jlim11 (Staff)
Article Id 346047
Description

This article describes how to configure an IP address on the IPsec tunnel interface pointing to Azure, which is helpful when the FortiGate itself needs to connect to a VM or other resource hosted in Azure.

It assumes the VPN tunnel is already up and working and that the other required configuration (static routes, firewall policy, etc.) is in place: Connecting a local FortiGate to an Azure VNet VPN

For some FortiGate to Azure VPN setups, BGP is not required, so no IP address is configured on the IPsec tunnel interface. Only static routes pointing to the IPsec tunnel are configured on the FortiGate, as in the setup used for this example:


[Image: static route.PNG]


If the IPsec tunnel interface has no IP address configured and the FortiGate tries to connect to a resource reachable through that tunnel, the source IP address used for that self-originated traffic is the IP address of the interface with the lowest index number in the interface list.

[Image: index list.PNG]

[Image: sniffer not working.PNG]


Ping traffic works if the source IP is set with 'execute ping-option source <ip>', because the local IP address or network of the FortiGate is defined on the Azure side.

However, for self-originated traffic such as a configuration backup ('execute config backup'), the source IP address cannot be set.
Setting an IP address on the IPsec tunnel interface is one way to make this traffic work.

Scope
FortiGate v7.2 and below
Solution
1. Configure the IP address on the IPsec tunnel interface:

 

[Image: FortiGate GUI interface settings.PNG]

 
Note:

For this setup example, the phase2 selectors are configured as 0.0.0.0/0 for both source and destination on the FortiGate.
If the setup uses specific networks in the phase2 selectors, the IP address added to this IPsec tunnel interface must also be included in the phase2 selectors, otherwise traffic sourced from it will not match the tunnel.

 

2. Add the IP address or network configured on the FortiGate's IPsec tunnel interface to the Address Space of the Azure Local Network Gateway.

 

[Image: Local Network Gateway address space settings.PNG]

 

After the configuration above, FortiGate now uses the IP address configured on the IPSEC tunnel as the source IP when reaching the VM on the Azure.
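The same two steps expressed in the FortiOS CLI, as an added example that is not part of the original article. The interface name "Azure-VPN", the tunnel IP 10.255.255.1/32, the peer address 10.255.255.2, the LAN 192.168.1.0/24 and the Azure VNet 10.20.0.0/16 are constructed sample values; the az command in the comment is an assumption about the Azure CLI equivalent of the portal step.

```fortios
# Added example (not from the original article). All addresses are constructed.

# Step 1: give the IPsec tunnel interface an IP address.
# A /32 on a tunnel interface also needs a remote-ip; the pair is only used
# locally and is never advertised, so any unused private address works.
config system interface
    edit "Azure-VPN"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# Only needed when the phase2 selectors are NOT 0.0.0.0/0 (see the note above):
# keep the existing LAN selector and add a second phase2 entry that covers the
# new tunnel IP, otherwise traffic sourced from 10.255.255.1 matches no SA.
config vpn ipsec phase2-interface
    edit "Azure-VPN-LAN"
        set phase1name "Azure-VPN"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
    edit "Azure-VPN-self"
        set phase1name "Azure-VPN"
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end

# Step 2 is done on the Azure side: add 10.255.255.1/32 to the Local Network
# Gateway Address Space (portal, or assumed Azure CLI equivalent:
#   az network local-gateway update -g <rg> -n <lng> \
#     --local-address-prefixes 192.168.1.0/24 10.255.255.1/32 ).

# Verification: ping now leaves with the tunnel IP as source without needing
# 'execute ping-option source', which the sniffer on the tunnel interface shows.
execute ping 10.20.0.4
diagnose sniffer packet Azure-VPN 'host 10.20.0.4' 4
```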


[Image: ping and backup ftp.PNG]

 

[Image: sniffer.PNG]

 

If necessary, also check the Network Security Group applied to the VM hosted in Azure and the endpoint firewall on the VM (if enabled) to allow the traffic.


Related articles:
Technical Tip: Configuring FortiGate to send traffic to a remote server through an IPsec VPN without...

Technical Tip: Configure IP address on an IPSec tunnel interface

Troubleshooting Tip: Unable to backup FortiGate config to external FTP server: 'Send config file to ...

Technical Tip: Self-originating traffic over IPSec VPN (For example ping)
