FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fwilliams
Staff
Staff
Article Id 229691
Description

This article describes how to implement Site-to-Site VPN between Microsoft Azure Virtual Network Gateway and FortiGate.

This article will be in 2 parts: The Azure setup and the FortiGate’s.

Scope FortiGate v6.4, v7.0 and v7.2.
Solution

 

fwilliams_0-1668264621140.png

 

PART 1 (Azure).

 

A 'resource group' will be necessary, unless there is already one in Azure and willing to use it, but if not, create one (it is pretty straightforward).

By the way, resource group in Azure allows to manage all the resources in an application together. 

For this demonstration, I will create 'a resource group' called SampleRG.

To create a 'resource group' select 'create a resource' under Azure services and search the name of the resource and begin filling in the required data.

Once done filling, review/validate it and then select 'Create'.

 

fwilliams_14-1668265906569.png

 

 

fwilliams_1-1668264665531.png

 

Now that there is a 'resource group', it is necessary to create 5 more resources to deploy S2S VPN:

As stated before, to create any resource, select 'create a resource' under Azure services and search for the name of the resource and begin filling in the required data.

 

Here are the 5 needed:

 

1) Virtual Network (VN).

VN creates a logically isolated section in Azure. Our VN here is named SampleVN.

 

fwilliams_2-1668264712934.png

 

 2) Virtual Network Gateway (VNG).

VNG is the software 'VPN device' for Azure network. Use VNG together with a connection (this is created in step 5), to set up S2S VPN between Azure and FortiGate. The VNG here is name SampleVNG.

 

fwilliams_3-1668264745247.png

 

3) Local Network Gateway (LNG).

LNG represents the FortiGate on Azure. It houses the remote FortiGate Public IP, and the LAN subnets behind on-premise FortiGate, to connect to Azure. The LNG name used here is SampleLNG

 

fwilliams_4-1668264765479.png

 

4) Public IP Address (PIP).

Here a public IP named SamplePIP is created. This is the IP used by Azure in communicating with FortiGate over the Internet.

 

fwilliams_5-1668264958055.png

 

5) Connection .

Connection is what Azure used to couple VNG and LNG together, and define the IKE version as well as the IPSec/IKE policy. The name of the connection is Sample_IPSec_VPN.

 

See below:

 

 

fwilliams_7-1668264986773.png

 

 fwilliams_6-1668264976819.png

 

Once the connection configuration is completed, it is possible to download its VPN configuration settings and probably send it to the Admin at the remote site (On premise), so he knows exactly what to set on the end (Azure).

If both ends are also managed, it can help to verify the settings match in case there are issues that need to be troubleshooted.

Just select 'download configuration', then on 'device Vendor' choose generic. On 'device family', choose 'device parameter' and under Firmware version, choose 1.0, then download configuration. 

A text file with the S2S VPN settings is downloaded.

 

Similar to below:

 

fwilliams_8-1668265007886.png

 

Below is what the download file (.txt) looks like.

 

fwilliams_9-1668265026636.png

 

PART 2 (FortiGate).

 

To configure the FortiGate: Just follow the normal FortiGate S2S VPN configuration, but ensure PFS is disabled under phase2 and ensure the parameters matched on both FortiGate and Azure.

It is possible to use CLI to deploy the FortiGate end.

Do not forget to Firewall policy/and static route if the CLI is used.

 

See this sample config below:

 

fwilliams_10-1668265068443.png

 

Verification.

 

The VPN should be UP and green on FortiGate.

It is possible to use the below command to check on FortiGate.

 

Phase1:

 

# diagnose vpn ike gateway list name "Azure_VPN"

 

fwilliams_11-1668265088829.png

 

Phase2:

 

# diagnose vpn tunnel list name "Azure_VPN"

 

fwilliams_12-1668265108352.png

 

The VPN status on Azure will show as connected.

 

fwilliams_13-1668265131777.png

 

Note.

Microsoft advises the clamp TCP MSS at 1350, or adjust MTU the interface to 1400 byte for optimal experience.

 

Troubleshooting:

 

It is possible to use below debug commandsto troubleshoot on FortiGate:

 

# diagnose vpn ike log-filter dst-addr4 20.160.152.105 <----- Azure Public IP.

 

# diagnose debug application ike -1

 

# diagnose debug enable

 

# diagnose vpn ike gateway list name "name" <----- To check phase 1 status.

 

# diagnose vpn tunnel list name "name" <----- To check phase 2 status.

Contributors