FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aorozco
Staff
Staff
Description
How to setup an IPSec VPN tunnel between a FortiGate device and Microsoft Azure cloud service.

Solution
1. Create firewall address objects referencing internal and azure networks.

config firewall address
    edit "MyAzureNetwork"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "MyPrivateLAN"
        set associated-Interface "internal"
        set subnet 192.168.0.0 255.255.255.0
    next
end

NOTE: Be aware that the associated interface for the private segment might be different than internal (i.e. port1, lan, internal1, etc).

2. Create the phase1 (ipsec interface mode)

config vpn ipsec phase1-interface
    edit "ToAzure"
        set interface "wan1"
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 28800
        set remote-gw 23.100.120.46
        set psksecret ENC eXcOpXVMlNs8ikaCME1pNCdQFE1W82Dy
        set dpd enable
    next
end

NOTE: Be aware that the remote.gw must be the Azure gateway you got from Azure's configuration environment.

3. Create the phase2

config vpn ipsec phase2-interface
    edit "P2-Azure"
        set phase1name "ToAzure"       
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set proposal aes128-sha1
        set ( src-addr-type name | src-subnet 192.168.0.0 255.255.255.0 )
        set ( dst-addr-type name | dst-subnet 192.168.10.0 255.255.255.0 )
    next
end

NOTE: Be aware that the information in brackets [ ] means you must choose either name or defining the subnet.

4. Add a static route

config router static
    edit 21
        set device "ToAzure"
        set dst 192.168.10.0 255.255.255.0
    next
end

5. Create firewall security policies

config firewall policy
    edit 5
        set srcintf "internal"
        set dstintf "ToAzure"
        set srcaddr "MyPrivateLAN"            
        set dstaddr "MyAzureNetwork"            
        set action accept
        set schedule "always"
        set service "ANY"            
        set logtraffic enable
    next
    edit 6
        set srcintf "ToAzure"
        set dstintf "internal"
        set srcaddr "MyAzureNetwork"            
        set dstaddr "MyPrivateLAN"            
        set action accept
        set schedule "always"
        set service "ANY"            
        set logtraffic enable
    next   
end

REFERENCE:
http://www.burkard.it/2013/09/create-site-to-site-vpn-with-fortigate-to-microsoft-azure/

Contributors