First of all, we've search for our problem on the forum but even if there were posts about it, we couldn't find any solution.
We're facing a problem right now regarding the VPN of our company.
Our devices :
- 2 x Fortigate 100F (HA) in HQ with 7.0.1 Firmware. - 1x FortiGate VM64-AZURE on Azure with 6.4.8 Firmware. - Forticlient VPN for remote users.
At the moment we have SSL and IPSec remote connections to HQ for remote users and everything works fine.
When we've added a platform on Azure Cloud as you can see on the topology below, we created an IPSec site to site VPN.
It's working fine for the users on the LAN and we've modified the firewall configuration for the SSL VPN so the remote users can access the Azure Cloud.
The problem is that we don't know how to do the same with the IPSec remote users as when we configure the remote IPSec tunnel, we can't chose the VPN (Azure) interface, only local interfaces can be added.
We've kind of replicated the topology in a lab and tried different approaches but still aren't able to make the IPSec remote => IPsec site to site connection to be successful.
I'd like to know if you could help us understand how to do the configuration, if it's even possible :).
Yes, we have split-tunnel enabled. I already had the Azure subnet on the Remote IPSec tunnel and the FW policies to point each directions.
So I tough the problem came from the IPsec site-to-site as it was already setup with the HQ but it didn't include the remote IPsec subnet. I wanted to add it to the existing address group but the address didn't show up.
So I deleted the VPN site-to-site and set it up again so I could add manually the remote IPsec subnet. I configured the FW policies accordingly and it's now working properly, I can access the Cloud from remote users.
There is one thing that annoy me : Why can't we add address to an existing address group made by the wizard from the IPsec tunnel?
*** I'm saying that because in our lab it's easy to delete and remake, but on the live network it's not the same and there are many subnets/FW rules and sometimes there is even a need to add new subnets.
*** I edit my answer even if I didn't post it yet. I have made an address group and there I could add any address I wanted, so next time I know that I don't have to delete the IPsec tunnel to add a subnet, but just replace the group made by the wizard by a new one.
If you have some good practice about that, I'm all ears though.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.