Azure VPN Tunnel Troubleshooting

Hello! I am having issues setting up the Azure VPN tunnel from my FortiGate to my Azure network. Keep in mind I am not great with networking; I have a very basic, surface-level understanding of all this.

Note: The tunnel on the FortiGate is UP and it shows as Connected in Azure under my connections, although there seems to be no traffic passing at all.

Network setup:

Internet → Fizz Router → FortiGate → Laptop I’m trying to domain join via the Gate

The Fizz router has IPsec passthrough enabled, and it also has ports 500 and 4500 configured in port forwarding. I am not sure if I need to create a static route on my Fizz router to enable the traffic.

The WAN port of the FortiGate is connected to the Fizz router and receives IP 192.168.0.13. My LAN ports on the FortiGate are configured as 10.1.3.1/255.255.255.0.

I know that the virtual gateway in Azure works because there are 2 other connections in the Azure portal showing as connected. I created a separate local network gateway with address space 10.1.3.0/24 and an FQDN that points to the public IP address of my Fizz router (not the FortiGate).

I double-checked the encryption settings on the FortiGate to match the settings on Azure, and they both look good. I also made sure I have my static route set on my FortiGate to point to the address range of the Azure network.

I'm not sure where to go from here. Do I need to create a static route on my Fizz router to point to the virtual gateway, since it is in front of my FortiGate? If so, what destination IP and gateway IP do I need to provide?

I'm sure I'm missing something somewhere, as the tunnel shows up and working, but no successful traffic.

Thank you to anyone who is able to point me in the right direction.

Your policies need to reference the IPsec interface as the source and your chosen LAN interface or interfaces as the destination. Additionally, you'll need to allow your LAN interface as a source to the IPsec tunnel interface as the destination, which it sounds like you have. Since your gate is behind the router, you most likely need to enable NAT traversal, which is in the network section of your IPsec tunnel config.

Have you created the firewall policy to allow the traffic yet? It will show connected even if there is no policy, but no traffic will flow, so it can be a bit confusing just going off the tunnel status. Also make sure you have the correct subnets under your local network gateway in Azure.

NAT traversal is generally the culprit for preventing traffic from passing on an "established" tunnel when behind a router.

And I don't know anything about Fizz routers, but you should just need a static route that forces traffic going to your Azure subnet to use the tunnel interface.
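The three pieces the replies above describe (NAT traversal on phase 1, a static route for the Azure prefix via the tunnel interface, and a policy pair between the LAN and tunnel interfaces), as an added FortiOS CLI example that is not from this thread; the interface and object names are assumptions, and the Azure gateway IP and VNet prefix are placeholders because the thread does not give them.

```fortios
# Added example (not from the thread). Assumed names: WAN "wan1", LAN "lan",
# tunnel "AzureVPN"; <AZURE_VGW_PUBLIC_IP> and <AZURE_VNET_PREFIX> are placeholders.
# Phase 1: NAT traversal is needed because the FortiGate sits behind the Fizz router.
config vpn ipsec phase1-interface
    edit "AzureVPN"
        set interface "wan1"
        set ike-version 2
        set remote-gw <AZURE_VGW_PUBLIC_IP>
        set nattraversal enable
    next
end
# Address objects for both ends of the tunnel (LAN side is the 10.1.3.0/24 from the post).
config firewall address
    edit "LAN_10.1.3.0"
        set subnet 10.1.3.0 255.255.255.0
    next
    edit "Azure_VNET"
        set subnet <AZURE_VNET_PREFIX>
    next
end
# Static route: traffic for the Azure prefix leaves via the tunnel interface, not wan1.
config router static
    edit 0
        set dst <AZURE_VNET_PREFIX>
        set device "AzureVPN"
    next
end
# Policy pair: LAN -> tunnel and tunnel -> LAN; without either one the tunnel still shows "up".
config firewall policy
    edit 0
        set name "LAN-to-Azure"
        set srcintf "lan"
        set dstintf "AzureVPN"
        set srcaddr "LAN_10.1.3.0"
        set dstaddr "Azure_VNET"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Azure-to-LAN"
        set srcintf "AzureVPN"
        set dstintf "lan"
        set srcaddr "Azure_VNET"
        set dstaddr "LAN_10.1.3.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying it, `diagnose vpn tunnel list name AzureVPN` shows whether NAT-T was negotiated and the tunnel's packet counters, and `diagnose sniffer packet AzureVPN '' 4` shows whether any packets are actually entering or leaving the tunnel interface.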

The policies have been created, although they are from the LAN interface to the AzureVPN (to and from). Should those policies be set on the WAN interface (to and from), since that is the one connected to the Fizz router?

For the static route on the router, what would my destination IP and my gateway IP be?

Sorry if I am misunderstanding.

Would I need to define the local gateway address in the IPsec settings to point to the default gateway of my home router?