

IPsec VPN to an Azure with virtual WAN

IPsec VPN to an Azure with virtual WAN

This is a sample configuration of an IPsec site-to-site VPN connection between an on-premises FortiGate and an Azure virtual network (VNet). This example uses Azure virtual WAN (vWAN) to establish the VPN connection.

Note
  • Azure must use IKEv2 (set ike-version 2 on the FortiGate) for this configuration.
  • Azure uses overlapping subnet IP addresses for the IPsec tunnel interfaces, which is why the FortiGate configuration below enables allow-subnet-overlap.
To configure an IKEv2 IPsec site-to-site VPN to an Azure VPN gateway:
  1. In the Azure management portal, configure vWAN-related settings as described in Tutorial: Create a Site-to-Site connection using Azure Virtual WAN.

    If a custom BGP IP address is configured on Azure's vWAN, such as 169.254.21.6 and 169.254.21.7, you must set the FortiGate tunnel interface remote-ip to the corresponding Custom BGP IP Address value. If a custom BGP IP address is not configured, the FortiGate remote-ip values should point to the Default BGP IP Address values.

  2. Download the VPN configuration. The downloaded file contains the pre-shared key (PSK) in cleartext, so handle and store it as a secret. The following shows an example VPN configuration:

    [ {"configurationVersion":{"LastUpdatedTime":"2019-07-16T22:16:28.0409002Z","Version":"be5c5787-b903-43b1-a237-49eae1b373e4"},"vpnSiteConfiguration":{"Name":"toaws","IPAddress":"3.220.252.93","BgpSetting":{"Asn":7225,"BgpPeeringAddress":"169.254.24.25","PeerWeight":32768},"LinkName":"toaws"},"vpnSiteConnections":[{"hubConfiguration":{"AddressSpace":"10.1.0.0/16","Region":"West US","ConnectedSubnets":["10.2.0.0/16"]},"gatewayConfiguration":{"IpAddresses":{"Instance0":"52.180.90.47","Instance1":"52.180.89.94"},"BgpSetting":{"Asn":65515,"BgpPeeringAddresses":{"Instance0":"10.1.0.7","Instance1":"10.1.0.6"},"PeerWeight":0}},"connectionConfiguration":{"IsBgpEnabled":true,"PSK":"Fortinet123#","IPsecParameters":{"SADataSizeInKilobytes":102400000,"SALifeTimeInSeconds":3600}}}]} ]

  3. Configure the following on the FortiGate. Note that for set proposal and set dhgrp you can select from several proposals, but the values must match what the Azure VPN gateway is configured to accept; where both sides support it, prefer stronger options than the aes256-sha1 and DH group 2 shown here. The psksecret values shown are encrypted (ENC) values from the example device; on your own FortiGate, enter the PSK from the downloaded configuration in step 2 instead.

    config vpn ipsec phase1-interface

    edit "toazure1"

    set interface "port1"

    set ike-version 2

    set keylife 28800

    set peertype any

    set proposal aes256-sha1

    set dhgrp 2

    set remote-gw 52.180.90.47

    set psksecret ENC BJeE+CnBFbdepvvMMfXmb1QlWmB/QfxAvSuj0/Ol3KI3LgP0ac1Rc80YJRHN2Q7ocGpF96/7F0MCNRjAEk62wQHeHNi8zQKc0DGTffRIyf/ln6l3JMp+r2hVFTv41HlzfKlE5L+rOuSPj4y941rJVPjIx9aID7dAYUMUh/D1elTB/PqAXAt0JU+9gDbki4br5Zq8tQ==

    next

    edit "toazure2"

    set interface "port1"

    set ike-version 2

    set keylife 28800

    set peertype any

    set proposal aes256-sha1

    set dhgrp 2

    set remote-gw 52.180.89.94

    set psksecret ENC sNVpQEGX79oH3u57I6AjipdPALYIERj7CMDSJY7RG39g0yUmPVJVcq1+u5v3gA6URhzaD3NjqUoIfJD3yOE34mIWFo9Q6skowGnQURlQxukENC8kTpEl3YqYESCKULoRc3/sVKDZItyjWcZ/0iHsqkCyWvm/jDJuy3UPxI7uOktkDtZPho8wjnMYeKmMR5EaG28oSA==

    next

    end

    config vpn ipsec phase2-interface

    edit "toazure1"

    set phase1name "toazure1"

    set proposal aes256-sha1

    set dhgrp 2

    set keylifeseconds 3600

    next

    edit "toazure2"

    set phase1name "toazure2"

    set proposal aes256-sha1

    set dhgrp 2

    set keylifeseconds 3600

    next

    end

    config system settings

    set allow-subnet-overlap enable

    end

    config system interface

    edit "toazure1"

    set vdom "root"

