Cannot access network inside VNET from On-Premise via S2S VPN between Azure and Fortigate

Question

Cannot access network inside VNET from On-Premise via S2S VPN between Azure and Fortigate

Mackoy Camisera 1

Please help,
I can access On-Prem from Azure but I cannot access Azure from On-Prem.

Azure
172. 16.0.0/21 - Address space
172. 16.1.0/24 - Subnet
172. 16.0.0/24 - GW Subnet

NSG in Azure
ICMP and RDP are Any Any Any Allow

VM in Azure
All firewalls are disabled

On-Prem / Fortigate
PPPoE - WAN
192. 168.1.0/24 - LAN

Thank you in advance

GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2022-10-17T15:28:46.663+00:00

Hello @Mackoy Camisera ,

Could you please share the below details for further troubleshooting of this issue?

1) What is the VPN type of your Azure VPN gateway? Is it Route based or policy based?
2) Do you have any UDR or NSGs on your VPN gateway subnet?

Regards,
Gita
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2022-10-19T09:14:24.283+00:00

Hello @Mackoy Camisera ,

Could you please provide an update on this post and share the above requested details?

Regards,
Gita

2 answers

Your answer

GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2022-10-17T15:28:46.663+00:00

Hello @Mackoy Camisera ,

Could you please share the below details for further troubleshooting of this issue?

1) What is the VPN type of your Azure VPN gateway? Is it Route based or policy based?
2) Do you have any UDR or NSGs on your VPN gateway subnet?

Regards,
Gita
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2022-10-19T09:14:24.283+00:00

Hello @Mackoy Camisera ,

Could you please provide an update on this post and share the above requested details?

Regards,
Gita

Answer 1

Jackson Martins 10,606 MVP Volunteer Moderator

Hi @Mackoy Camisera
Will start with couple of questions to get more clarity on your setup

Azure to On-premise communication are you testing pinging the Fortigate LAN? something like 192.168.1.1 or is it communicating with some internal server such as 192.168.1.10?

Are you pinging from the LAN behind the firewall, or are you trying to ping from the firewall?

As I understand it so far, if phase 1 and phase 2 communication has been established, then the networks must be correct.

If the communication works from the firewall (192.168.1.1) but not from the local network, your firewall may be missing a nat or route.

Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2022-09-29T23:03:21.56+00:00

On your network configuration on IPSEC you put all networks?

172.16.1.0/24 and 172.16.0.0/21?
Mackoy Camisera 1 Reputation point

2022-09-30T15:01:13.867+00:00
Hi @Jackson Martins

Sorry for late reply and thank you for answering my query.

Azure to On-premise communication are you testing pinging the Fortigate LAN? something like 192.168.1.1 or is it communicating with some internal server such as 192.168.1.10? Yes and all the devices on 192.168.1.0/24 network can access from Azure to On-premise communication

Are you pinging from the LAN behind the firewall, or are you trying to ping from the firewall? Both, and unfortunately it has both outcome.

As I understand it so far, if phase 1 and phase 2 communication has been established, then the networks must be correct. Yes i follow the correct info from Fortigate and Azure

If the communication works from the firewall (192.168.1.1) but not from the local network, your firewall may be missing a nat or route. What do you mean? can you elaborate more please?

On your network configuration on IPSEC you put all networks?

172.16.1.0/24 and 172.16.0.0/21?

How to setup this? Thanks
Mackoy Camisera 1 Reputation point

2022-10-06T16:19:31.21+00:00

Hi Guys,

Any help on this.? Additional details.

Ping from Firewall (Fortigate)

Tracert from LAN

IPsec Monitor details

IPv4 Policy

Thanks

Answer 2

Timmy Malmgren 1,521

Hi,

Is it correct that your S2S VPN is established and that your Azure VM on the VNET can access resources on the on-prem but resources on the on-prem cannot reach the VNET?

Or is it that the Fortigate cant connect to the Azure VPN gateway?

If you can reach the on-prem resources from your Azure VM but not the Azure VM from the on-prem, might it be an on-prem routing issue?
Have you configured routing for the Azure address spaces on-prem to go through the Local gateway (Fortigate)?

This link might provide further assistance to see if you missed anything during setup.

https://learn.microsoft.com/en-us/microsoft-365/enterprise/connect-an-on-premises-network-to-a-microsoft-azure-virtual-network?view=o365-worldwide

Kind Regards Timmy

Mackoy Camisera 1 Reputation point

2022-09-29T21:48:59.26+00:00

Hi Timmy,

Thank you for answering my query.

Is it correct that your S2S VPN is established and that your Azure VM on the VNET can access resources on the on-prem but resources on the on-prem cannot reach the VNET? YES this is correct.

Have you configured routing for the Azure address spaces on-prem to go through the Local gateway (Fortigate)?
Yes, i have configure static route and 2 policy route. The IPSEC tunnel in Fortigate shows connected also.

I don't know what I'm missing here.

Share via

Cannot access network inside VNET from On-Premise via S2S VPN between Azure and Fortigate

2 answers

Your answer