ssteo
Staff
Article Id 336579
Description This article describes how to keep a policy-based IPsec tunnel from FortiGate to Azure cloud always up, even when no traffic passes through the tunnel.
Scope FortiGate, Azure cloud.
Solution

The IPsec tunnel is established, but it sometimes goes down when no traffic is passing through it.

To prevent the tunnel from going down while idle, it might be necessary to change the connection mode in Azure from 'InitiatorOnly' to 'Default'.

  1. Configure the policy-based IPsec tunnel on the FortiGate as described in the article below:
    Technical Tip: Enable 'Policy-Based IPsec VPN' configuration

  2. Follow the link below to configure the policy-based IPsec tunnel on the Azure side:
    Configure custom IPsec/IKE connection policies for S2S VPN and VNet-to-VNet: PowerShell

  3. After configuring IPsec on both FortiGate and Azure, the IPsec tunnel comes up, but it goes down again when no traffic passes through it.

  4. To keep the tunnel up even when no traffic is passing through, change the connection mode from 'InitiatorOnly' to 'Default' in the Azure VPN gateway setting. In 'Default' mode, Azure can act as a responder, accepting an IPsec request from the other device and replying to it, as well as initiating the IPsec negotiation to the other device itself.
    About VPN Gateway configuration settings
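The connection-mode change from step 4, shown with Azure PowerShell as an added example (not part of the original article or Fortinet's own documentation). The connection mode is a property of the VPN gateway connection resource, so the script reads the current mode from the connection and only switches it when it is still 'InitiatorOnly'; the resource group and connection names are placeholders.

```powershell
# Added example, not from the original article: check the connection mode of an
# Azure site-to-site connection and switch it from 'InitiatorOnly' to 'Default'
# so Azure can both respond to IKE requests from the FortiGate and initiate them.
$rg   = 'rg-fortigate-vpn'       # placeholder resource group name
$name = 'cn-fortigate-to-azure'  # placeholder connection name

Connect-AzAccount | Out-Null     # interactive sign-in; skip if a session already exists

$conn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name $name
Write-Host "Current connection mode: $($conn.ConnectionMode) (status: $($conn.ConnectionStatus))"

if ($conn.ConnectionMode -eq 'InitiatorOnly') {
    # 'Default' lets Azure act as responder as well as initiator, so the tunnel
    # can be re-established from either side while no traffic is flowing.
    Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -ConnectionMode 'Default' | Out-Null

    # Re-read the connection to confirm the change was applied.
    $conn = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name $name
    Write-Host "Connection mode is now: $($conn.ConnectionMode)"
}
else {
    Write-Host "No change needed; connection mode is already '$($conn.ConnectionMode)'."
}
```

After the change, `diagnose vpn ike gateway list` on the FortiGate shows whether the IKE SA stays established once traffic stops.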