Support Forum
benoitf
New Contributor

VIP Azure VPN

Hi,

I have a Fortigate 200D (5.6.7) with Public IP addresses mapped to multiple servers using VIPs. We are currently implementing an Azure replication site and we were able to create a VPN connection to Azure and everything works fine; we have access from the Inside interface to our servers that are replicated.

Now, we want to be able to access the replicated servers services through our public IP addresses configured on the Fortigate. The idea is if our servers are down but our Fortigate is UP, we want to be able to turn on the servers in Azure and still use our Public IPs.

I created a VIP mapping to a server on our Azure VPN like I would for the servers situated in the Inside interface, but it doesn't seem to work. I see some traffic going from the outside interface to the Azure VPN interface and after that nothing.

Has someone already tried this?

What I did was:

1. Create a VIP with one of our public IPs on the outside interface mapped to the IP of the server in the Azure VPN interface.
2. Create a policy from the Outside interface to the Azure VPN interface using the VIP. (NAT disabled)
3. Add the public IP in the phase 2 local subnet on the VPN on the Fortigate.
4. Add the public IP in the Azure subnet VPN configuration.

Thank you.

    Toshi_Esumi
    Esteemed Contributor III

    I don't know how Azure's VPN works but am assuming an IPSec VPN. Then likely the tunnel is not built to pass traffic sourced from the internet. VIP changes the destination (DNAT) but not source (SNAT). Besides, even if it had passed the tunnel, the returning traffic from the Azure server toward the internet, I assume, wouldn't come back through the tunnel.

    So I would set a proper IP that would pass the tunnel on the Azure vpn interface on the FGT side, and set NAT(SNAT) on the policy that you applied the VIP.

    benoitf

    Yes, it’s an IPSec VPN. When you say to set a proper IP that would pass the tunnel on the Azure vpn interface do you mean to set the "IP" field in the Azure VPN interface to an IP in the subnet of the azure vpn interface?

    Toshi_Esumi
    Esteemed Contributor III

    I have no knowledge on Azure side for any vpns. I was talking about the vpn interface IP on the FGT side. I'm assuming it's an interface mode IPsec on that side, and the IP you might already have or will have needs to be within the phase2 selectors. Otherwise sourcing that IP by NATing wouldn't make any difference.
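The two replies above amount to a concrete FortiOS change: give the FGT-side IPsec interface an address that sits inside the phase 2 selectors, and enable NAT on the VIP policy so internet-sourced traffic is SNATed to that address before it enters the tunnel (and so the replies from Azure have a route back through the tunnel). The CLI fragment below is an added example, not configuration posted by either participant. The interface name "azure-vpn", the WAN interface "wan1", the public IP 203.0.113.10, the tunnel address 10.99.99.1/24 and the Azure server 10.1.0.10 are all assumed placeholders; the example also assumes the Azure side (local network gateway / policy-based selectors) lists 10.99.99.0/24, otherwise Azure will not accept the SNATed source.

```fortios
# Added example (not from the thread). Names and addresses are placeholders.

# 1. Address on the FortiGate end of the IPsec interface. With "set nat enable"
#    on the policy and no IP pool, FortiOS uses this outgoing-interface IP as
#    the SNAT source, so it must fall inside the phase 2 local selector.
config system interface
    edit "azure-vpn"
        set ip 10.99.99.1 255.255.255.255
        set remote-ip 10.99.99.2 255.255.255.255
    next
end

# 2. Phase 2 selector that covers the SNAT source (the existing LAN selector
#    stays as it is; this one is added alongside it).
config vpn ipsec phase2-interface
    edit "azure-p2-snat"
        set phase1name "azure-vpn"
        set src-subnet 10.99.99.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end

# 3. VIP: public IP on the WAN interface mapped to the Azure server (DNAT only).
config firewall vip
    edit "vip-azure-web"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.1.0.10"
    next
end

# 4. Policy from the internet to the tunnel. "set nat enable" is the change
#    from the original setup: without it the source stays the internet client's
#    address, which matches no selector and has no return path via the tunnel.
config firewall policy
    edit 0
        set name "inet-to-azure-via-vip"
        set srcintf "wan1"
        set dstintf "azure-vpn"
        set srcaddr "all"
        set dstaddr "vip-azure-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
end

# Check: packets on the tunnel interface should now show source 10.99.99.1,
# and the Azure server's replies should arrive on the same interface.
# diagnose sniffer packet azure-vpn 'host 10.1.0.10' 4
```

Restrict `service` to what the replicated server actually exposes; the VIP plus SNAT makes the Azure host reachable from the internet under the public address, so the policy should be as narrow as the one that protected the on-premises server.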
