Description
This article describes how to implement a site-to-site (S2S) VPN between a Microsoft Azure Virtual Network Gateway and a FortiGate. The article is in two parts: the Azure setup and the FortiGate setup.
Scope
FortiGate.
Solution
Azure: A resource group is required. If one already exists in Azure and is to be used, skip this step; otherwise create one (it is straightforward). A resource group in Azure groups all the resources of an application so they can be managed together. For this demonstration, a resource group called SampleRG is created. To create a resource group, select 'Create a resource' under Azure services, search for the resource name and fill in the required data. Once done, review/validate it and then select 'Create'.
With the resource group in place, five more resources are needed to deploy the S2S VPN. As stated before, to create any resource, select 'Create a resource' under Azure services, search for the name of the resource and fill in the required data.
Here are the five needed:
Virtual Network (VN): A VN creates a logically isolated section in Azure. The VN here is named SampleVN.
Virtual Network Gateway (VNG): The VNG is the software 'VPN device' for the Azure network. Use the VNG together with a connection (created in step 5) to set up the S2S VPN between Azure and the FortiGate. The VNG here is named SampleVNG.
Local Network Gateway (LNG): The LNG represents the FortiGate in Azure. It holds the remote FortiGate public IP and the LAN subnets behind the on-premise FortiGate that are to be reachable from Azure. The LNG name used here is SampleLNG.
Public IP Address (PIP): A public IP named SamplePIP is created here. This is the IP Azure uses to communicate with the FortiGate over the Internet.
Connection: The connection is what Azure uses to couple the VNG and LNG together and to define the IKE version as well as the IPsec/IKE policy. The name of the connection is Sample_IPSec_VPN.
See below:
Once the connection configuration is completed, its VPN configuration settings can be downloaded and sent to the administrator of the remote (on-premise) site, so they know exactly what Azure expects on their end. If both ends are managed by the same team, the file also helps verify that the settings match on both sides when an issue needs to be troubleshot. Select 'Download configuration'; under 'Device vendor' choose Generic, under 'Device family' choose 'Device parameters', under 'Firmware version' choose 1.0, then download the configuration. A text file with the S2S VPN settings is downloaded.
Similar to below:
Below is what the downloaded file (.txt) looks like.
FortiGate: To configure the FortiGate, follow the normal FortiGate S2S VPN configuration, but ensure PFS is disabled under phase 2 and that the parameters match on both the FortiGate and Azure. The FortiGate end can also be deployed from the CLI; if the CLI is used, do not forget the firewall policies and the static route.
See this sample config below:
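The following FortiOS CLI configuration is an added example, not the article's own sample config. It assumes WAN interface "wan1", LAN interface "internal", an on-premise LAN of 192.168.1.0/24, an Azure VNet address space of 10.0.0.0/16, the Azure public IP 20.160.152.105 used in the troubleshooting section, and a pre-shared key placeholder <PSK>. The proposals, DH group and lifetimes shown are assumptions that must be replaced with the values from the configuration file downloaded from the Azure connection; PFS is disabled in phase 2 and TCP MSS is clamped to 1350 in the policies, as Microsoft advises.

```fortios
# Added example (not from the original article). Assumed values: WAN interface "wan1",
# LAN interface "internal", on-premise LAN 192.168.1.0/24, Azure VNet 10.0.0.0/16,
# Azure public IP 20.160.152.105 (the one used in the troubleshooting section) and the
# pre-shared key placeholder <PSK>. Proposals and lifetimes must match the file
# downloaded from the Azure connection.

# Phase 1: IKEv2; proposal and DH group must match the Azure IKE policy
config vpn ipsec phase1-interface
    edit "Azure_VPN"
        set interface "wan1"
        set ike-version 2
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 2
        set remote-gw 20.160.152.105
        set psksecret <PSK>
    next
end

# Phase 2: PFS disabled; traffic selectors are local LAN <-> Azure VNet
config vpn ipsec phase2-interface
    edit "Azure_VPN"
        set phase1name "Azure_VPN"
        set proposal aes256-sha256
        set pfs disable
        set keylifeseconds 27000
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
end

# Address objects referenced by the firewall policies
config firewall address
    edit "Local_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Azure_VNet"
        set subnet 10.0.0.0 255.255.0.0
    next
end

# Static route: send traffic for the Azure VNet into the tunnel interface
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "Azure_VPN"
    next
end

# Firewall policies in both directions; TCP MSS clamped to 1350 per Microsoft's advice
config firewall policy
    edit 0
        set name "LAN_to_Azure"
        set srcintf "internal"
        set dstintf "Azure_VPN"
        set srcaddr "Local_LAN"
        set dstaddr "Azure_VNet"
        set action accept
        set schedule "always"
        set service "ALL"
        set tcp-mss-sender 1350
        set tcp-mss-receiver 1350
    next
    edit 0
        set name "Azure_to_LAN"
        set srcintf "Azure_VPN"
        set dstintf "internal"
        set srcaddr "Azure_VNet"
        set dstaddr "Local_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set tcp-mss-sender 1350
        set tcp-mss-receiver 1350
    next
end
```

Paste the configuration into the FortiGate CLI (or a CLI script) after substituting the real interface names, subnets, Azure public IP and pre-shared key. The "ALL" service in both policies is a starting point; restrict it to the services actually needed between the two sites. The static route is what makes the tunnel interface the next hop for the VNet, so without it the phase 2 SA can come up while traffic never enters the tunnel.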
Verification.
The VPN should be up and green on the FortiGate. The commands below can be used to check on the FortiGate.
Phase1:
diagnose vpn ike gateway list name "Azure_VPN"
Phase2:
diagnose vpn tunnel list name "Azure_VPN"
The VPN status on Azure will show as connected.
Note: Microsoft advises clamping the TCP MSS to 1350, or adjusting the interface MTU to 1400 bytes, for the best experience.
Troubleshooting: The following debug commands can be used to troubleshoot on the FortiGate:
diagnose vpn ike log-filter dst-addr4 20.160.152.105 <----- Azure Public IP.
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway list name "name" <----- To check phase 1 status.
diagnose vpn tunnel list name "name" <----- To check phase 2 status.
Note: In v7.4.0, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log-filter rem-addr4', and starting from v7.4.1, the 'diagnose vpn ike log-filter rem-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.