Setting up an IPSec tunnel between a FortiGate firewall and Microsoft Azure can seem daunting, but with the right steps, it’s totally achievable. In this guide, we'll walk through the entire process, ensuring you create a secure and reliable connection between your on-premises network and Azure. Let's dive in!

    Prerequisites

    Before we get started, make sure you have the following:

    • An Azure Subscription: You'll need an active Azure subscription to create and manage resources.
    • A FortiGate Firewall: Access to a FortiGate firewall with a public IP address.
    • Azure Virtual Network: A virtual network in Azure where you want to connect your FortiGate.
    • Subnets: Appropriate subnets created in your Azure VNet for the gateway and other resources.
    • Azure Virtual Network Gateway: Understand the basics of setting up a Virtual Network Gateway in Azure.
    • IPSec Parameters: Have your IPSec parameters ready, such as encryption algorithms, hash algorithms, and pre-shared keys.

    Step-by-Step Configuration

    1. Create a Virtual Network Gateway in Azure

    First, you'll need to set up a Virtual Network Gateway in Azure. This gateway will serve as the Azure end of the IPSec tunnel.

    1. Navigate to Virtual Network Gateways: In the Azure portal, search for "Virtual Network Gateways" and click on the service.
    2. Create a New Gateway: Click "+ Create" to start the gateway creation process.
    3. Basic Settings: Fill in the basic details:
      • Name: Give your gateway a descriptive name (e.g., AzureVNetGW).
      • Region: Choose the region where your VNet is located.
      • Gateway type: Select "VPN".
      • VPN type: Choose "Route-based".
      • SKU: Select an appropriate SKU based on your bandwidth requirements. For production environments, consider a higher-end SKU.
      • Virtual network: Select the VNet you want to connect to.
      • Gateway subnet address range: Azure will automatically create a subnet named GatewaySubnet. Ensure this subnet has enough IP addresses.
      • Public IP address: Create a new public IP address. Give it a name (e.g., AzureVNetGW-PublicIP).
    4. Review and Create: Review your settings and click "Create". It will take some time (typically 30-45 minutes) for Azure to provision the gateway.

    2. Create a Local Network Gateway in Azure

    Next, you’ll create a Local Network Gateway, which represents your FortiGate firewall in Azure.

    1. Navigate to Local Network Gateways: In the Azure portal, search for "Local Network Gateways" and click on the service.
    2. Create a New Gateway: Click "+ Create".
    3. Basic Settings: Fill in the details:
      • Name: Give your local network gateway a descriptive name (e.g., FortiGate-LNG).
      • Endpoint type: Choose "IP address".
      • IP address: Enter the public IP address of your FortiGate firewall.
      • Address spaces: Specify the on-premises network address ranges that you want to connect to Azure. For example, 192.168.0.0/16.
      • Region: Choose the same region as your VNet.
    4. Review and Create: Review your settings and click "Create".

    3. Create the IPSec Connection in Azure

    Now, you'll create the IPSec connection between the Virtual Network Gateway and the Local Network Gateway.

    1. Navigate to Connections: In the Azure portal, search for "Connections" and click on the service.
    2. Create a New Connection: Click "+ Create".
    3. Basic Settings: Fill in the details:
      • Name: Give your connection a descriptive name (e.g., FortiGate-to-Azure-Conn).
      • Connection type: Choose "Site-to-site (IPSec)".
      • Virtual network gateway: Select the Virtual Network Gateway you created earlier.
      • Local network gateway: Select the Local Network Gateway you created.
      • Shared key (PSK): Enter a pre-shared key. This key must match the one you configure on the FortiGate firewall. Make sure it's strong and secure!
      • IPSec/IKE policy: Choose "Custom" to specify your own IPSec parameters or select a pre-defined policy if it meets your requirements.
    4. IPSec/IKE Policy (Custom): If you choose "Custom", configure the following:
      • IKE Phase 1 parameters: Select the appropriate encryption, integrity, DH group, and SA lifetime settings. Ensure these match the settings you'll configure on the FortiGate.
      • IKE Phase 2 parameters: Select the appropriate encryption, integrity, PFS group, and SA lifetime settings. Again, these must match the FortiGate configuration.
    5. Review and Create: Review your settings and click "Create".
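    The same three Azure steps expressed as an Azure CLI script, added here as an example and not part of the original guide. The resource group, VNet, region and the FortiGate public IP are assumptions (override them through environment variables); the gateway, local network gateway and connection names follow the examples above. With no argument the script only prints the commands it would run, which is also a convenient way to review the policy values before you configure the FortiGate; pass "apply" to execute them. The GatewaySubnet is created as a /27, the smallest size Microsoft recommends.

```shell
#!/bin/sh
# Added example, not from the original guide: the Azure CLI equivalent of
# steps 1-3. Resource group, VNet, region and the FortiGate public IP are
# assumptions (override via environment variables). With no argument the
# script only prints the commands (plan); pass "apply" to execute them.
set -eu

MODE="${1:-plan}"
RG="${RG:-rg-hybrid}"                      # assumed existing resource group
LOCATION="${LOCATION:-westeurope}"         # assumed region of the VNet
VNET="${VNET:-vnet-hub}"                   # assumed existing VNet (10.0.0.0/16)
GW_SUBNET="${GW_SUBNET:-10.0.255.0/27}"    # GatewaySubnet: /27 or larger recommended
VNET_GW="AzureVNetGW"
VNET_GW_PIP="AzureVNetGW-PublicIP"
LNG="FortiGate-LNG"
CONN="FortiGate-to-Azure-Conn"
FGT_PUBLIC_IP="${FGT_PUBLIC_IP:-203.0.113.10}"        # constructed placeholder (TEST-NET-3)
ONPREM_PREFIXES="${ONPREM_PREFIXES:-192.168.0.0/16}"  # space-separated if several
PSK="${PSK:-}"   # pre-shared key comes from the environment, never from the script

# Custom IPSec/IKE policy (Azure CLI value names). The FortiGate must be
# configured with exactly these values.
IKE_ENC=AES256;   IKE_INT=SHA256;   DH_GROUP=DHGroup14
IPSEC_ENC=AES256; IPSEC_INT=SHA256; PFS_GROUP=PFS14
SA_LIFETIME=27000       # IPSec SA lifetime in seconds
SA_MAX_KB=102400000     # IPSec SA size in KB

# Print the command in plan mode, execute it in apply mode.
run() {
  if [ "$MODE" = apply ]; then "$@"; else printf '%s ' "$@"; printf '\n'; fi
}

# Step 1: GatewaySubnet, public IP and the route-based VPN gateway.
create_vnet_gateway() {
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
      --address-prefixes "$GW_SUBNET"
  run az network public-ip create -g "$RG" -n "$VNET_GW_PIP" -l "$LOCATION" \
      --sku Standard --allocation-method Static
  run az network vnet-gateway create -g "$RG" -n "$VNET_GW" -l "$LOCATION" \
      --vnet "$VNET" --public-ip-addresses "$VNET_GW_PIP" \
      --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1
}

# Step 2: the Local Network Gateway that represents the FortiGate.
create_local_network_gateway() {
  run az network local-gateway create -g "$RG" -n "$LNG" -l "$LOCATION" \
      --gateway-ip-address "$FGT_PUBLIC_IP" --local-address-prefixes $ONPREM_PREFIXES
}

# Step 3: the site-to-site connection plus its custom policy. Azure fixes the
# IKE SA lifetime at 28800 s; only the IPSec SA lifetime is configurable.
create_connection() {
  key='<PSK from environment>'          # plan mode never prints the real key
  if [ "$MODE" = apply ]; then
    [ -n "$PSK" ] || { echo "PSK is not set; export PSK=... first" >&2; return 1; }
    key="$PSK"
  fi
  run az network vpn-connection create -g "$RG" -n "$CONN" -l "$LOCATION" \
      --vnet-gateway1 "$VNET_GW" --local-gateway2 "$LNG" --shared-key "$key"
  run az network vpn-connection ipsec-policy add -g "$RG" --connection-name "$CONN" \
      --ike-encryption "$IKE_ENC" --ike-integrity "$IKE_INT" --dh-group "$DH_GROUP" \
      --ipsec-encryption "$IPSEC_ENC" --ipsec-integrity "$IPSEC_INT" \
      --pfs-group "$PFS_GROUP" --sa-lifetime "$SA_LIFETIME" --sa-max-size "$SA_MAX_KB"
}

create_vnet_gateway
create_local_network_gateway
create_connection
```

    Keeping the pre-shared key out of the script (and out of the printed plan) matters because shell history and CI logs are where keys tend to leak; export it in the shell that runs "apply" and nowhere else.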

    4. Configure the FortiGate Firewall

    Now, switch over to your FortiGate firewall and configure the IPSec tunnel on that end.

    1. Log into the FortiGate: Access your FortiGate's web interface or CLI.
    2. Create a New VPN Tunnel: Navigate to VPN > IPSec > Wizard.
    3. Tunnel Settings: Configure the tunnel settings:
      • Name: Give your tunnel a descriptive name (e.g., Azure-to-FortiGate-Tunnel).
      • Template type: Choose "Custom".
      • Interface: Select the interface connected to the internet (usually wan1).
      • Remote Gateway: Select "Static IP Address".
      • IP Address: Enter the public IP address of your Azure Virtual Network Gateway (the public IP you created together with the gateway in step 1).
      • Pre-shared Key: Enter the same pre-shared key you configured in Azure. Double-check to ensure they match!
    4. Authentication: Configure the authentication settings:
      • IKE Version: Select the IKE version you configured in Azure (usually IKEv2).
      • Encryption: Select the encryption algorithm you configured in Azure (e.g., AES256).
      • Authentication: Select the authentication algorithm you configured in Azure (e.g., SHA256).
      • DH Group: Select the Diffie-Hellman group you configured in Azure (e.g., Group 14).
    5. Phase 2 Selectors: Configure the Phase 2 selectors:
      • Protocol: Typically ESP.
      • Encryption: Select the encryption algorithm you configured in Azure (e.g., AES256).
      • Authentication: Select the authentication algorithm you configured in Azure (e.g., SHA256).
      • PFS: Select the Perfect Forward Secrecy group you configured in Azure (e.g., Group 14).
      • Local Address: Specify the local network address range behind your FortiGate (e.g., 192.168.0.0/16).
      • Remote Address: Specify the Azure VNet address range (e.g., 10.0.0.0/16).
    6. Create Static Route: Create a static route on the FortiGate so that traffic destined for the Azure VNet leaves through the IPSec tunnel. Navigate to Network > Static Routes and add a route with the Azure VNet address range as the destination and the IPSec tunnel interface as the outgoing interface (on a FortiGate the tunnel itself is the interface, so no next-hop gateway address is needed).

    5. Create Firewall Policies on FortiGate

    To allow traffic to flow through the tunnel, you need to create appropriate firewall policies on your FortiGate.

    1. Create a Policy for Outbound Traffic: Create a policy that allows traffic from your internal network to the Azure VNet. Navigate to Policy & Objects > Firewall Policy and create a new policy with the source interface as your internal network, the destination interface as the IPSec tunnel, and the destination address as the Azure VNet subnet.
    2. Create a Policy for Inbound Traffic: Create a policy that allows traffic from the Azure VNet to your internal network. Create a policy with the source interface as the IPSec tunnel, the destination interface as your internal network, and the source address as the Azure VNet subnet.
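    The FortiGate side of steps 4 and 5 as FortiOS CLI, generated by a small shell script. This is an added example, not configuration from the original guide or from Fortinet. It takes the parameters in the names the Azure custom IPSec/IKE policy uses (AES256, SHA256, DHGroup14, PFS14, a 27000 s SA lifetime) and translates them into FortiOS proposal syntax, so the values cannot drift between the two ends, which is exactly the mismatch the troubleshooting section warns about. The interface names, address ranges and Azure gateway IP are assumptions; review the output before pasting it into the FortiGate CLI.

```shell
#!/bin/sh
# Added example, not from the original guide: renders the FortiOS CLI form of
# steps 4 and 5 (phase 1, phase 2, address objects, static route, policies)
# from the Azure policy value names, so one set of values drives both ends.
# Interface names, address ranges and the Azure gateway IP are assumptions.
set -eu
TUNNEL="Azure-to-FortiGate-Tunnel"
WAN_IF="${WAN_IF:-wan1}"        # assumed internet-facing interface
LAN_IF="${LAN_IF:-internal}"    # assumed LAN interface
AZURE_GW_IP="${AZURE_GW_IP:-198.51.100.20}"   # constructed placeholder for the Azure gateway public IP
ONPREM_NET="192.168.0.0/16"
AZURE_NET="10.0.0.0/16"
PSK="${PSK:-}"                  # same key as the Azure connection, supplied via the environment
# Azure custom policy values; they must equal the Azure connection's policy.
IKE_ENC=AES256;   IKE_INT=SHA256;   DH_GROUP=DHGroup14
IPSEC_ENC=AES256; IPSEC_INT=SHA256; PFS_GROUP=PFS14
SA_LIFETIME=27000               # Azure IPSec SA lifetime -> FortiOS keylifeseconds

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# AES256 + SHA256 -> "aes256-sha256" (FortiOS proposal syntax). Azure's DES3 is
# spelled 3des on FortiOS; GCM suites need a different proposal form.
fortios_proposal() {
  enc=$(lower "$1"); integ=$(lower "$2")
  case "$enc" in
    des3) enc=3des ;;
    gcmaes*) echo "GCM suites are not handled by this generator" >&2; return 1 ;;
  esac
  printf '%s-%s\n' "$enc" "$integ"
}

# DHGroup14, DHGroup2048, PFS14 and PFS2048 all mean the 2048-bit MODP group 14.
fortios_dhgrp() {
  g=$(printf '%s' "$1" | sed 's/^DHGroup//; s/^PFS//')
  case "$g" in 2048) g=14 ;; esac
  printf '%s\n' "$g"
}

render_fortios_config() {
  p1=$(fortios_proposal "$IKE_ENC" "$IKE_INT");     dh1=$(fortios_dhgrp "$DH_GROUP")
  p2=$(fortios_proposal "$IPSEC_ENC" "$IPSEC_INT"); dh2=$(fortios_dhgrp "$PFS_GROUP")
  cat <<EOF
config vpn ipsec phase1-interface
    edit "$TUNNEL"
        set interface "$WAN_IF"
        set ike-version 2
        set keylife 28800
        set proposal $p1
        set dhgrp $dh1
        set remote-gw $AZURE_GW_IP
        set psksecret "${PSK:-REPLACE_WITH_THE_AZURE_PSK}"
    next
end
config vpn ipsec phase2-interface
    edit "$TUNNEL"
        set phase1name "$TUNNEL"
        set proposal $p2
        set dhgrp $dh2
        set keylifeseconds $SA_LIFETIME
        set src-subnet $ONPREM_NET
        set dst-subnet $AZURE_NET
    next
end
config firewall address
    edit "OnPrem-LAN"
        set subnet $ONPREM_NET
    next
    edit "Azure-VNet"
        set subnet $AZURE_NET
    next
end
config router static
    edit 0
        set dst $AZURE_NET
        set device "$TUNNEL"
    next
end
config firewall policy
    edit 0
        set name "LAN-to-Azure"
        set srcintf "$LAN_IF"
        set dstintf "$TUNNEL"
        set srcaddr "OnPrem-LAN"
        set dstaddr "Azure-VNet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Azure-to-LAN"
        set srcintf "$TUNNEL"
        set dstintf "$LAN_IF"
        set srcaddr "Azure-VNet"
        set dstaddr "OnPrem-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
EOF
}
render_fortios_config
```

    The two policies use named address objects rather than "all" in both directions, so the tunnel only carries the ranges you declared as Phase 2 selectors; narrow the service from "ALL" to what the Azure workloads actually need once the tunnel is verified.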

    6. Verify the Connection

    After completing the configuration, it's crucial to verify that the IPSec tunnel is up and running.

    1. Check Azure Portal: In the Azure portal, navigate to your Connection resource and check the connection status. It should show as "Connected".
    2. Check FortiGate: On the FortiGate, go to VPN > IPSec Monitor. You should see the tunnel listed and active. You can also use the CLI command get vpn ipsec tunnel name <tunnel_name> to get detailed status information.
    3. Test Connectivity: Ping a VM in the Azure VNet from a host on your on-premises network, and vice versa. This will confirm that traffic can flow through the tunnel.

    7. Troubleshooting Tips

    If you encounter issues, here are some troubleshooting tips:

    • Verify Pre-shared Keys: Ensure the pre-shared keys match exactly on both the Azure and FortiGate sides.
    • Check IPSec Parameters: Double-check that the encryption, authentication, and DH group settings are identical on both sides.
    • Firewall Rules: Ensure that your firewall rules on both the FortiGate and Azure Network Security Groups (NSGs) are allowing the necessary traffic.
    • Routing: Verify that your routing tables on both sides are correctly configured to route traffic through the tunnel.
    • Logs: Check the logs on both the FortiGate and Azure for any error messages.

    Advanced Configurations

    BGP (Border Gateway Protocol)

    For more dynamic and resilient routing, consider configuring BGP over the IPSec tunnel. This involves enabling BGP on both the Azure Virtual Network Gateway and the FortiGate, and configuring the appropriate BGP peers and AS numbers.
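    What "enabling BGP on both ends" looks like in practice, as an added example that is not part of the original guide. Azure's VPN gateway ASN defaults to 65515; the on-premises ASN (65010), the FortiGate peering address (its LAN IP), the LAN interface name and the Azure peer IP are assumptions, and the resource and tunnel names follow the guide's examples. Two details that are easy to miss: the Azure gateway's BGP peer IP lives inside GatewaySubnet and is only known after deployment, and the FortiGate needs a /32 host route for it through the tunnel so the BGP session itself is encrypted.

```shell
#!/bin/sh
# Added example, not from the original guide: enabling BGP over the tunnel.
# Azure's gateway ASN defaults to 65515; the on-premises ASN, peering
# addresses and LAN interface are assumptions. No argument prints the Azure
# commands (plan); "apply" runs them. The FortiOS part is always rendered.
set -eu

MODE="${1:-plan}"
RG="${RG:-rg-hybrid}"; VNET_GW="AzureVNetGW"; LNG="FortiGate-LNG"; CONN="FortiGate-to-Azure-Conn"
TUNNEL="Azure-to-FortiGate-Tunnel"; LAN_IF="${LAN_IF:-internal}"
AZURE_ASN=65515
ONPREM_ASN=65010                    # assumed private ASN for the FortiGate
ONPREM_BGP_IP="192.168.0.1"         # assumed FortiGate LAN address, used as its BGP peer address
AZURE_BGP_IP="${AZURE_BGP_IP:-10.0.255.30}"  # placeholder; read the real value with azure_bgp_peer_ip
ONPREM_NET="192.168.0.0/16"

run() { if [ "$MODE" = apply ]; then "$@"; else printf '%s ' "$@"; printf '\n'; fi; }

# Azure side: BGP and ASN on the gateway, the FortiGate's ASN and peer IP on
# the Local Network Gateway, then BGP on the connection itself.
azure_enable_bgp() {
  run az network vnet-gateway update -g "$RG" -n "$VNET_GW" --enable-bgp true --asn "$AZURE_ASN"
  run az network local-gateway update -g "$RG" -n "$LNG" \
      --asn "$ONPREM_ASN" --bgp-peering-address "$ONPREM_BGP_IP"
  run az network vpn-connection update -g "$RG" -n "$CONN" --enable-bgp true
}

# The gateway's BGP peer IP (inside GatewaySubnet) is only known after deployment.
azure_bgp_peer_ip() {
  az network vnet-gateway show -g "$RG" -n "$VNET_GW" --query bgpSettings.bgpPeeringAddress -o tsv
}

# FortiGate side. The /32 host route sends the BGP session into the tunnel, and
# both peer addresses must fall inside the Phase 2 selectors (they do with
# 192.168.0.0/16 <-> 10.0.0.0/16). The peer is not directly connected, hence
# ebgp-enforce-multihop; update-source keeps the session sourced from the LAN IP.
render_fortigate_bgp() {
  cat <<EOF
config router static
    edit 0
        set dst $AZURE_BGP_IP/32
        set device "$TUNNEL"
    next
end
config router bgp
    set as $ONPREM_ASN
    set router-id $ONPREM_BGP_IP
    config neighbor
        edit "$AZURE_BGP_IP"
            set remote-as $AZURE_ASN
            set ebgp-enforce-multihop enable
            set update-source "$LAN_IF"
        next
    end
    config network
        edit 1
            set prefix $ONPREM_NET
        next
    end
end
EOF
}

azure_enable_bgp
render_fortigate_bgp
```

    Once BGP is up, the static route to the Azure VNet from the basic setup becomes redundant for prefixes Azure advertises, but the /32 route to the peer IP must stay, since the session cannot be learned over itself.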

    Policy-Based vs. Route-Based VPNs

    • Route-Based VPNs: Use routing tables to direct traffic through the tunnel, which is generally more flexible and scalable.
    • Policy-Based VPNs: Use specific policies to define which traffic should go through the tunnel. This can be simpler to set up but less flexible for complex environments.

    Multiple Subnets

    If you have multiple subnets in your Azure VNet or on your on-premises network, make sure to include all relevant address ranges in your Local Network Gateway and Phase 2 selectors.

    Conclusion

    Setting up an IPSec tunnel between a FortiGate firewall and Azure requires careful configuration on both ends, but it’s definitely manageable. By following these steps and paying close attention to the details, you can create a secure and reliable connection between your on-premises network and Azure. Always remember to double-check your settings, especially the pre-shared keys and IPSec parameters, to avoid common pitfalls. Good luck, and happy networking!