Description
This article describes how to set up an IPsec VPN tunnel between a FortiGate device and a Microsoft Azure VPN gateway in order to access Azure cloud services.
Scope
FortiGate.
Solution
config firewall address
edit "MyAzureNetwork"
set subnet 192.168.10.0 255.255.255.0
next
edit "MyPrivateLAN"
set associated-interface "internal"
set subnet 192.168.0.0 255.255.255.0
next
end
Note:
Be aware that the interface associated with the private LAN segment may differ from "internal" (e.g. port1, lan, internal1); use the interface name configured on the unit.
config vpn ipsec phase1-interface
edit "ToAzure"
set interface "wan1"
set proposal aes256-sha1
set dhgrp 2
set keylife 28800
set remote-gw 23.100.120.46
set psksecret <pre-share-key>
set dpd enable
set dpd-retryinterval 10
next
end
Note:
Be aware that remote-gw must be set to the address of the Azure VPN gateway, as obtained from Azure's configuration environment.
config vpn ipsec phase2-interface
edit "P2-Azure"
set phase1name "ToAzure"
set keepalive enable
set keylife-type both
set keylifeseconds 3600
set keylifekbs 102400000
set proposal aes128-sha1
set src-subnet 192.168.0.0 255.255.255.0      [ or: set src-addr-type name / set src-name "MyPrivateLAN" ]
set dst-subnet 192.168.10.0 255.255.255.0     [ or: set dst-addr-type name / set dst-name "MyAzureNetwork" ]
next
end
Note:
Be aware that the text in brackets [ ] marks a choice: either define the phase-2 selectors as subnets directly, or reference the firewall address objects defined above by name.
config router static
edit 21
set device "ToAzure"
set dst 192.168.10.0 255.255.255.0
next
end
config firewall policy
edit 5
set srcintf "internal"
set dstintf "ToAzure"
set srcaddr "MyPrivateLAN"
set dstaddr "MyAzureNetwork"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
next
edit 6
set srcintf "ToAzure"
set dstintf "internal"
set srcaddr "MyAzureNetwork"
set dstaddr "MyPrivateLAN"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
next
end
config system interface
edit "ToAzure"
set ip 10.1.254.1 255.255.255.255
set tcp-mss 1350
set remote-ip 172.0.0.254 255.255.255.255
next
end
Note:
Be aware that both the tunnel interface IP address (10.1.254.1) and the remote IP address (172.0.0.254) must be included in the IPsec phase-2 traffic selectors (TS).
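As an added example (not part of the Fortinet article), the following Python script parses CLI blocks like the ones above and checks the cross-references that usually break a tunnel: the phase-2 phase1name, the static route's device and destination against the phase-2 selectors, and the policy address objects against the firewall address table. The SAMPLE text is constructed from the page's names and subnets in the subnet-selector form; the pre-shared key and crypto settings are left out because they play no part in the cross-checks.

```python
import ipaddress, shlex
# Constructed sample: the page's configuration in subnet-selector form, condensed to the keys that matter here (PSK omitted).
SAMPLE = "\n".join([
    "config firewall address", 'edit "MyAzureNetwork"', "set subnet 192.168.10.0 255.255.255.0", "next",
    'edit "MyPrivateLAN"', 'set associated-interface "internal"', "set subnet 192.168.0.0 255.255.255.0", "next", "end",
    "config vpn ipsec phase1-interface", 'edit "ToAzure"', 'set interface "wan1"', "set remote-gw 23.100.120.46", "next", "end",
    "config vpn ipsec phase2-interface", 'edit "P2-Azure"', 'set phase1name "ToAzure"',
    "set src-subnet 192.168.0.0 255.255.255.0", "set dst-subnet 192.168.10.0 255.255.255.0", "next", "end",
    "config router static", "edit 21", 'set device "ToAzure"', "set dst 192.168.10.0 255.255.255.0", "next", "end",
    "config firewall policy", "edit 5", 'set srcintf "internal"', 'set dstintf "ToAzure"',
    'set srcaddr "MyPrivateLAN"', 'set dstaddr "MyAzureNetwork"', "set action accept", "next", "end",
])

def net(words):
    # two CLI tokens "addr mask" -> ip_network; ipaddress accepts a dotted-decimal mask
    return ipaddress.ip_network("/".join(words), strict=False)

def parse(text):
    """Flat `config/edit/set/next/end` text -> {table: {entry: {key: [values]}}}; shlex honours the quoting."""
    tables, table, entry = {}, None, None
    for tok in filter(None, (shlex.split(line) for line in text.splitlines())):
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return tables

def check(cfg):
    """Return the list of cross-reference problems; an empty list means the blocks are consistent."""
    bad, addrs, p2s = [], cfg["firewall address"], cfg["vpn ipsec phase2-interface"]
    tunnels = set(cfg["vpn ipsec phase1-interface"])
    subnets = {net(a["subnet"]) for a in addrs.values() if "subnet" in a}
    p2_dst = [net(p["dst-subnet"]) for p in p2s.values() if "dst-subnet" in p]
    for name, p2 in p2s.items():
        if p2["phase1name"][0] not in tunnels:
            bad.append(f"phase2 {name}: unknown phase1 {p2['phase1name'][0]}")
        for key in ("src-subnet", "dst-subnet"):  # selectors must mirror the address objects
            if key in p2 and net(p2[key]) not in subnets:
                bad.append(f"phase2 {name}: {key} {' '.join(p2[key])} matches no address object")
    for rid, route in cfg["router static"].items():  # traffic routed into the tunnel must fit a selector
        if route["device"][0] not in tunnels:
            bad.append(f"route {rid}: device {route['device'][0]} is not a tunnel")
        elif not any(net(route["dst"]).subnet_of(d) for d in p2_dst):
            bad.append(f"route {rid}: dst {' '.join(route['dst'])} is outside every phase2 selector")
    for pid, pol in cfg["firewall policy"].items():
        bad += [f"policy {pid}: {k} {a} is undefined" for k in ("srcaddr", "dstaddr") for a in pol[k] if a not in addrs]
    return bad
```

Running check(parse(SAMPLE)) on the page's values returns an empty list; changing the static route's device or the phase-2 dst-subnet produces a message naming the object that no longer lines up.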
Related document:
Connecting a local FortiGate to an Azure VNet VPN
Copyright 2025 Fortinet, Inc. All Rights Reserved.