This site is behind NAT. For non-dial-up setups, where your local FortiGate has a public external IP address, you must choose No NAT between sites.
    5. Click Next.
  3. Configure Authentication:
    1. For Incoming Interface, select port1.
    2. Set the Authentication Method to Pre-shared Key.
    3. Enter a pre-shared key of 123456.
    4. Click Next.
  4. Configure Policy & Routing:
    1. For Local Interface, select port2.
    2. FortiOS automatically populates Local Subnets with 10.58.1.0/24.
    3. Set the Remote Subnets to 172.16.200.0/24, which is the local FortiGate's port4 subnet.
    4. For Internet Access, select None.
    5. Click Create.

To configure IPsec VPN using the CLI, run the following commands:

FGT-Azure # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "to_local"
        set type dynamic
        set interface "port1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set comments "VPN: to_local (Created by VPN wizard)"
        set wizard-type dialup-fortigate
        set psksecret ENC xxxxxx
        set dpd-retryinterval 60
    next
end

FGT-Azure # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "to_local"
        set phase1name "to_local"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: to_local (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "to_local_local"
        set dst-name "to_local_remote"
    next
end

FGT-Azure # show firewall policy
config firewall policy
    edit 1
        set name "vpn_to_local_local"
        set uuid 032b6000-41f4-51e9-acb8-b7e32128bb70
        set srcintf "port2"
        set dstintf "to_local"
        set srcaddr "to_local_local"
        set dstaddr "to_local_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to_local (Created by VPN wizard)"
    next
    edit 2
        set name "vpn_to_local_remote"
        set uuid 0343ee4a-41f4-51e9-a06a-d4a15d35a0a2
        set srcintf "to_local"
        set dstintf "port2"
        set srcaddr "to_local_remote"
        set dstaddr "to_local_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to_local (Created by VPN wizard)"
    next
end
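The wizard output on both FortiGates can be checked mechanically before the tunnel is brought up. The following is an added example, not Fortinet's code or a FortiOS command: a small Python parser for the config / edit / set CLI format shown above and three checks a practitioner wants from a site-to-site tunnel. First, that at least one phase 1 proposal is shared with the peer (noting when sha1 proposals are still offered, since the peer may then negotiate them). Second, that every destination routed into the tunnel also has the wizard's distance-254 blackhole route, so that while the tunnel is down traffic for the remote subnet is dropped instead of leaving in clear text via the default route. Third, that an accept policy exists in each direction, flagging policies that allow service ALL. The sample input is the local FortiGate's configuration from this page, trimmed to the fields the checks read; PEER_PROPOSALS is the Azure FortiGate's phase 1 proposal list; all function and variable names are the example's own. Run against the Azure (dial-up) side, which has no static routes on this page, the route check simply finds nothing to verify.

```python
"""Sanity checks for the wizard-generated FortiOS IPsec configuration shown above.

Added example, not Fortinet's code. `parse_fortios` reads the FortiOS
`config / edit / set / next / end` format (flat tables only, which covers the
blocks on this page); `check_tunnel` verifies proposal overlap with the peer,
the fail-closed blackhole route, and accept policies in both directions.
LOCAL_CFG is the local FortiGate's wizard output from this page, trimmed to the
fields the checks read; PEER_PROPOSALS is the Azure FortiGate's phase 1 list.
"""
import shlex

WEAK_HASHES = ("sha1", "md5")   # integrity algorithms that should no longer be offered

LOCAL_CFG = """
config vpn ipsec phase1-interface
    edit "to_cloud"
        set interface "port5"
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 40.115.111.31
    next
end
config router static
    edit 2
        set device "to_cloud"
        set dstaddr "to_cloud_remote"
    next
    edit 3
        set distance 254
        set blackhole enable
        set dstaddr "to_cloud_remote"
    next
end
config firewall policy
    edit 1
        set srcintf "port4"
        set dstintf "to_cloud"
        set action accept
        set service "ALL"
    next
    edit 2
        set srcintf "to_cloud"
        set dstintf "port4"
        set action accept
        set service "ALL"
    next
end
"""
PEER_PROPOSALS = ["aes128-sha256", "aes256-sha256", "aes128-sha1", "aes256-sha1"]


def parse_fortios(text):
    """FortiOS CLI config -> {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        words = shlex.split(line)          # honours the quoted values FortiOS prints
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table = tables.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = table.setdefault(args[0], {})
        elif cmd == "set":
            entry[args[0]] = args[1:]
    return tables


def check_tunnel(cfg, peer_proposals):
    """Findings for every phase1 tunnel in cfg; an empty list means clean."""
    findings = []
    routes = list(cfg.get("router static", {}).values())
    policies = list(cfg.get("firewall policy", {}).values())
    for name, p1 in cfg["vpn ipsec phase1-interface"].items():
        # 1. IKE: the responder accepts the first initiator proposal it also supports.
        if not any(p in peer_proposals for p in p1["proposal"]):
            findings.append(f"{name}: no phase1 proposal in common with the peer; IKE cannot complete")
        weak = [p for p in p1["proposal"] if any(h in p for h in WEAK_HASHES)]
        if weak:
            findings.append(f"{name}: weak phase1 proposals still offered: {' '.join(weak)}")
        # 2. Fail closed: each destination routed into the tunnel needs the distance-254
        #    blackhole, or a down tunnel sends that traffic unencrypted via the default route.
        for r in routes:
            if r.get("device") == [name]:
                dst = r["dstaddr"]
                if not any(x.get("blackhole") == ["enable"] and x.get("distance") == ["254"]
                           and x.get("dstaddr") == dst for x in routes):
                    findings.append(f"{name}: no blackhole route for {dst[0]}; traffic leaks while the tunnel is down")
        # 3. An accept policy in each direction, noting when it is wide open.
        for side in ("srcintf", "dstintf"):
            hits = [p for p in policies if p.get(side) == [name] and p.get("action") == ["accept"]]
            if not hits:
                findings.append(f"{name}: no accept policy with {side} {name}")
            elif all(p.get("service") == ["ALL"] for p in hits):
                findings.append(f"{name}: every policy with {side} {name} allows service ALL")
    return findings


FINDINGS = check_tunnel(parse_fortios(LOCAL_CFG), PEER_PROPOSALS)
```

For the configuration on this page the checker reports three findings: the two sha1 phase 1 proposals are still offered, and both wizard policies allow service ALL; the blackhole route and the proposal overlap pass. Paste the output of show vpn ipsec phase1-interface, show router static and show firewall policy into LOCAL_CFG to check a real device.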

To bring up the VPN tunnel on the local FortiGate:

The tunnel stays down until you initiate the connection from the local FortiGate.

  1. In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor.
  2. Click the to_cloud tunnel.
  3. Click Bring Up to bring up the VPN tunnel.

To verify the VPN tunnel on both the local FortiGate and the Azure FortiGate:

  1. In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor. It should look like the following:

  2. In FortiOS on the Azure FortiGate, go to Monitor > IPsec Monitor. It should look like the following:

To run diagnose commands:

  1. To show the local FortiGate's VPN status, run the following commands:

    FGTA-1 # diagnose vpn ike gateway list
    vd: root/0
    name: to_cloud
    version: 1
    interface: port5 13
    addr: 192.168.9.1:4500 -> 40.115.111.31:4500
    created: 1042s ago
    nat: me peer
    IKE SA: created 1/1 established 1/1 time 400/400/400 ms
    IPsec SA: created 1/1 established 1/1 time 130/130/130 ms
    id/spi: 365 cc00c782040e9ec9/e07668adc21bd6a7
    direction: initiator
    status: established 1042-1041s ago = 400ms
    proposal: aes128-sha256
    key: 2793ba055ddab07a-83c804230bffd8de
    lifetime/rekey: 86400/85058
    DPD sent/recv: 00000000/0000000a

    FGTA-1 # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=to_cloud ver=1 serial=2 192.168.9.1:4500->40.115.111.31:4500 dst_mtu=1500
    bound_if=13 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
    proxyid_num=1 child_num=0 refcnt=11 ilast=18 olast=58 ad=/0
    stat: rxp=1 txp=2 rxb=16516 txb=16450
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=keepalive draft=32 interval=10 remote_port=4500
    proxyid=to_cloud proto=0 sa=1 ref=2 serial=1
      src: 0:172.16.200.0/255.255.255.0:0
      dst: 0:10.58.1.0/255.255.255.0:0
      SA: ref=6 options=10226 type=00 soft=0 mtu=1422 expire=42217/0B replaywin=2048
      seqno=3 esn=0 replaywin_lastseq=00000002 itn=0 qat=0
      life: type=01 bytes=0/0 timeout=42903/43200
      dec: spi=394f6923 esp=aes key=16 4ac11dd0916496e2e1edd610d83c7017
      ah=sha1 key=20 8d0c08ab1ed0d96ae29d521ed954a6bcc270f863
      enc: spi=5dc261b2 esp=aes key=16 c1b49a1251aa9bdb8b0ea205a687c794
      ah=sha1 key=20 0693c8988ef609bc410d6024e72e576366b53fef
      dec:pkts/bytes=1/16440, enc:pkts/bytes=2/16602
      npu_flag=03 npu_rgwy=40.115.111.31 npu_lgwy=192.168.9.1 npu_selid=1 dec_npuid=1 enc_npuid=1

  2. To show the Azure FortiGate's VPN status, run the following commands:

    FGT-Azure # diagnose vpn ike gateway list
    vd: root/0
    name: to_local_0
    version: 1
    interface: port1 3
    addr: 10.58.0.4:4500 -> 208.91.115.10:64916
    created: 1085s ago
    nat: me peer
    IKE SA: created 1/1 established 1/1 time 270/270/270 ms
    IPsec SA: created 1/1 established 1/1 time 140/140/140 ms
    id/spi: 0 cc00c782040e9ec9/e07668adc21bd6a7
    direction: responder
    status: established 1085-1084s ago = 270ms
    proposal: aes128-sha256
    key: 2793ba055ddab07a-83c804230bffd8de
    lifetime/rekey: 86400/85045
    DPD sent/recv: 0000000b/00000000

    FGT-Azure # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=to_local ver=1 serial=1 10.58.0.4:0->0.0.0.0:0 dst_mtu=0
    bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
    proxyid_num=0 child_num=1 refcnt=11 ilast=1096 olast=1096 ad=/0
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    ------------------------------------------------------
    name=to_local_0 ver=1 serial=2 10.58.0.4:4500->208.91.115.10:64916 dst_mtu=1500
    bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/976 options[03d0]=create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
    parent=to_local index=0
    proxyid_num=1 child_num=0 refcnt=14 ilast=38 olast=38 ad=/0
    stat: rxp=334 txp=334 rxb=53440 txb=28056
    dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=11
    natt: mode=keepalive draft=32 interval=10 remote_port=64916
    proxyid=to_local proto=0 sa=1 ref=2 serial=1 add-route
      src: 0:10.58.1.0/255.255.255.0:0
      dst: 0:172.16.200.0/255.255.255.0:0
      SA: ref=3 options=282 type=00 soft=0 mtu=1422 expire=42460/0B replaywin=2048
      seqno=14f esn=0 replaywin_lastseq=0000014f itn=0 qat=0
      life: type=01 bytes=0/0 timeout=43187/43200
      dec: spi=5dc261b2 esp=aes key=16 c1b49a1251aa9bdb8b0ea205a687c794
      ah=sha1 key=20 0693c8988ef609bc410d6024e72e576366b53fef
      enc: spi=394f6923 esp=aes key=16 4ac11dd0916496e2e1edd610d83c7017
      ah=sha1 key=20 8d0c08ab1ed0d96ae29d521ed954a6bcc270f863
      dec:pkts/bytes=334/28056, enc:pkts/bytes=334/53440
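Two things a practitioner wants from the diagnose output above are a cross-check that both ends describe the same tunnel and a way to share the output safely, because diagnose vpn tunnel list prints the live ESP keys and diagnose vpn ike gateway list prints the IKE key. The following is an added example, not Fortinet's code: it parses the two outputs from both FortiGates, confirms that the IKE SPIs match, that the ESP SPIs and the phase 2 selectors are mirror images across the ends, that both IKE SAs are established and that NAT-T is in the same mode on both, and it redacts the key material before the text leaves the device. The samples are this page's outputs trimmed to the lines the parser reads; the dial-up parent entry to_local is kept to show that entries without an SA are skipped. All function names are the example's own.

```python
"""Cross-check and redact the FortiOS `diagnose vpn` output of both tunnel ends.

Added example, not Fortinet's code. The samples below are the page's own
diagnose output, trimmed to the lines the parser reads.
"""
import re

LOCAL_IKE = """
name: to_cloud
id/spi: 365 cc00c782040e9ec9/e07668adc21bd6a7
direction: initiator
status: established 1042-1041s ago = 400ms
proposal: aes128-sha256
key: 2793ba055ddab07a-83c804230bffd8de
"""
LOCAL_TUN = """
------------------------------------------------------
name=to_cloud ver=1 serial=2 192.168.9.1:4500->40.115.111.31:4500 dst_mtu=1500
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=to_cloud proto=0 sa=1 ref=2 serial=1
  src: 0:172.16.200.0/255.255.255.0:0
  dst: 0:10.58.1.0/255.255.255.0:0
  dec: spi=394f6923 esp=aes key=16 4ac11dd0916496e2e1edd610d83c7017
  enc: spi=5dc261b2 esp=aes key=16 c1b49a1251aa9bdb8b0ea205a687c794
"""
AZURE_IKE = """
name: to_local_0
id/spi: 0 cc00c782040e9ec9/e07668adc21bd6a7
direction: responder
status: established 1085-1084s ago = 270ms
proposal: aes128-sha256
key: 2793ba055ddab07a-83c804230bffd8de
"""
AZURE_TUN = """
------------------------------------------------------
name=to_local ver=1 serial=1 10.58.0.4:0->0.0.0.0:0 dst_mtu=0
natt: mode=none draft=0 interval=0 remote_port=0
------------------------------------------------------
name=to_local_0 ver=1 serial=2 10.58.0.4:4500->208.91.115.10:64916 dst_mtu=1500
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=to_local proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:10.58.1.0/255.255.255.0:0
  dst: 0:172.16.200.0/255.255.255.0:0
  dec: spi=5dc261b2 esp=aes key=16 c1b49a1251aa9bdb8b0ea205a687c794
  enc: spi=394f6923 esp=aes key=16 4ac11dd0916496e2e1edd610d83c7017
"""


def parse_ike(text):
    """'field: value' lines of `diagnose vpn ike gateway list` -> dict."""
    return dict(line.split(": ", 1) for line in text.strip().splitlines())


def parse_tunnels(text):
    """`diagnose vpn tunnel list` -> {name: {natt, src, dst, dec, enc}} for entries that hold an SA."""
    tunnels = {}
    for block in re.split(r"-{10,}", text):          # entries are separated by a dashed line
        name = re.search(r"name=(\S+)", block)
        spis = dict(re.findall(r"(dec|enc): spi=([0-9a-f]+)", block))
        if not name or not spis:                     # dial-up parent entries carry no SA
            continue
        sel = dict(re.findall(r"(src|dst): \d+:([\d./]+):\d+", block))
        natt = re.search(r"natt: mode=(\S+)", block).group(1)
        tunnels[name.group(1)] = {"natt": natt, **sel, **spis}
    return tunnels


def cross_check(a_ike, a_tun, b_ike, b_tun):
    """Compare the two ends; an empty list means they agree on one IKE SA and one child SA."""
    findings = []
    if a_ike["id/spi"].split()[1] != b_ike["id/spi"].split()[1]:
        findings.append("IKE SPIs differ: the ends are not in the same IKE session")
    for side, ike in (("A", a_ike), ("B", b_ike)):
        if not ike["status"].startswith("established"):
            findings.append(f"{side}: IKE SA not established ({ike['status']})")
    ta, tb = next(iter(a_tun.values())), next(iter(b_tun.values()))   # one child SA per end
    if (ta["dec"], ta["enc"]) != (tb["enc"], tb["dec"]):
        findings.append("ESP SPIs are not mirrored: the kernels hold different child SAs")
    if (ta["src"], ta["dst"]) != (tb["dst"], tb["src"]):
        findings.append("phase2 selectors are not mirrored: traffic will not match the SA")
    if ta["natt"] != tb["natt"]:
        findings.append("NAT-T mode differs between the ends")
    return findings


def redact(text):
    """Blank the SA key material that diagnose prints, so the output can be shared."""
    text = re.sub(r"(key=\d+ )[0-9a-f]+", r"\1<redacted>", text)          # ESP/AH keys
    return re.sub(r"^(\s*key: )[0-9a-f-]+", r"\1<redacted>", text, flags=re.M)  # IKE key


if __name__ == "__main__":
    issues = cross_check(parse_ike(LOCAL_IKE), parse_tunnels(LOCAL_TUN),
                         parse_ike(AZURE_IKE), parse_tunnels(AZURE_TUN))
    print(issues or "both ends agree on the tunnel state")
    print(redact(LOCAL_TUN))
```

On the page's output the cross-check returns no findings: the IKE SPI pair is identical on both ends, the local decrypt SPI 394f6923 is the Azure encrypt SPI and vice versa, and the selectors swap sides as expected. Keep the SPIs when sharing output (they are what a support engineer correlates) and let redact remove only the keys.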
