Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
burtmianus
New Contributor II

Azure Fortigate Configuration

Hola,

 

So we're about to buy 3 x 4-core Fortigate VMs in Azure (I have the custom json file to make the right ones as it's not a azure Marketplace option yet), and have ninja'd a 30 day license off our SE (in fact this is my third).

 

It seems that my first attempt at deploying these things was a fluke, as my latest attempt has turned into a failure.... so I am hoping that someone out there has had success in using Azure and Fortigate together....

 

Here's what I'm doing:

 

Have deployed the Fortigate VM in Azure using the defaults that you get given (load balancer, 2 public IPs [linux machine and load balancer front end], linux vm, NICs, user defined routing etc.) and i have logged in, changed admin port, successfully added it to our fortimanager and imported a rudminetary policy.

 

I then tried to add it to our VPN Mesh, this is where it fell over - something in the Azure half of this is confusing the hell out of me, so what I am looking for is someone who has used Fortigate Azure VM to VPN to another Fortigate and knows the nuances that using Azure's platform provides (i.e. the NICs are DHCP, which public IP to use, what IP to set as local gateway in the vpn config etc.).

 

So if you can help please do, don't just point me to the "VPN to Azure" article as that isn't it!

 

Thanks

 

Chris

 

1 REPLY 1
emnoc
Esteemed Contributor III

Will if you gotten this far you should be almost at home base. Lesson I learned build site2site to azure non-FGT

 

IKEv2 baby yes IKEv2

 if your doing ipsec LAN2LAN  ( assumption you are ) than you need to  t-shoot the proposal and negoiation with  the remote-peer

 

It ( AzueFGT-VM ) is pretty much the same as any FGT, you should not have the many obstacles imho. The portal for native  IPSEC  is very basic , as much so as GOOG compute.

 

set and define your phase1/2 ( 0.0.0.0/0:0 )  and fwpolices

 

 

Here's what I configured on the  headend  FGT that was nailed to azure instance.

 

 

config vpn ipsec phase1-interface      edit  FGT2AZURE                     set interface wan1                          set ike-version 2          set dhgrp 2          set proposal aes128-sha1 aes256-sha1          set remote-gw <x.x.x.)          set psksecret ourstrongkeyhere      next  end onfig vpn ipsec phase2-interface      edit  FGT2AZUREP2              set keepalive enable          set keylife-type both          set pfs disable          set phase1name FGT2AZURE          set proposal aes128-sha1 aes256-sha1          set keylifeseconds 3600      next  end ( don't forget static routes and +fwpolicies )

 

On the  MS AZURE side we used the following;

 

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-p...

 

So you will have to extract that howto to apply on the FGT in azure.

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors