Chapter 10. Cloud Technologies

10.3 Site to Site VPN between FortiGate on Premise and FortiGate in Azure

Learning Objectives

  • Configure a VPN Wizard in Azure
  • Configure site-to-site VPN between FortiGate on premise and Azure
  • Identify FortiGate subnets in Azure
Figure 10.49: Main scenario
Scenario: In this lab, we are going to create a site-to-site VPN from a FortiGate on premise to a FortiGate in Azure. Knowing the configuration from section 10.2 is necessary for this lab. Port1 is set as a DHCP client, so it will receive an IP address from the cloud.
Table 10.3: Devices configuration
Device      Interface   IP address
FortiGate   Port 1      DHCP client
FortiGate   Port 2      192.168.10.1/24
WebTerm     Eth0        192.168.10.2/24
  1. On Premise FortiGate Configuration. Follow these steps:
    1. Configure the interfaces of the firewall. By default, Port2 is the internal interface, named “LAN”, and Port1 is the external interface, named “WAN”.
      Figure 10.50: Firewall interfaces
    2. Create a site-to-site VPN from the IPsec Wizard as shown in Figures 10.51 to 10.53.
      Figure 10.51: Select VPN name
      Figure 10.52: Set remote IP address
      Figure 10.53: Set Policy & Routing
    3. Create a static route to the default gateway.
      Figure 10.54: Set a default gateway
  2. Azure Configuration. Follow these steps:
    1. Create a FortiGate firewall in Azure and configure its interfaces. You need to do all the steps found in section 10.1.
    2. Create a VPN from the IPsec Wizard as shown in Figures 10.55 to 10.57.
      Figure 10.55: Select VPN name
      Figure 10.56: Set a remote IP address
      Figure 10.57: Set Policy & Routing
    3. Add a Linux or Windows Virtual Machine to the Protected subnet. You don’t need to enable a public IP address. Its private IP address should be in the range 10.0.2.0/24.
    4. Go to VPN > IPsec Tunnels and check the status of the tunnel.
      Figure 10.58: Check status of tunnel
    5. You should be able to ping from WebTerm to the Virtual Machine.
      Figure 10.59: Ping from WebTerm to Windows VM
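The wizard runs on both FortiGates produce two configurations that must mirror each other: each side's remote gateway is the other side's public address, the phase 2 selectors are swapped, and the pre-shared key and proposals are identical. A mismatch in any of these is the usual reason the tunnel in Figure 10.58 stays down. The Python script below is an added example, not part of the textbook and not Fortinet's own tooling; it emits the FortiOS CLI equivalent of the wizard for both ends from a single description, so the two sides cannot drift apart, and it refuses overlapping protected subnets. The lab values it uses are 192.168.10.0/24 behind port2 on premise and 10.0.2.0/24 in the Azure Protected subnet; the public addresses and default gateways (TEST-NET placeholders), the tunnel names, the port1/port2 naming on the Azure FortiGate, and the AES256-SHA256 with DH group 14 proposals are assumptions. The Azure FortiGate's port1 itself holds a private address with the public IP mapped by Azure, so the on-premise side dials that public IP and IKE negotiates through NAT traversal.

```python
"""Added example: emit the FortiOS CLI equivalent of the IPsec wizard for both
ends of the tunnel from one description. Not from the textbook or Fortinet."""
from dataclasses import dataclass
import ipaddress
import secrets


@dataclass(frozen=True)
class Site:
    tunnel: str       # tunnel name shown under VPN > IPsec Tunnels (assumed)
    wan_if: str       # outside interface; port1 on both FortiGates in the lab
    lan_if: str       # inside interface; port2 in the lab (assumed for Azure)
    public_ip: str    # address the peer dials; TEST-NET placeholder, not a lab value
    wan_gateway: str  # next hop for the default route; placeholder
    lan_subnet: str   # protected network behind this FortiGate (lab values)


def validate_pair(a: Site, b: Site) -> None:
    """Reject pairs that cannot form a usable tunnel (overlapping LANs, bad IPs)."""
    na, nb = ipaddress.ip_network(a.lan_subnet), ipaddress.ip_network(b.lan_subnet)
    if na.overlaps(nb):
        raise ValueError(f"protected subnets overlap: {na} and {nb}")
    for site in (a, b):
        ipaddress.ip_address(site.public_ip)  # raises ValueError on a bad address


def _policy(name, src_if, dst_if, src, dst):
    """One accept policy; 'edit 0' lets FortiOS assign the next free policy ID."""
    return [
        "    edit 0",
        f'        set name "{name}"',
        f'        set srcintf "{src_if}"',
        f'        set dstintf "{dst_if}"',
        f'        set srcaddr "{src}"',
        f'        set dstaddr "{dst}"',
        "        set action accept",
        '        set schedule "always"',
        '        set service "ALL"',
        "    next",
    ]


def fortios_config(local: Site, remote: Site, psk: str) -> str:
    """Phase 1, phase 2, address objects, routes and policies for one side."""
    lnet, rnet = ipaddress.ip_network(local.lan_subnet), ipaddress.ip_network(remote.lan_subnet)
    lsub, rsub = f"{lnet.network_address} {lnet.netmask}", f"{rnet.network_address} {rnet.netmask}"
    l_obj, r_obj, t = f"{local.tunnel}_local", f"{local.tunnel}_remote", local.tunnel
    return "\n".join([
        "config vpn ipsec phase1-interface",
        f'    edit "{t}"',
        f'        set interface "{local.wan_if}"',
        "        set ike-version 2",
        "        set peertype any",
        "        set proposal aes256-sha256",  # assumed; must match the wizard's choice
        "        set dhgrp 14",
        f"        set remote-gw {remote.public_ip}",
        f"        set psksecret {psk}",  # cleartext in this output: protect the file
        "    next",
        "end",
        "config vpn ipsec phase2-interface",
        f'    edit "{t}"',
        f'        set phase1name "{t}"',
        "        set proposal aes256-sha256",
        "        set dhgrp 14",
        f"        set src-subnet {lsub}",  # mirrored on the peer: its dst-subnet
        f"        set dst-subnet {rsub}",
        "    next",
        "end",
        "config firewall address",
        f'    edit "{l_obj}"', f"        set subnet {lsub}", "    next",
        f'    edit "{r_obj}"', f"        set subnet {rsub}", "    next",
        "end",
        "config router static",
        "    edit 0",  # default route via the WAN next hop (step 3 on premise)
        f"        set gateway {local.wan_gateway}",
        f'        set device "{local.wan_if}"',
        "    next",
        "    edit 0",  # send the peer's protected subnet into the tunnel
        f"        set dst {rsub}",
        f'        set device "{t}"',
        "    next",
        "end",
        "config firewall policy",
        *_policy(f"{t}_out", local.lan_if, t, l_obj, r_obj),
        *_policy(f"{t}_in", t, local.lan_if, r_obj, l_obj),
        "end",
    ])


# LAN subnets come from Table 10.3 and Azure step 3; the other addresses are placeholders.
ON_PREM = Site("to_azure", "port1", "port2", "198.51.100.10", "198.51.100.1", "192.168.10.0/24")
AZURE = Site("to_onprem", "port1", "port2", "203.0.113.20", "203.0.113.1", "10.0.2.0/24")


def build_both(psk: str = "") -> dict:
    """Return {'on_prem': cli, 'azure': cli} sharing one PSK (random if not given)."""
    validate_pair(ON_PREM, AZURE)
    psk = psk or secrets.token_urlsafe(32)
    return {"on_prem": fortios_config(ON_PREM, AZURE, psk),
            "azure": fortios_config(AZURE, ON_PREM, psk)}


if __name__ == "__main__":
    for side, cli in build_both().items():
        print(f"# ---- {side} ----\n{cli}\n")
```

Paste each generated block into the CLI of the matching FortiGate; afterwards `get vpn ipsec tunnel summary` on either side should report the tunnel up, matching what Figure 10.58 shows in the GUI, and the ping from WebTerm in step 5 should succeed. Because the pre-shared key is written in clear into the generated text, treat the output as a secret and discard it once applied.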

License

FortiGate Firewall Copyright © 2023 by Hamid Talebi is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book