Site-to-Site VPN with a peer over dynamically assigned name

Cloud_Geek_82
2024-07-23T22:41:44.3466667+00:00

Hi All,

There is an office that uses a FortiGate as its router.

There is a site-to-site VPN tunnel between Azure and that office.

The office has a 4G modem connected to the FortiGate router, and when the primary connection is down the router fails over to the modem.

Because the Site-to-Site VPN between resources in Azure and the on-prem network is vital for business apps, there should also be a VPN tunnel over the modem when the FortiGate fails over to 4G.

When the FortiGate fails over to the 4G modem it is assigned a non-routable IP address 1.XXX.XXX.XXX, and for this reason a DynDNS service is used to associate 1.XXX.XXX.XXX with a DNS name.

Below are the screenshots of the Azure-side and on-prem-side VPN configuration.

[Screenshots: vpnonprem1 to vpnonprem5 (FortiGate side), dyndns, vpnazure1 and vpnazure2 (Azure side)]

Both the Azure and FortiGate configurations for the VPN over 4G were copied from the working VPN configuration over the primary WAN connection.

If someone has experience with Azure Site-to-Site VPN over 4G, please advise whether something is wrong in my configuration (first screenshot).

Thanks in advance.

    KapilAnanth-MSFT (Microsoft Employee)
    2024-07-24T05:26:29.5233333+00:00

    @Cloud_Geek_82 ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.

    Looking at the screenshots, it appears they are related to the third party (FortiGate).

    While the community members at Q&A may have expertise in Azure products, the same cannot be said for third-party solutions.

    I would suggest you reach out to the third party's support team or community for more insights into this.

    Regarding the Azure VPN Gateway configuration:

    • I take it that the on-prem address range is "192.168.16.0/24"
    • And you are using an FQDN as the remote IP address (the modem's IP)
    • These look fine

    The only thing I find confusing is

    • "non-routable IP address 1.XXX.XXX.XXX"
    • Can you please elaborate - as this could be some term related to the third party
      • If so, you can ignore the following points
    • However, if by "non-routable" you mean this IP cannot be reached over the Internet
      • Then how will Azure be able to establish an S2S connection?
      • Note that the S2S tunnel is built over the Internet and we expect the FQDN to be resolvable and the resolved remote IP address reachable over the Internet.

    The best way to verify this would be to

    • Have a planned maintenance window and try the failover
    • Leverage the Azure VPN Gateway diagnostic logs, especially "TunnelDiagnosticLog" and "IKEDiagnosticLog", to understand whether there are any issues

    Hope this clarifies

    Cheers,

    Kapil.
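The answer's point is that the FQDN only helps if what it resolves to is an address Azure can reach over the public Internet. Before the planned failover, that can be checked in advance from any host. The script below is an added example, not code from the original post or from Microsoft: it resolves a peer name, classifies each returned address against the IANA special-purpose IPv4 blocks (RFC 1918 private space, the RFC 6598 carrier-grade NAT range that mobile carriers commonly assign, documentation and reserved blocks), and reports whether the name is usable as an Azure S2S peer. The DNS names and answers in SAMPLE_DNS are constructed so the example runs offline; 8.8.8.8 appears there only as a well-known public address standing in for a real WAN IP. Azure VPN Gateway is not contacted, and nothing here inspects the FortiGate.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# IPv4 blocks that are not reachable over the public Internet.  A peer address in
# any of these cannot terminate an Azure S2S tunnel, whatever name DynDNS maps to it.
# Labels and ranges follow the IANA IPv4 special-purpose address registry.
NON_ROUTABLE_V4 = [
    ("loopback", "127.0.0.0/8"),
    ("link-local", "169.254.0.0/16"),
    ("rfc1918 private", "10.0.0.0/8"),
    ("rfc1918 private", "172.16.0.0/12"),
    ("rfc1918 private", "192.168.0.0/16"),
    ("carrier-grade NAT (RFC 6598)", "100.64.0.0/10"),
    ("documentation (RFC 5737)", "192.0.2.0/24"),
    ("documentation (RFC 5737)", "198.51.100.0/24"),
    ("documentation (RFC 5737)", "203.0.113.0/24"),
    ("benchmarking (RFC 2544)", "198.18.0.0/15"),
    ("multicast", "224.0.0.0/4"),
    ("reserved", "0.0.0.0/8"),
    ("reserved", "240.0.0.0/4"),
]
_NON_ROUTABLE_V4 = [(label, ipaddress.ip_network(cidr)) for label, cidr in NON_ROUTABLE_V4]

Resolver = Callable[[str], List[str]]


def classify(addr: str) -> str:
    """Return 'public' for an address Azure could reach, otherwise the reason it cannot."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        # This check covers IPv4 peers only; flag a v6 answer instead of guessing.
        return "ipv6 (not checked; IPv4 peers only)"
    for label, net in _NON_ROUTABLE_V4:
        if ip in net:
            return label
    return "public"


def dns_resolve(fqdn: str) -> List[str]:
    """Live A-record lookup through the OS resolver; [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_peer(fqdn: str, resolver: Resolver = dns_resolve) -> Dict[str, object]:
    """Resolve the peer name and decide whether every answer is a public address."""
    addresses = resolver(fqdn)
    verdicts = {a: classify(a) for a in addresses}
    usable = bool(addresses) and all(v == "public" for v in verdicts.values())
    return {"fqdn": fqdn, "addresses": verdicts, "usable": usable}


def report(fqdn: str, resolver: Resolver = dns_resolve) -> str:
    """Human-readable form of check_peer for a pre-failover sanity check."""
    result = check_peer(fqdn, resolver)
    state = "usable as Azure S2S peer" if result["usable"] else "NOT usable as Azure S2S peer"
    lines = [f"{fqdn}: {state}"]
    if not result["addresses"]:
        lines.append("  name does not resolve")
    for addr, verdict in result["addresses"].items():
        lines.append(f"  {addr:<16} {verdict}")
    return "\n".join(lines)


# Constructed DynDNS answers so the example runs offline; the names and addresses are invented.
SAMPLE_DNS = {
    "office-4g.example.test": ["100.64.17.5"],                # CGNAT address, typical for a 4G uplink
    "office-wan.example.test": ["8.8.8.8"],                   # well-known public IP standing in for the primary WAN
    "office-flap.example.test": ["8.8.8.8", "192.168.16.1"],  # a stale extra record also breaks failover
}


def sample_resolver(fqdn: str) -> List[str]:
    """Offline stand-in for dns_resolve that answers from SAMPLE_DNS."""
    return list(SAMPLE_DNS.get(fqdn, []))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for name in sys.argv[1:]:  # real names, e.g. the DynDNS host configured on the Azure local network gateway
            print(report(name))
    else:
        for name in list(SAMPLE_DNS) + ["missing.example.test"]:
            print(report(name, sample_resolver))
```

Run it with the DynDNS hostname from the Azure local network gateway as the argument while the FortiGate is on 4G. If the answer lands in the carrier-grade NAT block or another non-public range, DynDNS will publish it happily but Azure has nothing it can reach, and no amount of copying the working primary-WAN configuration will bring the tunnel up; the fix is then a carrier plan with a public address or a different failover design, not a VPN setting. Because Azure resolves the name itself, also confirm that the DynDNS update actually ran after the failover rather than assuming it did.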