Description
How to set up an IPsec VPN tunnel between a FortiGate device and the Microsoft Azure cloud service.
Solution
1. Create firewall address objects referencing the internal and Azure networks.
config firewall address
    edit "MyAzureNetwork"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "MyPrivateLAN"
        set associated-interface "internal"
        set subnet 192.168.0.0 255.255.255.0
    next
end
NOTE: The interface facing the private segment may be named differently than "internal" on your model (e.g. port1, lan, internal1); use the actual interface name here and in the policies of step 5.
2. Create phase 1 (IPsec interface mode).
config vpn ipsec phase1-interface
    edit "ToAzure"
        set interface "wan1"
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 28800
        set remote-gw 23.100.120.46
        set psksecret ENC eXcOpXVMlNs8ikaCME1pNCdQFE1W82Dy
        set dpd enable
    next
end
NOTE: remote-gw must be the public IP address of the Azure VPN gateway as shown in the Azure configuration environment, and psksecret must match the pre-shared key configured on the Azure side.
3. Create phase 2.
config vpn ipsec phase2-interface
    edit "P2-Azure"
        set phase1name "ToAzure"
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set proposal aes128-sha1
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
NOTE: The local and remote selectors can be given either as subnets (src-subnet / dst-subnet, as shown) or by name: set src-addr-type name and dst-addr-type name, then reference the address objects from step 1 with src-name / dst-name. Choose one form; do not set both.
4. Add a static route.
config router static
    edit 21
        set device "ToAzure"
        set dst 192.168.10.0 255.255.255.0
    next
end
5. Create firewall security policies.
config firewall policy
    edit 5
        set srcintf "internal"
        set dstintf "ToAzure"
        set srcaddr "MyPrivateLAN"
        set dstaddr "MyAzureNetwork"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
    edit 6
        set srcintf "ToAzure"
        set dstintf "internal"
        set srcaddr "MyAzureNetwork"
        set dstaddr "MyPrivateLAN"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
end
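Added example (Python, not part of the article or of FortiOS): a small parser for the flat FortiOS CLI blocks used in steps 1 to 5, plus a cross-check that ties steps 2 to 5 together: every phase 2 destination has a static route over the phase 1 interface, policies exist in both directions over the tunnel, and the phase 1 DH group is reported when it is a legacy MODP group. The sample configuration is a constructed, trimmed copy of the steps above with the return policy (edit 6) left out so the check has something to report.

```python
import shlex

def parse_fortios(text):
    """Parse flat FortiOS CLI blocks into {table: {entry: {key: value}}}."""
    cfg, path = {}, []  # path: [table] inside config, [table, entry] inside edit
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] == "config":
            path.append(" ".join(tok[1:]))
            cfg.setdefault(path[-1], {})
        elif tok and tok[0] == "edit":
            path.append(tok[1])
            cfg[path[-2]].setdefault(tok[1], {})
        elif tok and tok[0] == "set":
            cfg[path[-2]][path[-1]][tok[1]] = " ".join(tok[2:])
        elif tok and tok[0] in ("next", "end"):
            path.pop()
    return cfg

def check_tunnel(cfg, p1):
    """Cross-check steps 2-5 for phase1 interface p1; return a list of findings."""
    findings = []
    dh = cfg["vpn ipsec phase1-interface"][p1].get("dhgrp")
    if dh in ("1", "2", "5"):  # 768/1024/1536-bit MODP groups
        findings.append(f"{p1}: phase1 DH group {dh} is a legacy MODP group")
    routes = [r.get("dst") for r in cfg["router static"].values() if r.get("device") == p1]
    for name, p2 in cfg["vpn ipsec phase2-interface"].items():
        if p2.get("phase1name") == p1 and p2.get("dst-subnet") not in routes:
            findings.append(f"{name}: no static route for {p2.get('dst-subnet')} via {p1}")
    pols = cfg["firewall policy"].values()
    if not any(p.get("dstintf") == p1 for p in pols):
        findings.append(f"{p1}: no outbound policy into the tunnel")
    if not any(p.get("srcintf") == p1 for p in pols):
        findings.append(f"{p1}: no inbound policy from the tunnel")
    return findings

# Constructed sample: steps 2-5 from above, cut down to the keys the checks read,
# with the return policy (edit 6) deliberately left out.
SAMPLE = "\n".join([
    'config vpn ipsec phase1-interface', 'edit "ToAzure"', 'set proposal aes256-sha1',
    'set dhgrp 2', 'set remote-gw 23.100.120.46', 'next', 'end',
    'config vpn ipsec phase2-interface', 'edit "P2-Azure"', 'set phase1name "ToAzure"',
    'set dst-subnet 192.168.10.0 255.255.255.0', 'next', 'end',
    'config router static', 'edit 21', 'set device "ToAzure"',
    'set dst 192.168.10.0 255.255.255.0', 'next', 'end',
    'config firewall policy', 'edit 5', 'set srcintf "internal"', 'set dstintf "ToAzure"',
    'set action accept', 'next', 'end',
])
if __name__ == "__main__":
    print("\n".join(check_tunnel(parse_fortios(SAMPLE), "ToAzure")))
```

Paste the output of `show full-configuration` from a real unit into SAMPLE's place to run the same checks against a live configuration.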
REFERENCE:
http://www.burkard.it/2013/09/create-site-to-site-vpn-with-fortigate-to-microsoft-azure/