JakeBlues
New Contributor

Fortigate VM64-AZURE VPN IPSEC connection to other Azure vNETs

Hi all,

I'm trying out Fortigate VM64-AZURE on Azure.

My task is to have it as an IPsec VPN terminator which allows authorized clients to connect to some Azure vNets that are peered with the VM64 vNet.

Fortigate is in its own vNet (call it FwvNet), and clients connect to this vNet without problems, i.e. I've put a test VM in the internal vNet, and clients can ping it, ssh to it and whatever.

I've peered FwvNet with another vNet, say AppvNet.

From the test machine I can ping VMs on AppvNet, but from the IPsec clients I can't.

What am I missing?

Thanks for your help

1 Solution
pa_iva

Hi Jakeblues,

The APIPA address as first hop is OK, it's just an IP automatically assigned to the virtual tunnel interface.

One thing I noticed: the client is getting the IP 10.254.0.224, but in the last test you say that:

@JakeBlues wrote:

There's another odd behaviour: if I ping a VM on the same vNet as Fortigate's internal port, I can do it.

If I do a traceroute on it I get

Tracing route to 10.254.0.5 over a maximum of 30 hops

1 23 ms 23 ms 23 ms 169.254.1.1
2 33 ms 25 ms 24 ms 10.254.0.5

So, it seems that for the Client Address Range you're using the same subnet that is also a directly connected network on the Fortigate in Azure (internal port). This will lead to some routing issues; the client address pool should be in a range that is not currently in use. Can you please verify this and post the output of your full routing table?

get router info routing table all

get router info routing table database
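The check the accepted answer asks for (does the IPsec client address pool collide with any prefix the FortiGate already knows?) can be automated against the output of `get router info routing table all`. The script below is an added example, not code from the thread or from Fortinet; the routing-table text it parses is constructed to resemble the FortiGate CLI format with the subnet from the thread (10.254.0.0/24 on the internal port) plus an assumed peered-vNet route, since the poster never published their real table. It compares the pool that caused the problem (10.254.0.224 inside the internal subnet) with the non-overlapping range the answer suggests (192.168.250.1-192.168.250.254).

```python
import ipaddress
import re

# Constructed sample output modelled on `get router info routing table all`.
# The 10.254.0.0/24 internal subnet comes from the thread; the port1 subnet
# and the 10.10.0.0/16 route towards the peered AppvNet are assumptions.
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       > - selected route, * - FIB route, p - stale info

S*      0.0.0.0/0 [10/0] via 10.254.1.1, port1
C       10.254.1.0/24 is directly connected, port1
C       10.254.0.0/24 is directly connected, port2
S       10.10.0.0/16 [10/0] via 10.254.0.1, port2
"""

# A route line starts with its code (C, S, S*, B, ...) followed by the prefix.
# Header lines ("Codes: K - kernel") have no prefix after the first token.
ROUTE_RE = re.compile(r"^([A-Z][^\s]*)\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})")


def parse_routing_table(text):
    """Return {prefix: route_code} for every route line in the CLI output."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix = ipaddress.ip_network(m.group(2), strict=False)
            routes[prefix] = m.group(1)
    return routes


def pool_to_networks(first, last):
    """Turn a FortiGate Client Address Range (first-last) into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def find_overlaps(pool_blocks, routes):
    """List (pool_block, route_prefix, code) for every known prefix the pool
    collides with. The default route (/0) is skipped: it overlaps everything
    by definition and does not indicate an address conflict."""
    hits = []
    for block in pool_blocks:
        for prefix, code in routes.items():
            if prefix.prefixlen == 0:
                continue
            if block.overlaps(prefix):
                hits.append((block, prefix, code))
    return hits


def check_pool(first, last, table_text=SAMPLE_ROUTING_TABLE):
    """Return the overlap list for a candidate pool; empty means safe."""
    return find_overlaps(pool_to_networks(first, last),
                         parse_routing_table(table_text))


if __name__ == "__main__":
    # Pool drawn from the internal subnet, as in the thread: collides with port2.
    bad = check_pool("10.254.0.224", "10.254.0.254")
    for block, prefix, code in bad:
        print(f"CONFLICT: pool {block} overlaps {prefix} ({code} route)")

    # Pool suggested in the thread: no collision with any known prefix.
    good = check_pool("192.168.250.1", "192.168.250.254")
    print("192.168.250.1-254 overlaps:", good or "none")
```

Run it once with the real table pasted into `SAMPLE_ROUTING_TABLE`; any hit against a `C` (connected) route is exactly the situation the answer describes, where the FortiGate has two paths to the same addresses (the tunnel's /32 client route and the directly connected interface) and replies from the internal subnet never make it back into the tunnel.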

pa_iva

Hi,

Yes, that could potentially lead to some routing issues, although the client has a /32, namely if there's another VM on the internal port that has an overlapping address.

Can you try to change the Client Address Range to something else that's not in use? Like 192.168.250.1-192.168.250.254.