Chapter 10. Cloud Technologies
10.1 IPsec VPN from FortiGate (on Premise) to Azure
Learning Objectives
- Configure a Virtual Network Gateway in Azure
- Configure a local network gateway
- Create an IPsec VPN between the on-premise firewall and Azure
| Device | Configuration | Access |
|---|---|---|
| FortiGate | Port 1: DHCP client; Port 2: 192.168.10.1/24 | Port 1: HTTP, HTTPS, PING |
| WebTerm1 | 192.168.10.2/24 | – |
Azure Configuration
- Create a resource group in Azure as follows:
  - Resource group: FG
  - Region: West US
- Create a virtual network as follows:
  - Resource group: FG
  - Name: Azure-FG
  - Region: West US
  - Change the default subnet to: 10.0.1.0/24
- Create a virtual network gateway as follows:
  - Name: Azure-VPN-FG
  - Region: West US
  - Generation: Generation1
  - Gateway subnet address range: 10.0.0.0/24
  - Public IP address name: AzurePublic
Click on “Create and Review”. It takes around 25 minutes to deploy a virtual network gateway in Azure.
- Create a local network gateway as follows:
  - Resource group: FG
  - Region: West US
  - Name: FortiGate
  - IP address: IP_Address_of_Port1_FortiGate (on premise)
  - Address space: IP_Address_LocalNetwork
- Go to the virtual network gateway and create a connection under Virtual network gateways > Connections > Add:
According to the Microsoft article “About cryptographic requirements and Azure VPN gateways”, the gateway by default offers SHA384, SHA256, SHA1 and MD5 for integrity and AES256, AES192, AES128, DES3 and DES for encryption. We will therefore select SHA1 and AES128 on the FortiGate. After this step, the Overview tab of the gateway shows its public IP address.
FortiGate Configuration
- First, configure the port 2 IP address (192.168.10.1/24).
- Create a static route via port1 (the WAN port), as shown in Figure 10.25.
- Run the IPsec Wizard and choose the Custom template:
  - Remote gateway IP address: Public_IP_Address_Azure_Virtual_Gateway
  - NAT traversal: Disable
  - Pre-shared key: the same shared key configured on the Azure connection (123456789)
  - Local address: 192.168.10.0/24
  - Remote address: 10.0.0.0/16
  - Phase 1: Encryption: AES128, Authentication: SHA-1, DH: 2, lifetime: 28800
  - Phase 2: Encryption: AES128, Authentication: SHA-1, DH: 2, lifetime: 27000
- Create two firewall policies, one from port 2 to the tunnel interface and one from the tunnel interface to port 2. Define one address object for the on-premise LAN subnet and one for the Microsoft Azure subnet. As in the site-to-site VPN configured previously, NAT should be disabled on both policies.
Verify Connections
Navigate to the IPsec tunnel list; the tunnel status should be Up.