    set ip 169.254.24.25 255.255.255.255

    set type tunnel

    set remote-ip 10.1.0.7 255.255.255.255

    set snmp-index 4

    set interface "port1"

    next

    edit "toazure2"

    set vdom "root"

    set ip 169.254.24.25 255.255.255.255

    set type tunnel

    set remote-ip 10.1.0.6 255.255.255.255

    set snmp-index 5

    set interface "port1"

    next

    end

    config router bgp

    set as 7225

    set router-id 169.254.24.25

    config neighbor

    edit "10.1.0.7"

    set remote-as 65515

    next

    edit "10.1.0.6"

    set remote-as 65515

    next

    end

    config network

    edit 1

    set prefix 172.30.101.0 255.255.255.0

    next

    end

    config redistribute "connected"

    set status enable

    end

    config redistribute "rip"

    end

    config redistribute "ospf"

    end

    config redistribute "static"

    end

    config redistribute "isis"

    end

    config redistribute6 "connected"

    end

    config redistribute6 "rip"

    end

    config redistribute6 "ospf"

    end

    config redistribute6 "static"

    end

    config redistribute6 "isis"

    end

    end

  4. Run diagnose vpn tunnel list. If the configuration was successful, the output should resemble the following. The routing table shown after it (for example from get router info routing-table all) should list the Azure hub and connected-subnet prefixes (10.1.0.0/16 and 10.2.0.0/16) as BGP routes learned via the tunnel interfaces:
    name=toazure1 ver=2 serial=3 172.30.1.83:4500->52.180.90.47:4500
    bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
    proxyid_num=1 child_num=0 refcnt=15 ilast=16 olast=36 ad=/0
    stat: rxp=41 txp=41 rxb=5104 txb=2209
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
    natt: mode=keepalive draft=0 interval=10 remote_port=4500
    proxyid=toazure1 proto=0 sa=1 ref=2 serial=4
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=3 options=10226 type=00 soft=0 mtu=8926 expire=2463/0B replaywin=2048
           seqno=2a esn=0 replaywin_lastseq=00000029 itn=0
      life: type=01 bytes=0/0 timeout=3300/3600
      dec: spi=c13f7928 esp=aes key=32 009a86bb0d6f5fee66af7b8232c8c0f22e6ec5c61ba19c93569bd0cd115910a9
           ah=sha1 key=20 f05bfeb0060afa89d4afdfac35960a8a7a4d4856
      enc: spi=b40a6c70 esp=aes key=32 a1e361075267ba72b39924c5e6c766fd0b08e0548476de2792ee72057fe60d1d
           ah=sha1 key=20 b1d24bedb0eb8fbd26de3e7c0b0a3a799548f52f
      dec:pkts/bytes=41/2186, enc:pkts/bytes=41/5120
    ------------------------------------------------------
    name=toazure2 ver=2 serial=4 172.30.1.83:4500->52.180.89.94:4500
    bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
    proxyid_num=1 child_num=0 refcnt=16 ilast=16 olast=16 ad=/0
    stat: rxp=40 txp=40 rxb=4928 txb=2135
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
    natt: mode=keepalive draft=0 interval=10 remote_port=4500
    proxyid=toazure2 proto=0 sa=1 ref=2 serial=4
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=3 options=10626 type=00 soft=0 mtu=8926 expire=2427/0B replaywin=2048
           seqno=29 esn=0 replaywin_lastseq=00000028 itn=0
      life: type=01 bytes=0/0 timeout=3299/3600
      dec: spi=c13f791d esp=aes key=32 759898cbb7fafe448116b1fb0fb6d2f0eb99621ea6ed8dd4417ffdb901eb82be
           ah=sha1 key=20 533ec5dc8a1910221e7742b12f9de1b41205622c
      enc: spi=67934bfe esp=aes key=32 9b5710bfb4ba784722241ec371ba8066629febcd75da6f8471915bdeb874ca80
           ah=sha1 key=20 5099fed7edac2b960294094f1a8188ab42f34d7b
      dec:pkts/bytes=40/2087, enc:pkts/bytes=40/4976
    
     
    
    Routing table for VRF=0
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    S*      0.0.0.0/0 [5/0] via 172.30.1.1, port1
    B       10.1.0.0/16 [20/0] via 10.1.0.6, toazure2, 00:15:01
    C       10.1.0.6/32 is directly connected, toazure2
    C       10.1.0.7/32 is directly connected, toazure1
    B       10.2.0.0/16 [20/0] via 10.1.0.6, toazure2, 00:15:01
    C       169.254.24.25/32 is directly connected, toazure1
                             is directly connected, toazure2
    C       172.30.1.0/24 is directly connected, port1
    C       172.30.101.0/24 is directly connected, port2

IPsec VPN to an Azure with virtual WAN

IPsec VPN to an Azure with virtual WAN

This is a sample configuration of an IPsec site-to-site VPN connection between an on-premises FortiGate and an Azure virtual network (VNet). This example uses Azure virtual WAN (vWAN) to establish the VPN connection.

