IPsec VPN to Microsoft Azure


The following recipe describes how to configure a site-to-site IPsec VPN tunnel. In this example, one site is behind a FortiGate and another site is hosted on Microsoft Azure™, for which you will need a valid Microsoft Azure account.

Using FortiOS 5.4, the example demonstrates how to configure each end of the tunnel, avoiding overlapping subnets, so that a secure tunnel can be established and traffic through it is governed by your configured security policies.

1. Configuring the Microsoft Azure virtual network

Log into Microsoft Azure and click New. In the Search the marketplace field, type “Virtual Network”. Locate Virtual Network from the returned list and click to open the Virtual Network blade.

Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create.

On the Create virtual network blade, fill in the values for your Virtual Network settings and click Create.

2. Specifying the Microsoft Azure DNS server

On the Settings page for your virtual network, navigate to DNS Servers and click to open the DNS servers blade. Enter the IP address of the DNS server and click Save at the top of the blade.

3. Creating the Microsoft Azure virtual network gateway

In the portal, go to New. Type “Virtual Network Gateway” in search. Locate Virtual network gateway in the search return and click the entry. This opens the Create virtual network gateway blade.

Click Create at the bottom of the Virtual network gateway blade. The Create virtual network gateway blade will open. Fill in the values for your virtual network gateway and click Create.

4. Creating the Microsoft Azure local network gateway

The ‘local network gateway’ refers to your on-premises location. Give the local network gateway a name by which Azure can refer to it.

In the portal, from All resources, click +Add. In the Everything blade search box, type Local network gateway, then click to search. This will return a list. Click Local network gateway to open the blade, then click Create to open the Create local network gateway blade.

Fill in the values for your local network gateway.

5. Configuring the FortiGate tunnel

Go to VPN > IPsec Wizard and select Custom.

Enter a Name for the tunnel and click Next.

Set the Remote Gateway to Static IP Address, and include the gateway IP Address provided by Microsoft Azure.

Set the Local Interface to wan1.

Disable NAT Traversal and Dead Peer Detection.

Under Authentication, enter a Pre-shared Key and ensure that you enable IKEv1.

Under Phase 1 Proposal, set the Encryption algorithm to AES128 and the Authentication algorithm to SHA1.

Select 2 for Diffie-Hellman Group.


Scroll down to Phase 2 Selectors and set Local Address to the local subnet and Remote Address to the VPN tunnel endpoint subnet (found under Virtual Network Address Spaces in Microsoft Azure).

Set the Phase 2 encryption and authentication algorithms to match Phase 1.

Disable Perfect Forward Secrecy.

6. Creating the FortiGate firewall addresses

Go to Policy & Objects > Addresses and configure a firewall address for the local network.

Create another firewall object for the Azure VPN tunnel subnet.

7. Creating the FortiGate firewall policies

Go to Policy & Objects > IPv4 Policy and create a new policy for the site-to-site connection that allows outgoing traffic.

Set the Source Address and Destination Address using the firewall objects you just created. Make sure that NAT is disabled.

When you are done, create another policy for the same connection to allow incoming traffic.

This time, invert the Source Address and Destination Address.

8. Creating the FortiGate static route

Go to Network > Static Routes and create a new static route that forces traffic destined for the Microsoft Azure network through the route-based IPsec VPN tunnel interface. Set the Administrative Distance to a value lower than that of the existing default route.
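The FortiGate side of steps 5 to 8 expressed as the equivalent FortiOS 5.4 CLI configuration, added here as an illustration and not part of the original recipe. The tunnel name to-azure, the LAN interface internal, the address objects local-lan and azure-vnet (assumed to have been created in step 6), the Azure gateway IP 203.0.113.10, the subnets 192.168.1.0/24 and 10.0.0.0/16 and the shared key are placeholders; replace them with your own values.

```text
# Step 5, Phase 1: static remote gateway on wan1, IKEv1, AES128/SHA1,
# DH group 2, NAT traversal and dead peer detection disabled.
config vpn ipsec phase1-interface
    edit "to-azure"
        set interface "wan1"
        set ike-version 1
        set proposal aes128-sha1
        set dhgrp 2
        set nattraversal disable
        set dpd disable
        set remote-gw 203.0.113.10
        set psksecret "<shared-key-from-azure-connection>"
    next
end
# Step 5, Phase 2: algorithms match Phase 1, PFS disabled,
# selectors are the local LAN and the Azure virtual network address space.
config vpn ipsec phase2-interface
    edit "to-azure-p2"
        set phase1name "to-azure"
        set proposal aes128-sha1
        set pfs disable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
end
# Step 7: outgoing policy with NAT disabled. Create the incoming policy
# the same way with srcintf/dstintf and srcaddr/dstaddr swapped.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-azure"
        set srcaddr "local-lan"
        set dstaddr "azure-vnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# Step 8: route the Azure address space into the tunnel interface with an
# administrative distance lower than the default route's (10 by default).
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "to-azure"
        set distance 5
    next
end
```

On the CLI, `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` show the same Phase 1 and Phase 2 state that the IPsec Monitor displays in step 10.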

9. Creating a Microsoft Azure Site-to-Site VPN connection

Locate your virtual network gateway and click All settings to open the Settings blade.

On the Settings blade, click Connections, and then click Add at the top of the blade to open the Add connection blade.

Fill in the values for your connection and click Create.

Make sure that the Shared Key (PSK) matches the pre-shared key configured earlier on the FortiGate unit.

10. Results

Go to Monitor > IPsec Monitor. You should see that the tunnel is UP, with incoming and outgoing data.

Go to Log & Report > VPN Events.

Select an entry to view more information and verify the connection.

Return to the Microsoft Azure portal, click All resources and navigate to your virtual network gateway.

On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is ‘Connected’ when you have made a successful connection. Ingress and egress bytes confirm traffic flowing through the tunnel.

Taher Elbar

Technical Product Specialist at Fortinet
After a Bachelor's degree in Telecommunications from the University of Geneva, Taher began his career in software development, then moved to system/network administration, followed by work as a Security Support Engineer. With over 10 years of experience, Taher writes technical documentation for Fortinet.
  • bdickie

    We have received conflicting information about this recipe from a number of sources so we are planning on re-doing it in the near future. Since it seems at least useful it will stay available while we are doing this.

    Our support team just shared this comment with us:

    “I’ve encountered a couple of cases where the customer configured everything
    according to the cookbook to configure the VPN tunnel between FortiGate and Azure.
    It seems in both cases the following changes had to be made to bring the
    tunnel up:

    IKE version had to be changed to 1

    PFS had to be disabled”

    • Keith Leroux

      The article has been updated to reflect this information.

  • Roberto Benassi

    You are great. I got that working in 15 minutes, no idea on how to get it working without your advice! Thanks.

  • Avi

    Followed the instructions, tunnel status says Connected but no traffic is actually flowing through. Has anyone seen this?

  • Bill Dickie

    We have received a number of comments about problems with this recipe. Based on these comments we are going to test and update it. Some of the changes that have been requested include:
    – Change phase 2 timeout to match Azure at 27000 seconds
    – Turn off PFS
    – Dead Peer Detection on Idle

  • Luca Belfiori

    Azure does not support PFS on Phase 2 as initiator, so it must be disabled on the FortiGate side as well.
    After changing it my VPN works fine.

  • Andre van Niekerk

    Why would you need to adjust the metric (AD) of the route? (Step 8) Wouldn’t normal routing precedence result in the more specific routing being chosen?

  • Andrea Torresi

    Problems, problems!
    The tunnel is up, but if I ping or tracert to a VM started on Azure it doesn’t work.
    Two days ago it was working, but now, without any changes, it doesn’t work… no change on Azure, no change on the firewall.
    I checked the cookbook and I’ve done the same configuration…
    I can’t understand it.

    • Taher Elbar

      Hi Andrea,
      Since it was working before and it doesn’t now with no changes, I suggest that you open a ticket with support.
      https://support.fortinet.com/
      Regards,
      Taher.

    • 積木 陳

      I had the same problem as you… it confused me for a long time and I haven’t found the solution yet.

      • Fox Molder

        Found the problem: it isn’t about the FortiGate, the problem is the router. Don’t use DMZ to forward all ports to the FortiGate WAN; try specifying only the single IPsec port: 500.

  • Taher Elbar

    Hi Ygor,
    The new link for documentation is :
    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
    Regards,
    Taher.

  • Zoton

    I was able to set this up and see in the gateway connections in the ARM portal that it is connected. I also see in the IPSec monitor in the Fortigate that the connection is up, but there is no traffic in or out. Where should I look to see what might be wrong?

    • Taher Elbar

      Hi Zoton,
      Good that you got the tunnel UP! Now, for in/out traffic via the tunnel, routes at both ends have to be set. On the FortiGate side, as described in step 8, the route has to be prioritized over the default internet route.
      To test that the route in the FortiGate is set correctly, you can run a trace route from a machine behind the FortiGate to a machine behind the Azure gateway and verify the path taken.
      Let me know the results.
      Regards,
      Taher.

      • Zoton

        I get this:
        Tracing route to 10.0.0.6 over a maximum of 30 hops

        1 <1 ms <1 ms <1 ms 192.168.0.1
        2 * * * Request timed out.

        I'm not clear how "the route has to be prioritized on the default internet route." from your reply.
        In the Static Route Settings the Priority, under Advanced Options, is set to 0. Is that what it should be?

        • Taher Elbar

          Hi Zoton,
          Good to hear that it is working!
          Now, if after a few minutes the ARM portal shows “Connecting”, can you look for the error message received on the FortiGate, under Log & Report > VPN Events, and post it here.
          Regards,
          Taher.

          • Zoton

            Here are the two most recent:

            Date 12/13/2016
            Time 21:30:47
            Virtual Domain root
            Log Description Progress IPsec phase 1

            Source
            Local IP 45.22.50.105
            User N/A
            Group N/A
            XAUTH User N/A
            XAUTH Group N/A

            Action
            Action negotiate
            Status failure
            Result ERROR

            Security
            Level

            Event
            Assigned IP N/A
            Cookies 4f685caefe1ac3e1/0000000000000000
            Direction inbound
            Local Port 500
            Outgoing Interface wan1
            Remote IP 13.92.34.16
            Remote Port 500
            Role responder
            VPN Tunnel N/A
            Message progress IPsec phase 1

            —————————————————————————————-

            Date 12/13/2016
            Time 21:30:47
            Virtual Domain root
            Log Description IPsec phase 1 error

            Source
            Local IP 45.22.50.105
            User N/A
            Group N/A
            XAUTH User N/A
            XAUTH Group N/A

            Action
            Action negotiate
            Status negotiate_error
            Reason peer SA proposal not match local policy

            Security
            Level

            Event
            Assigned IP N/A
            Cookies 4f685caefe1ac3e1/0000000000000000
            Local Port 500
            Outgoing Interface wan1
            Remote IP 13.92.34.16
            Remote Port 500
            VPN Tunnel N/A
            Message IPsec phase 1 error

          • Taher Elbar

            Ok, this seems to be the same message generated on 12/13/2016 @ 21:30:47. Since yesterday, has the problem happened again?
            Taher.

          • Zoton

            This is all it will show. It doesn’t seem to be logging much. We are new to Fortigate, having just replaced our Forefront TMG.

            But yes, it is still continuing.

          • Taher Elbar

            If the problem happens again, change the Phase 1 lifetime to 10800.
            Let me know the results.
            Taher.

          • Zoton

            Here are my settings. It has disconnected again in less time than 10800 seconds. But even 10800 seconds is 3 hours. I need this tunnel to stay connected 24/365. Also, I rebooted the Fortigate and now I do not see any VPN Events under Log & Report.

            https://uploads.disquscdn.com/images/8f9691d892faa856a956a82f07d1f53c061aac57a13081cdc931dbe072d5916c.png

            https://uploads.disquscdn.com/images/83f963f911be237e95803271ee69ff8d1540733b84b4936a6795847c6efce364.png

          • Taher Elbar

            The Phase 1 lifetime is for encryption key negotiation (rekeying); it does not mean the time that the tunnel should be up. So now, since you rebooted the FortiGate and it seems not to have disconnected, I presume that the issue was not related to the Phase 1 lifetime value.
            FYI: Phase 1 lifetime is a value that both peers (FortiGate and Azure) should support and agree upon for successful rekeying.

            Keep me posted if the problem reoccurs.
            Regards,
            Taher.

          • Zoton

            It went down and I got this in VPN events

            Date 12/14/2016
            Time 15:19:10
            Virtual Domain root
            Log Description IPsec ESP

            Source
            Local IP 45.22.50.105
            User N/A
            Group N/A
            XAUTH User N/A
            XAUTH Group N/A

            Action
            Action error
            Status esp_error

            Security
            Level

            Event
            Assigned IP N/A
            Cookies 09461964b74449c6/e590f9e58229c5b6
            Local Port 500
            Outgoing Interface wan1
            Remote IP 13.92.34.16
            Remote Port 500
            VPN Tunnel N/A
            Message IPsec ESP error

          • Taher Elbar

            Thanks for providing this. As you see, the error message is “IPsec ESP error”, which in most cases is due to the instability of the Internet link or a key mismatch – more information here:
            http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33101&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=98240525&stateId=0 0 98238716

            Now, I wanted to ask you to set the Phase 1 lifetime to 10800 and Phase 2 to 3600 (those are the values that Azure recommends for rekeying) and monitor that.

            Please update me with the next error message – if there is any – I hope not.
            Regards,
            Taher.

          • Zoton

            Thank you so much for your advice. I had a S2S between my local network and my Azure VNet with Forefront TMG and it never went down. Ever. I don’t say this to imply TMG is better, but as a troubleshooting baseline: the internet link was the same with that firewall. You said “or a key mismatch”, so I will change the phase I and phase II lifetimes. Again, thank you.

          • Zoton

            I have Phase I and II set to the values from your previous reply. I am running a continuous ping and I see that the tunnel goes down after 1 hour (3600 seconds) and then comes back up after one hour. It does this every hour.

  • Jokin Astobiza

    Hello! Thank you very much for this cookbook, I would never be able to do it without all these details!
    For the record, I had to use Azure’s NEW interface, doing everything (tried twice) with the classic interface I couldn’t get it to connect.

    Fortigate 100D on v5.2.9

    • Taher Elbar

      You’re very welcome!
      Taher.

  • Geert

    Hi, I have the VPN working, but at a certain moment the tunnel fails and it gives me this error:

    date=2016-11-24 time=21:21:02 devname=**** devid=******** logid=0101037194 type=event subtype=vpn level=error vd=root logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action=negotiate remip=****** locip=**** remport=500 locport=500 outintf="wan1" cookies="3318d70e30527523/1ca251d1993d64c0" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="site******" status=failure init=local exch=CREATE_CHILD dir=inbound role=initiator result=ERROR version=IKEv2

    Then when I make a change to the death pool detection (which I disabled), the tunnel is running again without any errors.

    • Taher Elbar

      Hi Geert,

      Do you mean when you disabled “Replay Detection” in FortiGate’s phase 2 ?

      Regards,
      Taher.

    • rikeman

      Were you able to determine and fix this issue? I think I am having the same issue and wanted to check if you were able to get this resolved.

      • Moi

        Hi Rikeman any solution? same problem here?

    • Moi

      same here. Any solution?

  • Venkata Praneeth Reddy Palukur

    Hello Taher,

    Thanks for the documentation for Fortigate 5.4. The only thing that’s missing are the lifetimes. Should we use specific lifetimes for Microsoft Azure or can we use the default ones?

    • Taher Elbar

      Hi Venkata,
      Default works great.
      Regards,
      Taher.

    • Jaro Stolicny

      I am curious about this too… I consider this as quite important parameter.

      • Kerrie Newton

        Hello Venkata and Jaro,

        Below are some troubleshooting steps you may want to try:

        – Change Phase 2 timeout to match Azure – 27000 seconds
        – Disable PFS (Perfect Forward Secrecy)
        – Set DPD (Dead Peer Detection) to Idle

        Regards,
        Kerrie

    • Kerrie Newton

      Hello Venkata,

      Use the lifetimes specified by Azure.

      Regards,
      Kerrie