tony85
New Contributor

vpn site-to-site fortigate to Azure

Hi guys, I need to configure a site-to-site VPN between a Fortigate100E in HA and Azure. The Fortigate is set up with 2 WANs in load balancing.

I want to know how to configure this VPN from the firewall with two WANs to Azure Cloud in such a way as to have high reliability of the VPN (in case one of the lines is down, the VPN is routed to the other active line).

 

Firmware version of two firewalls is 6.0.2

thanks for your support 

Antonio

 

 

1 Solution
Eleguardini
New Contributor II

Hi tony85,

In my environment (dealing with two FortiGates), what I did to configure a VPN failover was to configure two identical VPNs (on the FortiGate side), one with interface set to wan1 and the other with wan2.

Once that is done, if you edit the backup VPN through the CLI, there is a setting "set monitor ' '" which allows you to set the failover VPN in monitor mode with respect to the other one.

So for example:

- VPN-Headquarter (wan1)

- VPN-Backup (wan2)

Enter the cli:

- config vpn ipsec phase1-interface

- edit VPN-Backup

- set monitor 'VPN-Headquarter'

- end

Once that is done, you will see only the primary one up. If the wan1 interface goes down, the backup one will come up.

Hopefully this configuration will help you.

Eleonora

 

tony85

Hi Eleonora, thanks for your help.

On the remote site, have you also indicated the second public IP of the WAN2 (VPN-Backup)?

 

thanks

 

 

 

 
Eleguardini
New Contributor II

Yes. Actually now that I thought about it, it worked also between a Fortigate and a PFSense. I've configured the same two vpns on the PFSense, one for the headquarter and one for backup (so one for the public ip of wan1 and the other for wan2). They were identical besides the remote gateway.

AlexFeren

The alternative, if using interface-mode IPSec tunnels, is to have both up, but prefer one over the other by different administrative distances for each route.
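
The alternative described in the reply above, written out as FortiOS CLI. This is an added example, not configuration posted in the thread. The tunnel names follow the thread; the addresses, route IDs and `<psk>` are placeholders, and it assumes the remote side has one tunnel per local public IP and that firewall policies exist for both tunnel interfaces.

```fortios
# Added example (constructed): both interface-mode tunnels stay up and
# routing prefers the primary through a lower administrative distance.
# Placeholders: 203.0.113.10 = remote gateway, 10.20.0.0/16 = remote subnet,
# <psk> = pre-shared key. Proposals and selectors are left at their defaults.
config vpn ipsec phase1-interface
    edit "VPN-Headquarter"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set psksecret <psk>
        # DPD marks the tunnel down when the peer stops answering,
        # which withdraws the route that points at this tunnel.
        set dpd on-idle
    next
    edit "VPN-Backup"
        set interface "wan2"
        set remote-gw 203.0.113.10
        set psksecret <psk>
        set dpd on-idle
    next
end
config vpn ipsec phase2-interface
    edit "VPN-Headquarter-p2"
        set phase1name "VPN-Headquarter"
    next
    edit "VPN-Backup-p2"
        set phase1name "VPN-Backup"
    next
end
config router static
    # Route IDs 101 and 102 are arbitrary. Lower distance wins while wan1 is up.
    edit 101
        set dst 10.20.0.0 255.255.0.0
        set device "VPN-Headquarter"
        set distance 10
    next
    # Installed in the routing table only when the route above is withdrawn.
    edit 102
        set dst 10.20.0.0 255.255.0.0
        set device "VPN-Backup"
        set distance 20
    next
end
```

Unlike the `set monitor` approach, no `monitor` setting is used here: the backup tunnel is negotiated all the time and only the routing decision changes on failover.
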
tony85

thanks to all, now I just have to find out if Azure allows this configuration 

 

tony85

Thank you guys, now I just have to discover if Azure supports this configuration ;)

tony85
New Contributor

Hi guys, I managed to establish the site-to-site VPN between my firewall and Azure. Now I have another problem: I want to reach the Azure VM also via VPN client, but for now it is unreachable.

Can you help me?

 

thanks

Antonio

 