FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Nivedha
Staff
Article Id 293166
Description This article discusses the issue where BGP peering is not established over the IPsec tunnel between an Azure VNet VPN gateway and an on-premise FortiGate.
Scope FortiGate.
Solution

To configure BGP peering, follow this document:

Connecting a local FortiGate to an Azure VNet VPN

The steps below must be included in that configuration for BGP peering to be established. The BGP session is sourced from the FortiGate's BGP peer address, so that address must be covered both by the Azure local network gateway's address space and by a phase 2 selector on the FortiGate; otherwise the BGP packets never match the tunnel and the session stays down.

Under 'To create a local network gateway':

  1. In the Address space field, enter the CIDR of the network behind the on-premise FortiGate that will access the Azure VNet. If using BGP, also add the FortiGate's BGP peer address as a host entry (10.1.254.1/32 in this example) under Address space(s).

Under 'To configure the on-premise FortiGate':

  1. Configure the source subnet to the one behind the on-premise FortiGate (10.0.1.0/24 in this example).
  2. Configure the destination subnet to the Azure VNet's CIDR (172.29.0.0/16 in this example).

    config vpn ipsec phase2-interface
      edit "azurephase2_1"    <-- the existing phase 2 selector; update it as shown
        set phase1name "azurephase1"
        set proposal aes256-sha1 3des-sha1 aes256-sha256 aes128-sha1
        set pfs disable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 172.29.0.0 255.255.0.0
      next
    end

    The proposal list is copied from the referenced document. 3des-sha1 and the SHA-1 entries are legacy algorithms; Azure VPN gateways accept aes256-sha256, which is already in the list, so trimming the proposal to that entry (on both phase 2 selectors) is preferable where the Azure side's IPsec policy allows it.

 

  3. If using BGP, also add a second phase 2 selector whose src-subnet is the FortiGate's BGP peer address as a host (/32) entry, so that BGP packets sourced from 10.1.254.1 match a selector:

    config vpn ipsec phase2-interface
      edit "azurephase2_2"
        set phase1name "azurephase1"
        set proposal aes256-sha1 3des-sha1 aes256-sha256 aes128-sha1
        set pfs disable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.1.254.1 255.255.255.255
        set dst-subnet 172.29.0.0 255.255.0.0
      next
    end
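The two phase 2 selectors above only carry the traffic; the BGP session itself still needs the peer address on the tunnel interface and a BGP neighbor pointing at the Azure gateway. The following FortiOS CLI is an added example that is not part of the referenced Fortinet document. It assumes a FortiGate AS of 65010, Azure's default VPN gateway AS of 65515, an Azure BGP peer IP of 172.29.255.254 (take the real value from the virtual network gateway's BGP configuration; it always sits inside the VNet CIDR, which is why the 172.29.0.0/16 dst-subnet covers it), the LAN 10.0.1.0/24 and the phase 1 name azurephase1 used throughout this article. On the Azure side, the local network gateway must also have BGP settings enabled with the FortiGate's ASN and 10.1.254.1 as its BGP peer IP, in addition to the /32 added to the address space.

```fortios
# Added example, not from the referenced document. Assumed values: FortiGate AS 65010,
# Azure VPN gateway AS 65515 (Azure default), Azure BGP peer IP 172.29.255.254,
# LAN 10.0.1.0/24, Azure VNet 172.29.0.0/16, phase 1 name "azurephase1".

# 1. Put the BGP peer address on the IPsec tunnel interface. This is the address
#    added as 10.1.254.1/32 to the Azure local network gateway and used as the
#    src-subnet of azurephase2_2. remote-ip installs a host route to the Azure
#    BGP peer through the tunnel.
config system interface
  edit "azurephase1"
    set ip 10.1.254.1 255.255.255.255
    set remote-ip 172.29.255.254 255.255.255.255
    set allowaccess ping
  next
end

# 2. eBGP neighbor. The Azure gateway peers from its own BGP IP rather than a
#    link-local address, so multihop must be enforced; update-source pins the
#    session to the tunnel address so it matches the azurephase2_2 selector.
config router bgp
  set as 65010
  set router-id 10.1.254.1
  config neighbor
    edit "172.29.255.254"
      set remote-as 65515
      set ebgp-enforce-multihop enable
      set update-source "azurephase1"
    next
  end
  config network
    edit 1
      set prefix 10.0.1.0 255.255.255.0
    next
  end
end

# 3. Verify. Both selectors must show as up; the neighbor must reach the
#    Established state and receive the Azure VNet prefixes.
diagnose vpn tunnel list name azurephase1
get router info routing-table all
get router info bgp summary
get router info bgp neighbors 172.29.255.254 routes
```

If `get router info routing-table all` does not show a route to 172.29.255.254 via azurephase1, add a static /32 route to that address with `set device "azurephase1"` under `config router static`; without it the BGP packets leave by the default route and never hit the tunnel. If the session stays in Active or Connect while the tunnel is up, check `diagnose vpn tunnel list` for a selector containing 10.1.254.1/32; its absence is exactly the failure this article describes.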
