Set up an IPSEC VPN site-to-site between FortiGate on-prem and Microsoft Azure

This is a diagram that I have used for the lab. I have used the same topology to deploy VPN site to site between Azure and Palo Alto firewall on-prem ( Basically I removed the Palo Alto firewall and put FortiGate in the diagram.

Create a new virtual network is Azure-PA.

Change default network to PrivateSubnet is

A subnet address range is

Click Create.

Create a new subnet.

A subnetwork address range is

Go to “Virtual network gateway” to create a new virtual network gateway.

Virtual network: Azure-PA.

Subnet: Gatewaysubnet

Public IP address name: VPNIP

Click Create.

Wait around from 20 to 30 minutes to see if the Deployment will be done.

Go to “Local network gateway” and create a new local network gateway.

An IP address is a public IP address of the Palo Alto firewall.

Address space is Palo Alto’s LAN subnets.

Clock create.

Go to “Virtual network gateways”, and select the virtual network gateways that we have created in the previous step.

Go to “Connections” – Add.

Enter a shared key (PSK) for VPN site-to-site.

Take note of the IP address of Azure VPN.

On FortiGate on-prem.

Create a static default route.

Configure an IPSEC Tunnel.

Phase 1.

Phase 2.

Create a new network object for FortiGate.



Create both access rules to allow traffic from FortiGate LAN subnets to your Azure VPN private subnets. Remember “Disable NAT” on these rules.

Create a static route to allow traffic from FortiGate LAN subnets to your Azure private subnets via the IPSEC VPN site-to-site IKEv2 tunnel.

Ping from Kali machine to Windows 2016 on Azure.

The tunnel is up on FortiGate.

Ping a Kali machine on FortiGate LAN subnet from Azure.

Back to VPN2S, we can see the VPN status connection is “Connected”.