IPsec VPN to Microsoft Azure

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

The following recipe demonstrates how to configure a site-to-site IPsec VPN tunnel to Microsoft Azure™.

Using FortiOS 5.4, the example describes how to configure the tunnel between each site, avoiding overlapping subnets, so that a secure tunnel can be established.​​

PREP 10 mins      COOK 25 mins      TOTAL 35 mins

Ingredients

  • One (1) FortiGate with an Internet-facing IP address.
  • One (1) valid Microsoft Azure account.

Directions

1. Configuring the Microsoft Azure virtual network

Log into Microsoft Azure and click New. In the Search the marketplace field, type “Virtual Network”.

Locate Virtual Network from the returned list and click to open the Virtual Network blade.

Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create.

On the Create virtual network blade, fill in the values for your Virtual Network settings and click Create.

2. Specifying the Microsoft Azure DNS server

Open the virtual network you just created, navigate to DNS Servers, and click to open the DNS servers blade.

Enter the IP address of the DNS server and click Save at the top of the blade.

3. Creating the Microsoft Azure virtual network gateway

In the portal dashboard, go to New.

Search for “Virtual Network Gateway” and select it to open the Create virtual network gateway blade.

In the Create virtual network gateway blade, fill in the values for your virtual network gateway.

 

Create a Public IP address if necessary and click Create at the bottom.

Provisioning the virtual network gateway may take some time.

You will receive a notification about the deployment.

4. Creating the Microsoft Azure local network gateway

From the dashboard, select All resources.

Click +Add and then choose to See all.

 

In the Everything blade search box, type Local network gateway, and select Create local network gateway.

Set IP address to the local network gateway address (the FortiGate’s external IP address). 

Fill in the remaining values for your local network gateway and click Create.

5. Configuring the FortiGate tunnel

Go to VPN > IPsec Wizard.

Enter a Name for the tunnel, select Custom, and click Next.

Set the Remote Gateway to Static IP Address, and include the gateway IP Address provided by Microsoft Azure.

Set the Local Interface to wan1.

Disable NAT Traversal and set Dead Peer Detection to On Idle.

Under Authentication, enter a Pre-shared Key and ensure that you enable IKEv2.

 

Under Phase 1 Proposal set the Encryption algorithm to AES 128 and the Authentication algorithm to SHA256.

Select 2 for Diffie-Hellman Group.

Set Key Lifetime (seconds) to 28800.

Scroll down to Phase 2 Selectors and expand the Advanced section.

Set the Encryption type to match Phase 1.

Disable Perfect Forward Secrecy.

Set Key Lifetime Seconds to 27000.

6. Creating the Azure firewall object

Go to Policy & Objects > Addresses and create a firewall object for the Azure VPN tunnel subnet.

7. Creating the FortiGate firewall policies

Go to Policy & Objects > IPv4 Policy and create a new policy for the site-to-site connection that allows outgoing traffic.

Set the Source Address and Destination Address using the firewall objects you just created.

Ensure that NAT is disabled.

Create a second policy for the same connection to allow incoming traffic.

This time, invert the Source Address and Destination Address.

8. Creating the FortiGate static route

Go to Network > Static Routes and create a new static route forcing outgoing traffic destined to the Microsoft Azure network to flow through the route-based tunnel.

Set the Administrative Distance to a value lower than the value set for the existing default route.

9. Creating a Microsoft Azure Site-to-Site VPN connection

In the Azure portal, locate and select your virtual network gateway.

On the Settings blade, click Connections, and then click Add at the top of the blade to open the Add connection blade.

 

Fill in the values for your connection and click OK.

Make sure that the Shared Key (PSK) matches the shared key configured on the FortiGate in step 5.

10. Results

Go to Monitor > IPsec Monitor. You should see that the tunnel is UP.

If it is down, right-click the tunnel and select Bring Up.

Go to Log & Report > VPN Events

Select an entry to view more information and verify the connection.

Return to the Microsoft Azure portal, click All resources and navigate to your virtual network gateway.

On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

Click the name of the connection that you want to verify to open Essentials.

In Essentials, you can view more information about your connection.

The Status is ‘Connected’ when you have made a successful connection.

Ingress and egress bytes confirm traffic flowing through the tunnel.

 

Keith Leroux

Keith Leroux

Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!
Keith Leroux

Latest posts by Keith Leroux (see all)

  • Was this helpful?
  • Yes   No
This prep time assumes the time it takes to create a Microsoft Azure account.
“Cook” time is largely dependent on Azure resource deployment times, which may vary.
All times listed are approximations.
Located under All Resources > MyMainGateway (Virtual network gateway) > Overview > Public IP address. Note that it may take some time for this address to populate.
If the tunnel fails to come up, begin troubleshooting by double-checking the encryption algorithm and PSK settings match on both ends for Phase 1 and Phase 2. For other troubleshooting tips, refer to IPsec VPN Troubleshooting.
  • Philippe Crete

    Hi, I have a question for a route based VPN. I’m working with a Fortigate 300D version 5.4.2 .We have . But I have 3 subnet in phase 2. The first subnet is ON all the time but the two other are down aftera couple of hrs.

    • cj-Anthony

      Did you ever get an answer for this Philippe? I have a similar issues where we have multiple Phase 2 selectors and we’re having a lot of issues with them staying up.

      • Philippe Crete

        Hi, Yes i’m still having issue with this… 🙁 If you find a solution for this let me know. I’ll do the same.

  • Pieter Smit

    On v5.4.x I get the VPN connected without errors but no traffic is getting passed between the VPN’s.
    Should we be entering Local and Remote Addresses under Phase 2 Selectors or left as is as per manual? And under the Azure Tunnel Interface be left as is or should the IP and Remote IP be put in under the Addressing Mode?