Note
  • Azure must use IKEv2 (set ike-version 2 on the FortiGate) for this configuration.
  • Azure uses overlapping subnet IP addresses for the IPsec tunnel interfaces, which is why the FortiGate configuration below enables allow-subnet-overlap.
To configure an IKEv2 IPsec site-to-site VPN to an Azure VPN gateway:
  1. In the Azure management portal, configure vWAN-related settings as described in Tutorial: Create a Site-to-Site connection using Azure Virtual WAN.

    If a custom BGP IP address is configured on Azure's vWAN, such as 169.254.21.6 and 169.254.21.7, you must set the FortiGate tunnel interface remote-ip to the corresponding Custom BGP IP Address value. If a custom BGP IP address is not configured, the FortiGate remote-ip values should point to the Default BGP IP Address values.

  2. Download the VPN configuration. The downloaded file contains the pre-shared key (PSK) in cleartext, so handle and store it as a secret. The following shows an example VPN configuration:

    [ {"configurationVersion":{"LastUpdatedTime":"2019-07-16T22:16:28.0409002Z","Version":"be5c5787-b903-43b1-a237-49eae1b373e4"},"vpnSiteConfiguration":{"Name":"toaws","IPAddress":"3.220.252.93","BgpSetting":{"Asn":7225,"BgpPeeringAddress":"169.254.24.25","PeerWeight":32768},"LinkName":"toaws"},"vpnSiteConnections":[{"hubConfiguration":{"AddressSpace":"10.1.0.0/16","Region":"West US","ConnectedSubnets":["10.2.0.0/16"]},"gatewayConfiguration":{"IpAddresses":{"Instance0":"52.180.90.47","Instance1":"52.180.89.94"},"BgpSetting":{"Asn":65515,"BgpPeeringAddresses":{"Instance0":"10.1.0.7","Instance1":"10.1.0.6"},"PeerWeight":0}},"connectionConfiguration":{"IsBgpEnabled":true,"PSK":"Fortinet123#","IPsecParameters":{"SADataSizeInKilobytes":102400000,"SALifeTimeInSeconds":3600}}}]} ]

  3. Configure the following on the FortiGate. Note that for set proposal and set dhgrp you can select from several proposals, but the values must match what the Azure VPN gateway is configured to accept; where both sides support it, prefer stronger options than the aes256-sha1 and DH group 2 shown here. The psksecret values shown are encrypted (ENC) values from the example device; on your own FortiGate, enter the PSK from the downloaded configuration in step 2 instead.

    config vpn ipsec phase1-interface

    edit "toazure1"

    set interface "port1"

    set ike-version 2

    set keylife 28800

    set peertype any

    set proposal aes256-sha1

    set dhgrp 2

    set remote-gw 52.180.90.47

    set psksecret ENC BJeE+CnBFbdepvvMMfXmb1QlWmB/QfxAvSuj0/Ol3KI3LgP0ac1Rc80YJRHN2Q7ocGpF96/7F0MCNRjAEk62wQHeHNi8zQKc0DGTffRIyf/ln6l3JMp+r2hVFTv41HlzfKlE5L+rOuSPj4y941rJVPjIx9aID7dAYUMUh/D1elTB/PqAXAt0JU+9gDbki4br5Zq8tQ==

    next

    edit "toazure2"

    set interface "port1"

    set ike-version 2

    set keylife 28800

    set peertype any

    set proposal aes256-sha1

    set dhgrp 2

    set remote-gw 52.180.89.94

    set psksecret ENC sNVpQEGX79oH3u57I6AjipdPALYIERj7CMDSJY7RG39g0yUmPVJVcq1+u5v3gA6URhzaD3NjqUoIfJD3yOE34mIWFo9Q6skowGnQURlQxukENC8kTpEl3YqYESCKULoRc3/sVKDZItyjWcZ/0iHsqkCyWvm/jDJuy3UPxI7uOktkDtZPho8wjnMYeKmMR5EaG28oSA==

    next

    end

    config vpn ipsec phase2-interface

    edit "toazure1"

    set phase1name "toazure1"

    set proposal aes256-sha1

    set dhgrp 2

    set keylifeseconds 3600

    next

    edit "toazure2"

    set phase1name "toazure2"

    set proposal aes256-sha1

    set dhgrp 2

    set keylifeseconds 3600

    next

    end

    config system settings

    set allow-subnet-overlap enable

    end

    config system interface

    edit "toazure1"

    set vdom "root"

