Channel: Fortinet Cookbook

IPsec VPN to Microsoft Azure


The following recipe describes how to configure a site-to-site IPsec VPN tunnel. In this example, one site is behind a FortiGate and the other is hosted on Microsoft Azure™, for which you will need a valid Microsoft Azure account.

Using FortiOS 5.4, the example shows how to configure the tunnel at each site, avoiding overlapping subnets, so that a secure tunnel can be established and traffic over it controlled by your configured security policies.

1. Configuring the Microsoft Azure virtual network

Log into Microsoft Azure and click New. In the Search the marketplace field, type “Virtual Network”. Locate Virtual Network from the returned list and click to open the Virtual Network blade.


Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create.


On the Create virtual network blade, fill in the values for your Virtual Network settings and click Create.


2. Specifying the Microsoft Azure DNS server

On the Settings page for your virtual network, navigate to DNS Servers and click to open the DNS servers blade. Enter the IP address of the DNS server and click Save at the top of the blade.

3. Creating the Microsoft Azure virtual network gateway

In the portal, go to New. Type “Virtual Network Gateway” in search. Locate Virtual network gateway in the search return and click the entry. This opens the Create virtual network gateway blade.


Click Create at the bottom of the Virtual network gateway blade. The Create virtual network gateway blade will open. Fill in the values for your virtual network gateway and click Create.


4. Creating the Microsoft Azure local network gateway

The ‘local network gateway’ refers to your on-premises location. Give the local network gateway a name by which Azure can refer to it.

In the portal, from All resources, click +Add. In the Everything blade search box, type Local network gateway, then click to search. This will return a list. Click Local network gateway to open the blade, then click Create to open the Create local network gateway blade.

Fill in the values for your local network gateway.

5. Configuring the FortiGate tunnel

Go to VPN > IPsec Wizard and select Custom.

Enter a Name for the tunnel and click Next.


Set the Remote Gateway to Static IP Address, and include the gateway IP Address provided by Microsoft Azure.

Set the Local Interface to wan1.

Disable NAT Traversal and Dead Peer Detection.


Under Authentication, enter a Pre-shared Key and ensure that you enable IKEv2.


Under Phase 1 Proposal, set the Encryption algorithm to AES 128 and the Authentication algorithm to SHA1.

Select 2 for Diffie-Hellman Group.


Scroll down to Phase 2 Selectors and set Local Address to the local subnet and Remote Address to the VPN tunnel endpoint subnet (found under Virtual Network Address Spaces in Microsoft Azure).

Enable the encryption types to match Phase 1.


6. Creating the FortiGate firewall addresses

Go to Policy & Objects > Addresses and configure a firewall address for the local network.


Create another firewall object for the Azure VPN tunnel subnet.


7. Creating the FortiGate firewall policies

Go to Policy & Objects > IPv4 Policy and create a new policy for the site-to-site connection that allows outgoing traffic.

Set the Source Address and Destination Address using the firewall objects you just created. Make sure that NAT is disabled.


When you are done, create another policy for the same connection to allow incoming traffic.

This time, invert the Source Address and Destination Address.


8. Creating the FortiGate static route

Go to Network > Static Routes and create a new static route that forces outgoing traffic destined for the Microsoft Azure network through the route-based IPsec VPN tunnel. Set its Administrative Distance to a value lower than the one set for the existing default route.

9. Creating a Microsoft Azure Site-to-Site VPN connection

Locate your virtual network gateway and click All settings to open the Settings blade.

On the Settings blade, click Connections, and then click Add at the top of the blade to open the Add connection blade.

Fill in the values for your connection and click Create.

Make sure that the Shared Key (PSK) matches the pre-shared key configured earlier on the FortiGate unit.


10. Results

Go to Monitor > IPsec Monitor. You should see that the tunnel is UP, with incoming and outgoing data.


Go to Log & Report > VPN Events.

Select an entry to view more information and verify the connection.


Return to the Microsoft Azure portal, click All resources and navigate to your virtual network gateway.

On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is ‘Connected’ when you have made a successful connection. Ingress and egress bytes confirm traffic flowing through the tunnel.


The post IPsec VPN to Microsoft Azure appeared first on Fortinet Cookbook.