10-1 IPSEC VPN from FortiGate (on premise) to Azure

Azure Configuration

1. Create a resource group in Azure as following:
   • Resource group : FG
   • Region: West US

2. Create a virtual network as following:

• Resource group: FG
• Name: Azure-FG
• Region : West US
• Change the default subnet: 10.0.1.0/24

3. Create a virtual network gateway as following:

• Name: Azure-VPN-FG
• Region: West US
• Generation: Generation1
• Gateway subnet address range: 10.0.0.0/24
• Public IP address name: AzurePublic

Click on “Create and Review”. It takes around 25 minutes to deploy a virtual network gateway in Azure.

4. Create a local network gateway as following:

• Resource Group: FG
• Region: West US
• Name: FortiGate
• IP Address: IP_Address_of_Port1_FortiGate(On premise)
• Address Space: IP_Address_LocalNetwork

5. Go to Virtual network gateway and create a connection in Virtual network gateways> connections> Add:

Based on Micorosft document by default integrity is SHA384, SHA256, SHA1, MD5 and encryption is AES256, AES192, AES128, DES3, DES. So, we will select SHA1 and AES128 in FortiGate. After doing this step, you should receive a Public IP address in Overview tab.

FortiGate Configuration

1. First, we will configure port 2 IP address.

2. Create a static route to port1(WAN Port) as Figure 10-25.

3. Create a IPSEC Wizard as a custom

• Remote Gateway IP Address: Public_IP_Address_Azure_Virtual_Gateway
• Nat Traversal : Disable
• Pre-shared Key: The same as Azure key(123456789)
• Local Address: 192.168.10.0/24
• Remote Address: 10.0.0.0/16
• Phase 1: Encryption : AES128, Authentication: SHA-1, DH: 2, lifetime: 28800
• Phase 2: Encryption : AES128, Authentication: SHA-1, DH: 2, lifetime: 27000

4. Create a firewall policy from Port 2 to Tunnel and from Tunnel to Port2. We will create a subnet for LAN on premise and a subnet for Microsoft Azure. Like site-to-site VPN we learned previously, NAT should be disabled here.

Verify connections

if you navigate to IPSEC Tunnel, the status should be up.