# IPsec VPN to Azure with virtual network gateway

[https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway)

## Prerequisites<a name="Prerequisites"></a>

- A FortiGate with an Internet-facing IP address
- A valid Microsoft Azure account

## Sample topology<a name="Sample_topology"></a>

![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/3f59425e5a3d2d480af56f8f3ffd0ed8_Topology.png)

## Sample configuration<a name="Sample_configuration"></a>

This sample configuration shows how to:

1. [Configure an Azure virtual network](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To).
2. [Specify the Azure DNS server](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To2).
3. [Configure the Azure virtual network gateway](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To3).
4. [Configure the Azure local network gateway](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To4).
5. [Configure the FortiGate tunnel](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To5).
6. [Create the Azure firewall object](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To6).
7. [Create the FortiGate firewall policies](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To7).
8. [Create the FortiGate static route](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To8).
9. [Create the Azure site-to-site VPN connection](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To9).
10. [Check the results](https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/255100/ipsec-vpn-to-azure-with-virtual-network-gateway#To10).

###### <a name="To"></a>To configure an Azure virtual network:

1. Log in to Azure and click *New*.
2. In *Search the Marketplace*, type *Virtual network*.
3. Click *Virtual network* to open the *Virtual network* pane. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/ab2c12e085d4d6464b1a2e245982e836_1a.Vnet.png)
4. At the bottom of the *Virtual network* pane, click the *Select a deployment model* dropdown list and select *Resource Manager*.
5. Click *Create*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/f642bf6f0d6b572a788a4f329a26e5fe_1b.Create%20Resource%20Manager.png)
6. On the *Create virtual network* pane, enter your virtual network settings, and click *Create*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/98261ee1b16b89602aeb79cd358f93d6_1c.Create%20Vnet.png)

###### <a name="To2"></a>To specify the Azure DNS server:

1. Open the virtual network you just created.
2. Click *DNS servers* to open the *DNS servers* pane.
3. Enter the IP address of the DNS server and click *Save*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/bbb8093059d3451bc6d85b6bee644699_2.DNS%20server.png)

###### <a name="To3"></a>To configure the Azure virtual network gateway:

1. In the portal dashboard, go to *New*.
2. Search for *Virtual Network Gateway* and click it to open the *Virtual network gateway* pane. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/45f72e6157e537f41c3f73ccc0f2fd21_3a.Vnet%20gateway%20list.png)
3. Click *Create Virtual network gateways* and enter the settings for your virtual network gateway. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/60ddbebf4cd9f08af602b4302fcd6ef9_3b.Create%20vnet%20gateway.png)
4. If needed, create a Public IP address. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/12a535332245dfbb6acd664506bc99f5_3c.Public%20IP.png)
5. Click *Create*. Creating the virtual network gateway might take some time. When the provisioning is done, you'll receive a notification.
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/7e14ed64ba01251e2568255a23c971ab_3d.Notification.png)

###### <a name="To4"></a>To configure the Azure local network gateway:

1. In the portal dashboard, click *All resources*.
2. Click *Add* and then click *See all*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/418c03ef25c9d9f317305c3550634d12_4a.Add.png)
3. In the *Everything* pane, search for *Local network gateway* and then click *Create local network gateway*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/5bc5f1095e7810b596123ea22d6ccf02_4b.Create%20local%20gateway.png)
4. For the *IP address*, enter the local network gateway IP address, that is, the FortiGate's external IP address. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/3486b6776dd2c6390b019dc31a5b0abf_4c.IP%20address.png)
5. Set the remaining values for your local network gateway and click *Create*.

###### <a name="To5"></a>To configure the FortiGate tunnel:

1. In the FortiGate, go to *VPN > IPsec Wizard*.
2. Enter a *Name* for the tunnel, click *Custom*, and then click *Next*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/99992c6281260a48ba05829c5a8efa4b_5a.IPsec%20Wizard-1.png)
3. Configure the *Network* settings. 
    - For *Remote Gateway*, select *Static IP Address* and enter the IP address provided by Azure.
    - For *Interface*, select *wan1*.
    - For *NAT Traversal*, select *Disable*.
    - For *Dead Peer Detection*, select *On Idle*.
    - In the Authentication section, select
4. Configure the *Authentication* settings. 
    - For *Method*, select *Pre-shared Key* and enter the *Pre-shared Key*.
    - For *IKE*, select *2*.
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/6d6ac0180a21ac235324fd5ba7c4e7a7_5b.Network%20settings.png)
5. Configure the *Phase 1 Proposal* settings. 
    - Set the Encryption and Authentication combination to the three supported encryption algorithm combinations accepted by Azure. 
        - AES256 and SHA1
        - 3DES and SHA1
        - AES256 and SHA256
    - For *Diffie-Hellman Groups*, select *2*.
    - Set *Key Lifetime (seconds)* to *28800*.
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/695e47f565d92c8195cefe6af5a2c5aa_5c.Phase1%20settings.png)
6. In *Phase 2 Selectors*, expand the *Advanced* section to configure the *Phase 2 Proposal* settings. 
    - Set the Encryption and Authentication combinations. 
        - AES256 and SHA1
        - 3DES and SHA1
        - AES256 and SHA256
    - Uncheck *Enable Perfect Forward Secrecy (PFS)*.
    - Set *Key Lifetime (seconds)* to *27000*.
    
    ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/bd6aea44fcd49638975c3bb08b0e65b0_5d.Phase2%20settings.png)
7. Click *OK*.

###### <a name="To6"></a>To create the Azure firewall object:

1. In the FortiGate, go to *Policy & Objects > Addresses*.
2. Create a firewall object for the Azure VPN tunnel.

###### <a name="To7"></a>To create the FortiGate firewall policies:

1. In the FortiGate, go to *Policy & Objects > IPv4 Policy*.
2. Create a policy for the site-to-site connection that allows outgoing traffic. 
    - Set the *Source* address and *Destination* address using the firewall objects you just created.
    - Disable *NAT*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/d1b858401fdf8d32c33bc21dfc2cf43f_7a.IPv4%20policy-1.png)
3. Create another policy that allows incoming traffic. 
    - For this policy, reverse the *Source* address and *Destination* address. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/d876f1aa7d99222fbabc59a147835cce_7b.IPv4%20policy-2.png)
4. We recommend limiting the TCP maximum segment size (MSS) being sent and received so as to avoid packet drops and fragmentation. To do this, use the following CLI commands on both policies.
    
    ```
    config firewall policy
       edit <policy-id>
          set tcp-mss-sender 1350
          set tcp-mss-receiver 1350
       next
    end
    ```
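The phase 1, phase 2 and policy settings above are easy to get slightly wrong, and a single mismatched proposal, PFS left on, or NAT left enabled on the tunnel policy will leave the tunnel negotiating but not passing traffic. The following script is an added example, not code from the Fortinet cookbook page: it parses a FortiOS-style `config`/`edit`/`set`/`next`/`end` text (the same shape as the tcp-mss snippet above) and reports where the phase 1, phase 2 and firewall policy entries deviate from the values this guide asks for. The sample config embedded in it is constructed here, with three deliberate deviations; the tunnel name `Azure`, interface names, address object names, the peer address `203.0.113.10` and the PSK placeholder are made-up values.

```python
import shlex

# Values taken from the GUI steps in this guide (FortiGate side of the Azure tunnel).
AZURE_PROPOSALS = {"aes256-sha1", "3des-sha1", "aes256-sha256"}
PHASE1_EXPECTED = {"ike-version": "2", "dhgrp": "2", "keylife": "28800",
                   "nattraversal": "disable", "dpd": "on-idle"}
PHASE2_EXPECTED = {"pfs": "disable", "keylifeseconds": "27000"}
TCP_MSS = "1350"  # MSS clamp the guide applies to both tunnel policies

# Constructed sample (not a real export). Deliberate deviations: an extra
# phase 1 proposal, PFS left enabled, NAT on in policy 10, no MSS in policy 11.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "Azure"
        set interface "wan1"
        set ike-version 2
        set keylife 28800
        set proposal aes256-sha1 3des-sha1 aes256-sha256 aes128-sha1
        set dhgrp 2
        set nattraversal disable
        set dpd on-idle
        set remote-gw 203.0.113.10
        set psksecret ENC PSK_PLACEHOLDER
    next
end
config vpn ipsec phase2-interface
    edit "Azure"
        set phase1name "Azure"
        set proposal aes256-sha1 3des-sha1 aes256-sha256
        set pfs enable
        set keylifeseconds 27000
    next
end
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "Azure"
        set srcaddr "LAN"
        set dstaddr "Azure-VNet"
        set action accept
        set nat enable
        set tcp-mss-sender 1350
        set tcp-mss-receiver 1350
    next
    edit 11
        set srcintf "Azure"
        set dstintf "internal"
        set srcaddr "Azure-VNet"
        set dstaddr "LAN"
        set action accept
        set nat disable
    next
end
"""


def parse_fortios(text):
    """Turn config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}."""
    tree = {}
    stack = [tree]  # innermost block currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd in ("config", "edit"):      # open a nested block
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":                 # keep values as a token list
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):       # close the innermost block
            stack.pop()
    return tree


def check_tunnel(tree, name):
    """Compare the phase 1/2 entries called `name` against the guide's parameters."""
    findings = []
    for phase, expected in (("phase1", PHASE1_EXPECTED), ("phase2", PHASE2_EXPECTED)):
        entry = tree.get(f"vpn ipsec {phase}-interface", {}).get(name)
        if entry is None:
            findings.append(f"{phase}: no entry named {name!r}")
            continue
        bad = sorted(set(entry.get("proposal", [])) - AZURE_PROPOSALS)
        if bad:
            findings.append(f"{phase}: proposals not accepted by Azure: {bad}")
        for key, want in expected.items():
            got = " ".join(entry.get(key, [])) or "unset"
            if got != want:
                findings.append(f"{phase}: {key} is {got}, expected {want}")
    return findings


def check_policies(tree, tunnel_if):
    """Every policy on the tunnel interface needs NAT off and the MSS clamp set."""
    findings = []
    for pid, pol in tree.get("firewall policy", {}).items():
        if tunnel_if not in pol.get("srcintf", []) + pol.get("dstintf", []):
            continue
        if pol.get("nat", ["disable"]) != ["disable"]:  # unset means NAT off
            findings.append(f"policy {pid}: NAT enabled on tunnel traffic")
        for key in ("tcp-mss-sender", "tcp-mss-receiver"):
            if pol.get(key) != [TCP_MSS]:
                findings.append(f"policy {pid}: {key} not set to {TCP_MSS}")
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for finding in check_tunnel(cfg, "Azure") + check_policies(cfg, "Azure"):
        print(finding)
```

Run against a `show vpn ipsec phase1-interface` / `show firewall policy` export instead of the sample and the script lists each setting that differs from the guide, which is a quicker way to spot why a tunnel stays down than reading the GUI pages side by side. Of the three proposals Azure accepts, AES256 with SHA256 is the only one that avoids 3DES and SHA1, so it is the sensible first choice when you only need one.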

###### <a name="To8"></a>To create the FortiGate static route:

1. In the FortiGate, go to *Network > Static Routes*.
2. Create an IPv4 static route that sends traffic destined for Azure through the route-based tunnel.
3. Set the *Administrative Distance* to a value lower than the existing default route value. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/afa5990708dda19653d22cbdbcfc104c_8.Static%20route.png)

###### <a name="To9"></a>To create the Azure site-to-site VPN connection:

1. In the Azure portal, locate and select your virtual network gateway.
2. In the *Settings* pane, click *Connections* and then click *Add*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/1c708f5242d7c2f2a3ba253ef7a05446_9.Settings.png)
3. Enter the settings for your connection. Ensure the *Shared Key (PSK)* matches the *Pre-shared Key* for the FortiGate tunnel.

###### <a name="To10"></a>To check the results:

1. In the FortiGate, go to *Monitor > IPsec Monitor*. 
    - Check that the tunnel is up. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/6278467ff1642e45ce8ab18cb4879f5b_10.Result1.png)
    - If the tunnel is down, right-click the tunnel and select *Bring Up*. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/737bdad38477f87657ef984fce4e6b64_10.Result2.png)
2. In the FortiGate, go to *Log & Report > Events*. 
    - Select an event to view more information and verify the connection.
3. In the Azure portal dashboard, click *All resources* and locate your virtual network gateway. 
    1. In your virtual network gateway pane, click *Connections* to see the status of each connection. ![](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/resources/30be976a-bbb3-11ee-8673-fa163e15d75b/images/1c708f5242d7c2f2a3ba253ef7a05446_9.Settings.png)
    2. Click a connection to open the *Essentials* pane to view more information about that connection. 
        - If the connection is successful, the *Status* shows *Connected*.
        - See the *ingress* and *egress* bytes to confirm traffic flowing through the tunnel.