    set ip 169.254.24.25 255.255.255.255

    set type tunnel

    set remote-ip 10.1.0.7 255.255.255.255

    set snmp-index 4

    set interface "port1"

    next

    edit "toazure2"

    set vdom "root"

    set ip 169.254.24.25 255.255.255.255

    set type tunnel

    set remote-ip 10.1.0.6 255.255.255.255

    set snmp-index 5

    set interface "port1"

    next

    end

    config router bgp

    set as 7225

    set router-id 169.254.24.25

    config neighbor

    edit "10.1.0.7"

    set remote-as 65515

    next

    edit "10.1.0.6"

    set remote-as 65515

    next

    end

    config network

    edit 1

    set prefix 172.30.101.0 255.255.255.0

    next

    end

    config redistribute "connected"

    set status enable

    end

    config redistribute "rip"

    end

    config redistribute "ospf"

    end

    config redistribute "static"

    end

    config redistribute "isis"

    end

    config redistribute6 "connected"

    end

    config redistribute6 "rip"

    end

    config redistribute6 "ospf"

    end

    config redistribute6 "static"

    end

    config redistribute6 "isis"

    end

    end

  4. Run diagnose vpn tunnel list. If the configuration was successful, the output should resemble the following. The routing table shown after it (for example from get router info routing-table all) should list the Azure hub and connected-subnet prefixes (10.1.0.0/16 and 10.2.0.0/16) as BGP routes learned via the tunnel interfaces:
    name=toazure1 ver=2 serial=3 172.30.1.83:4500->52.180.90.47:4500
    bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
    proxyid_num=1 child_num=0 refcnt=15 ilast=16 olast=36 ad=/0
    stat: rxp=41 txp=41 rxb=5104 txb=2209
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
    natt: mode=keepalive draft=0 interval=10 remote_port=4500
    proxyid=toazure1 proto=0 sa=1 ref=2 serial=4
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=3 options=10226 type=00 soft=0 mtu=8926 expire=2463/0B replaywin=2048
           seqno=2a esn=0 replaywin_lastseq=00000029 itn=0
      life: type=01 bytes=0/0 timeout=3300/3600
      dec: spi=c13f7928 esp=aes key=32 009a86bb0d6f5fee66af7b8232c8c0f22e6ec5c61ba19c93569bd0cd115910a9
           ah=sha1 key=20 f05bfeb0060afa89d4afdfac35960a8a7a4d4856
      enc: spi=b40a6c70 esp=aes key=32 a1e361075267ba72b39924c5e6c766fd0b08e0548476de2792ee72057fe60d1d
           ah=sha1 key=20 b1d24bedb0eb8fbd26de3e7c0b0a3a799548f52f
      dec:pkts/bytes=41/2186, enc:pkts/bytes=41/5120
    ------------------------------------------------------
    name=toazure2 ver=2 serial=4 172.30.1.83:4500->52.180.89.94:4500
    bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
    proxyid_num=1 child_num=0 refcnt=16 ilast=16 olast=16 ad=/0
    stat: rxp=40 txp=40 rxb=4928 txb=2135
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
    natt: mode=keepalive draft=0 interval=10 remote_port=4500
    proxyid=toazure2 proto=0 sa=1 ref=2 serial=4
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA:  ref=3 options=10626 type=00 soft=0 mtu=8926 expire=2427/0B replaywin=2048
           seqno=29 esn=0 replaywin_lastseq=00000028 itn=0
      life: type=01 bytes=0/0 timeout=3299/3600
      dec: spi=c13f791d esp=aes key=32 759898cbb7fafe448116b1fb0fb6d2f0eb99621ea6ed8dd4417ffdb901eb82be
           ah=sha1 key=20 533ec5dc8a1910221e7742b12f9de1b41205622c
      enc: spi=67934bfe esp=aes key=32 9b5710bfb4ba784722241ec371ba8066629febcd75da6f8471915bdeb874ca80
           ah=sha1 key=20 5099fed7edac2b960294094f1a8188ab42f34d7b
      dec:pkts/bytes=40/2087, enc:pkts/bytes=40/4976
    
     
    
    Routing table for VRF=0
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default
    
    S*      0.0.0.0/0 [5/0] via 172.30.1.1, port1
    B       10.1.0.0/16 [20/0] via 10.1.0.6, toazure2, 00:15:01
    C       10.1.0.6/32 is directly connected, toazure2
    C       10.1.0.7/32 is directly connected, toazure1
    B       10.2.0.0/16 [20/0] via 10.1.0.6, toazure2, 00:15:01
    C       169.254.24.25/32 is directly connected, toazure1
                             is directly connected, toazure2
    C       172.30.1.0/24 is directly connected, port1
    C       172.30.101.0/24 is directly connected, port2