How to Configure IPsec VPN between Azure and Fortigate Firewall

This post is about the configuration of IPsec VPN between Azure and Fortinet Fortigate firewall, as part 2 of the post “How to Configure Azure Hub and Spoke Topology”

How to Configure Azure Hub and Spoke Topology Part 1

Overall Topology


*On-prem Environment has a pair of Fortinet Fortigate firewalls with a public IP of

*Virtual Network Gateway (with local gateway and connection in between) are configured with IPsec VPN to provide on-prem network access

*Internet access in Azure is routed over IPsec VPN — Forced Tunnel

Azure Hub Configuration

Virtual Network Gateway Configuration
Virtual Network Gateway Connection
Local Network Gateway Configuration
Local Network Gateway Connection
Connection Azure Hub to On-Prem

Feel free to use your preferred IPsec encryption and Integrity settings

Pre-shared key
Public IP on Azure Hub

You can download the overall configuration from the “Connection-Azure-Hub-to-onprem”

FortiGate Firewall Configurations

Phase 1 Configuration

Please make sure your “Key Lifetime” under the “Phase 1 Proposal” is the same as Azure.

Phase 2 Configuration
Static Route for Azure Subnets
Security Policies

Useful links

Leave a Comment

Your email address will not be published. Required fields are marked *