How to Configure IPsec VPN between Azure and Fortigate Firewall

This post is about the configuration of IPsec VPN between Azure and Fortinet Fortigate firewall, as part 2 of the post “How to Configure Azure Hub and Spoke Topology”

Overall Topology

Environment

*On-prem Environment has a pair of Fortinet Fortigate firewalls with a public IP of 4.4.4.4

*Virtual Network Gateway (with local gateway and connection in between) are configured with IPsec VPN to provide on-prem network access

*Internet access in Azure is routed over IPsec VPN — Forced Tunnel

Azure Hub Configuration

Virtual Network Gateway Configuration
Virtual Network Gateway Connection
Local Network Gateway Configuration
local-network-gateway-configuration-ip-subnet
Local Network Gateway Connection
Connection Azure Hub to On-Prem

Feel free to use your preferred IPsec encryption and Integrity settings

Pre-shared key
Public IP on Azure Hub

You can download the overall configuration from the “Connection-Azure-Hub-to-onprem”

FortiGate Firewall Configurations

Phase 1 Configuration

Please make sure your “Key Lifetime” under the “Phase 1 Proposal” is the same as Azure.

Phase 2 Configuration
Static Route for Azure Subnets
Security Policies

Useful links

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell

Leave a Comment

Your email address will not be published. Required fields are marked *