Azure IPsec VPN with FG-60E running FortiOS 5.4 from child VDOM
Has anyone successfully set up an IPsec VPN with an Azure VPN gateway (route or policy based) using FortiOS 5.4 connected to a child VDOM?
I have an FG-60E in a multiple VDOM configuration where the root VDOM is utilized for management only, and two additional VDOMs act as security zones separating two network infrastructures. Both child VDOMs are configured as Route/NAT VDOMs. All internet traffic flows through the wan1 interface in the root VDOM. I only have one external IP address available for use for internet connectivity.
I need to set up an Azure IPsec VPN with one of the child VDOMs. I have followed the instructions at http://cookbook.fortinet.com/ipsec-vpn-microsoft-azure-54 to set up an IPsec VPN in the root VDOM, with what modifications I believe are necessary to get the VPN traffic to/from the child VDOM. However, the tunnel never connects.
I am pondering alternatives such as routing VPN traffic to/from the child VDOM through a new transparent VDOM. But I will admit that at this point I am simply spitballing potential solutions.
Anyone have any viable solutions?
Regards,
Scott
