The integrator we engaged was kind enough to send us a FortiGate cookbook to follow; however, the settings in the cookbook are a reference guide only. The values within the cookbook do not reflect the exact configuration settings applied at Azure's end.
Like any site to site VPN, we need to create both Phase 1 and Phase 2 options:
Phase 1 settings:
IKE Version: 1
Encryption: AES256; Authentication: SHA1
Encryption: AES256; Authentication: SHA256
DH Group: 2
Keylife: 28800
Phase 2 settings:
Encryption and Auth settings are the same as Phase 1.
Enable replay detection
Keylife: BOTH 3600 seconds and 102400000 KB
Create two security policies on the FortiGate firewall to allow traffic in both directions:
inside to Azure
Azure to inside
Create a static route on the FortiGate so that traffic to the Azure subnet traverses the VPN tunnel instead of following the default route to the Internet.
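The four steps above (Phase 1, Phase 2, the two policies and the static route) expressed as a FortiOS CLI script, added here as a worked example rather than the integrator's cookbook or the original post's configuration. The interface names ("wan1", "internal"), the tunnel name, the subnets, the peer address and the pre-shared key are placeholders that must be replaced with the values from your own environment and the Azure connection object; only the proposal, DH group, keylife and replay-detection values come from the post.

```fortios
# Phase 1: IKEv1, AES256 with SHA1 and SHA256 offered, DH group 2, 28800 s keylife.
# "wan1", the peer address and the PSK are placeholders (assumed, not from the post).
config vpn ipsec phase1-interface
    edit "Azure-VPN"
        set interface "wan1"
        set ike-version 1
        set keylife 28800
        set peertype any
        set proposal aes256-sha1 aes256-sha256
        set dhgrp 2
        set remote-gw 203.0.113.10
        set psksecret REPLACE-WITH-AZURE-SHARED-KEY
    next
end

# Phase 2: same proposals as Phase 1, replay detection on,
# keylife expires on BOTH 3600 seconds and 102400000 KB, whichever comes first.
# The subnets are placeholders (assumed): 10.1.0.0/24 on-premises, 10.2.0.0/24 in Azure.
config vpn ipsec phase2-interface
    edit "Azure-VPN-P2"
        set phase1name "Azure-VPN"
        set proposal aes256-sha1 aes256-sha256
        set replay enable
        set keylifetype both
        set keylifeseconds 3600
        set keylifekbs 102400000
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# Address objects referenced by the two policies below.
config firewall address
    edit "inside-subnet"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "Azure-subnet"
        set subnet 10.2.0.0 255.255.255.0
    next
end

# Two security policies: inside -> Azure and Azure -> inside.
# "edit 0" lets the FortiGate pick the next free policy ID.
# "ALL" is used here only to mirror the post; scope the service to what the hosts actually need.
config firewall policy
    edit 0
        set name "inside-to-Azure"
        set srcintf "internal"
        set dstintf "Azure-VPN"
        set srcaddr "inside-subnet"
        set dstaddr "Azure-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Azure-to-inside"
        set srcintf "Azure-VPN"
        set dstintf "internal"
        set srcaddr "Azure-subnet"
        set dstaddr "inside-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Static route so the Azure subnet is reached through the tunnel interface
# rather than the default route to the Internet.
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "Azure-VPN"
    next
end
```

After applying the script, `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` show whether Phase 1 and Phase 2 came up; a Phase 1 mismatch usually points at the proposal, DH group or PSK differing from what Azure has configured, which is exactly the gap between the cookbook and the real Azure settings described above.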