
Josh's IT-Blog

Information Technology, and other interesting things …


Create site-to-site VPN with FortiGate to Microsoft Azure

Posted on 14 September 2013 (updated 21 January 2014) by Josh Burkard
Category: Network

I know that a site-to-site VPN between a FortiGate firewall and Microsoft Azure is an unsupported configuration. But a FortiGate is what I have, and for a few tests I did not want to buy one of the expensive supported firewalls.

I tried a lot of configurations, but nothing seemed to work between Azure and my FortiGate. This week I made a fresh attempt at the problem, and after a few tests it worked.

First I noticed a new option in Windows Azure that I had never seen before: Dynamic Routing Gateway. The old option, Static Routing Gateway, did not work for me, so I tried the new one, and it did. Microsoft documents the differences between the two gateway types; the one that matters here is that a dynamic routing gateway negotiates IKEv2 and terminates a route-based tunnel, whereas a static routing gateway uses IKEv1 with policy-based (traffic-selector) tunnels. On the FortiGate this means a route-based tunnel: the IPsec interface gets a static route and firewall policies of its own, which is what the steps below set up.

Azure preparation

Virtual network creation

First we need to create a new virtual network:

[Screenshot: Azure-vNet-0]

Define the name of the virtual network and, optionally, an affinity group:

[Screenshot: Azure-vNet-1]

Tick the Configure site-to-site VPN checkbox and leave the other options unchecked:

[Screenshot: Azure-vNet-2]

Configure your local network with your on-premises address range and enter the public IP address of your firewall (the FortiGate's WAN address, which Azure will use as its IKE peer):

[Screenshot: Azure-vNet-3]

Now define the address range of your virtual network and its subnets. Do not use the first available subnet for your own workloads, because the next step reserves it for the gateway subnet:

[Screenshot: Azure-vNet-4]

Before clicking the Finish button, click add gateway subnet:

[Screenshot: Azure-vNet-5]

Now you can click the Finish button. After a few minutes the virtual network is created. You can already use it for virtual machines and other resources inside Azure, but nothing outside Azure can reach it until the gateway exists.

Create the Gateway

Open your virtual network and go to the Dashboard tab. At the bottom, click the Create Gateway button and select Dynamic Routing.

[Screenshot: Azure-create-Gateway-1]

The gateway is now being created; this takes around 15-20 minutes. During this time you will see this screen:

[Screenshot: Azure-create-Gateway-2]

When the gateway is ready you will see this screen, which shows the gateway's public IP address. You need it for the FortiGate configuration, where it becomes the remote gateway of the IPsec tunnel:

[Screenshot: Azure-VPN-not-connected]

To see the generated pre-shared key, click the Manage Key button at the bottom. This key authenticates both ends of the tunnel, so treat it like any other credential: copy it straight into the FortiGate configuration rather than leaving it in notes or e-mail.

FortiGate configuration

For this configuration I used a FortiGate 60C with firmware version v5.0,build0147 GA 1. Please note that I can't give support for firmware versions below this.

Create the IPsec VPN tunnel

Go to VPN → IPsec → Auto Key (IKE) and click Create Phase 1:

[Screenshot: 13-09-2013 21-41-31]

Fill in the form like this, using the values from the Azure gateway setup (the gateway's public IP address as the remote gateway and the pre-shared key from Manage Key):

[Screenshot: FortiGate-VPN-Phase1]

For more security you can also use AES256 for encryption. Whichever cipher you pick, the proposal has to be one the Azure gateway accepts; a mismatch shows up as a Phase 1 failure with a "no proposal chosen" error.

After creating Phase 1, create Phase 2. Select the Phase 1 configuration you just created and click the Create Phase 2 button:

[Screenshot: 14-09-2013 21-00-13]

Define Phase 2 like this:

[Screenshot: 14-09-2013 21-06-46]

The same applies here: AES256 is the stronger choice for encryption, and the Phase 2 proposal must match what the Azure gateway accepts.

Create the policies

After creating the IPsec VPN tunnel, you need a policy that allows internal traffic to Azure and a second policy for the reverse direction. Create them like this:

First create two address objects, one for the local LAN and one for the Azure virtual network:

[Screenshot: Address-definitions-1]

Then create a static route for the Azure address range that points at the VPN tunnel interface, so the FortiGate sends Azure-bound traffic into the tunnel:

[Screenshot: 15-09-2013 20-50-54]

Now you can create the two policies:

[Screenshot: VPN-Policy-1]

[Screenshot: VPN-Policy-2]
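The same configuration from the FortiOS CLI, as an added example that is not part of the original post. It reproduces the GUI steps above (Phase 1, Phase 2, address objects, static route, both policies) for FortiOS 5.0 in interface mode, the route-based tunnel type a dynamic routing gateway expects. The interface names wan1 and internal are the FortiGate 60C defaults; the addresses 203.0.113.10 (Azure gateway), 192.168.1.0/24 (local LAN) and 10.0.0.0/16 (Azure virtual network), the object names and the pre-shared key are placeholders to replace with your own values. The proposal, DH group, lifetimes and PFS setting follow the parameters Microsoft published for dynamic routing gateways at the time (AES-256/SHA-1, group 2, 28800 s and 3600 s, no PFS); check them against the current Azure device guidance before relying on them.

```fortios
# Added example: FortiOS 5.0 CLI equivalent of the GUI steps above.
# Placeholder values (replace with your own):
#   203.0.113.10    public IP of the Azure gateway (from the vNet dashboard)
#   192.168.1.0/24  on-premises LAN behind the FortiGate
#   10.0.0.0/16     Azure virtual network address range
#   wan1 / internal default WAN and LAN interface names on a FortiGate 60C

config vpn ipsec phase1-interface
    edit "Azure"
        set interface "wan1"
        # Azure's dynamic routing gateway negotiates IKEv2 (static routing = IKEv1).
        set ike-version 2
        set type static
        set remote-gw 203.0.113.10
        # Must be a proposal the Azure gateway accepts (published: AES-256/SHA-1, DH group 2).
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 28800
        set dpd enable
        # Pre-shared key shown under "Manage Key" in the Azure portal.
        set psksecret "REPLACE-WITH-AZURE-PRESHARED-KEY"
    next
end

config vpn ipsec phase2-interface
    edit "Azure-P2"
        set phase1name "Azure"
        set proposal aes256-sha1
        # The dynamic routing gateway of this era did not negotiate PFS.
        set pfs disable
        set keylifeseconds 3600
        # Selectors stay at the default 0.0.0.0/0 (route-based tunnel); the static
        # route and the firewall policies below decide what enters the tunnel.
        set auto-negotiate enable
    next
end

config firewall address
    edit "Local-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Azure-vNet"
        set subnet 10.0.0.0 255.255.0.0
    next
end

# Route Azure-bound traffic into the tunnel interface created by Phase 1.
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "Azure"
    next
end

# One policy per direction; no NAT across the tunnel.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "Azure"
        set srcaddr "Local-LAN"
        set dstaddr "Azure-vNet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "Azure"
        set dstintf "internal"
        set srcaddr "Azure-vNet"
        set dstaddr "Local-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Paste the block into the CLI or upload it as a script; once the Phase 1 section is committed, the tunnel interface "Azure" exists and can be referenced by the static route and the policies. The policies allow all services as the simplest starting point; narrow them to the protocols you actually need once the tunnel is up.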

Start up the VPN connection

Go to VPN → Monitor → IPsec Monitor and bring the connection up:

[Screenshot: VPN-connection-up]

After this you should see that the connection is up and stable:

[Screenshot: VPN-stable]
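The same bring-up and check from the FortiOS CLI, as an added example that is not part of the original post. It assumes the tunnel and Phase 2 names "Azure" and "Azure-P2", a FortiGate LAN address of 192.168.1.1, an Azure VM at 10.0.1.4 and the Azure gateway at 203.0.113.10, all placeholders; the IKE debug commands at the end are only for the case where Phase 1 never establishes.

```fortios
# Added example: bring up and verify the tunnel from the FortiOS CLI.
# Placeholders: tunnel "Azure", Phase 2 "Azure-P2", FortiGate LAN address
# 192.168.1.1, Azure VM 10.0.1.4, Azure gateway 203.0.113.10.

# Trigger the negotiation instead of waiting for traffic to do it
diagnose vpn tunnel up Azure-P2 Azure

# IKE SA (Phase 1): look for "status: established" and IKE version 2
diagnose vpn ike gateway list name Azure

# IPsec SAs (Phase 2): installed SAs, selectors and byte counters
diagnose vpn tunnel list name Azure

# The static route for the Azure range must point at the tunnel interface
get router info routing-table static

# End-to-end test sourced from the LAN address so the internal -> Azure policy matches
execute ping-options source 192.168.1.1
execute ping 10.0.1.4

# Only if Phase 1 never establishes: capture the IKE exchange with the Azure peer,
# retry the tunnel, then read which proposal Azure rejects and switch debugging off.
diagnose vpn ike log-filter dst-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable
diagnose vpn tunnel up Azure-P2 Azure
diagnose debug disable
diagnose debug reset
```

A tunnel that shows as established but passes no traffic is nearly always a routing or policy problem rather than an IKE problem: check that the static route is active in the routing table and that the ping is sourced from an address covered by the policy.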

After a few minutes, Azure should also show the connection as established:

[Screenshot: Azure-VPN-connected]


Tags: Azure FortiGate


About

My name is Josh Burkard.
I'm a DevOps Engineer working with one of Switzerland's largest telecom and full-service hosting providers. In my work I have a lot to do with Microsoft server operating systems, System Center, VMware, the Microsoft Azure cloud and other software.
On this site I will write some posts about different technology problems and their solutions.
Please also note my tweets and retweets from this area.



Copyright © 2023 Josh's IT-Blog.
