Chapter 10. Cloud Technologies

10.1 IPsec VPN from FortiGate (on Premise) to Azure

Learning Objectives

  • Configure a Virtual Network Gateway in Azure
  • Configure a local network gateway
  • Create an IPsec VPN between the on-premise firewall and Azure
Scenario: We are going to connect an on-premise FortiGate to an Azure virtual network gateway over an IPsec VPN. First we configure the Azure side, then we connect the FortiGate through port1 to the Azure virtual network gateway.
Figure 10.1: Main scenario: IPsec VPN from FortiGate (on premise) to Azure
Table 10.1: On-premise devices configuration

Device      Configuration               Access
FortiGate   Port 1: DHCP client         Port1: HTTP, HTTPS, PING
            Port 2: 192.168.10.1/24
WebTerm1    192.168.10.2/24

Azure Configuration

  1. Create a resource group in Azure as follows:
    • Resource group: FG
    • Region: West US
    Figure 10.2: Create a resource group (step 1)
    Figure 10.3: Create a resource group (step 2)
    Figure 10.4: Create a resource group (step 3)
  2. Create a virtual network as follows:
    • Resource group: FG
    • Name: Azure-FG
    • Region: West US
    • Change the default subnet: 10.0.1.0/24
    Figure 10.5: Create a virtual network (step 1)
    Figure 10.6: Create a virtual network (step 2: change the default subnet)
    Figure 10.7: Create a virtual network (step 3)
    Figure 10.8: Create a virtual network (step 4: create a tag)
    Figure 10.9: Create a virtual network (step 5: Review + Create)
  3. Create a virtual network gateway as follows:
    • Name: Azure-VPN-FG
    • Region: West US
    • Generation: Generation1
    • Gateway subnet address range: 10.0.0.0/24
    • Public IP address name: AzurePublic

    Click on “Review + Create”. Deploying a virtual network gateway in Azure takes around 25 minutes.

    Figure 10.10: Create a virtual network gateway (step 1)
    Figure 10.11: Create a virtual network gateway (step 2)
    Figure 10.12: Create a virtual network gateway (step 3: gateway subnet and public IP address)
    Figure 10.13: Create a virtual network gateway (step 4: review + create)
    Figure 10.14: Create a virtual network gateway (step 5: deployment)
    Figure 10.15: Deployment of virtual network gateway (step 6)
  4. Create a local network gateway, which represents the on-premise FortiGate to Azure, as follows:
    • Resource Group: FG
    • Region: West US
    • Name: FortiGate
    • IP Address: IP_Address_of_Port1_FortiGate (the on-premise public address)
    • Address Space: IP_Address_LocalNetwork (the on-premise LAN subnet)
    Figure 10.16: Create a local network gateway (step 1)
    Figure 10.17: Create a local network gateway (step 2: IP address, region and name)
    Figure 10.18: Create a local network gateway (step 3: review + create)
    Figure 10.19: Verify local network gateway deployment (step 4)
  5. Go to the virtual network gateway and create a connection under Virtual network gateways > Connections > Add:
    Figure 10.20: Add connections (step 1)
    Figure 10.21: Connection configuration (step 2)

    According to the Microsoft article “About cryptographic requirements and Azure VPN gateways”, the default proposals offer SHA384, SHA256, SHA1 and MD5 for integrity and AES256, AES192, AES128, DES3 and DES for encryption, so we will select SHA1 and AES128 on the FortiGate. Once this step is done, the Overview tab shows the public IP address of the gateway.

    Figure 10.22: Verify public IP address (step 3)

FortiGate Configuration

  1. First, configure the port2 IP address.
    Figure 10.23: Set an IP address for port2
    Figure 10.24: Port1 and Port2 IP addresses
  2. Create a static route to port1 (the WAN port), as shown in Figure 10.25.
    Figure 10.25: Create a static route to port1 (WAN port)
  3. Run the IPsec Wizard and choose Custom, with the following settings:
    Figure 10.26: Create a custom VPN (step 1)
    • Remote Gateway IP Address: Public_IP_Address_Azure_Virtual_Gateway
    • NAT Traversal: Disable
    • Pre-shared Key: the same as the Azure key (123456789)
    • Local Address: 192.168.10.0/24
    • Remote Address: 10.0.0.0/16
    • Phase 1: Encryption: AES128, Authentication: SHA-1, DH: 2, lifetime: 28800
    • Phase 2: Encryption: AES128, Authentication: SHA-1, DH: 2, lifetime: 27000
    Figure 10.27: Create a custom VPN (step 2)
    Figure 10.28: Create a custom VPN (step 3)
    Figure 10.29: Create a custom VPN (step 4)
  4. Create firewall policies from port2 to the tunnel and from the tunnel to port2. We first create an address object (subnet) for the on-premise LAN and one for the Microsoft Azure network. As with the site-to-site VPN configured earlier, NAT must be disabled on these policies.
    Figure 10.30: Create a subnet for local network
    Figure 10.31: Create a subnet for Azure local
    Figure 10.32: Create a policy from port2 to FG-Azure Tunnel
    Figure 10.33: Create a policy from FG-Azure Tunnel to port2
    Figure 10.34: Create a policy from FG-Azure Tunnel to port2
    Figure 10.35: Firewall Policies

Verify Connections

On the FortiGate, navigate to the IPsec tunnel; its status should be up. Figures 10.36 and 10.37 show the status on the FortiGate and in Azure respectively.

Figure 10.36: Verify status in FortiGate
Figure 10.37: Verify status in Azure
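The GUI status in Figures 10.36 and 10.37 can be cross-checked from the FortiOS CLI. The commands below are an added example, not from the book; they assume the tunnel is named FG-Azure and that 10.0.1.4 is a constructed address of a host in the Azure subnet 10.0.1.0/24.

```fortios
# Added example, not from the book. Assumes tunnel name "FG-Azure";
# 10.0.1.4 is a constructed Azure-side host address used for the ping test.

# Phase 1 (IKE) state: the gateway entry should show "established".
diagnose vpn ike gateway list name FG-Azure

# Phase 2 (IPsec SA) state and per-SA packet/byte counters.
diagnose vpn tunnel list name FG-Azure

# One-line summary of every tunnel and whether it is up.
get vpn ipsec tunnel summary

# Confirm the Azure prefix is routed into the tunnel interface, not out port1.
get router info routing-table details 10.0.1.4

# If the tunnel has not negotiated, start it manually (phase 2 name).
diagnose vpn tunnel up FG-Azure

# End-to-end check sourced from the LAN interface so it matches the policy.
execute ping-options source 192.168.10.1
execute ping 10.0.1.4

# IKE negotiation trace for a tunnel that stays down; reset when finished.
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
```

A tunnel that shows established in phase 1 but has no phase 2 SA usually means the proposal, DH group or subnets differ between the two sides; a phase 1 that never establishes with NAT traversal disabled points to an address or pre-shared-key mismatch, and the IKE debug output shows which.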

License

FortiGate Firewall Copyright © 2023 by Hamid Talebi is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.