Azure - FortiGate S2S VPN - HUB VNET pings, but SPOKE VNET doesn't
Hi,
I have been trying to make a S2S VPN between an Azure VPN Gateway and a FortiGate work for over a month now. The tunnel works in a policy based mode, with the policies established in the FortiGate. The configuration on both sides is the following:
However, it doesn't look like the tunnel is misconfigured, as I can ping an endpoint behind the FortiGate from the HUB environment. The trouble comes when I try to ping that same endpoint from a SPOKE VNET. This SPOKE VNET is peered to the HUB, and the peering is properly configured in both VNETs (so that the resources from the SPOKE VNET use the Gateway in the HUB VNET).
As I said, the communication within Azure seems to be properly configured, but on the other side, the administrator of the FortiGate told and showed me they don't receive the ICMP packets I am sending, so I thought the problem still had to be on Azure. I decided to capture packets (using VPN Connection Packet Capture) in the tunnel used to connect to the FortiGate, and I got this:
Little schema about the IPs you'll see:
FortiGate's network -> 172.16.0.0/24
Azure HUB VNET network -> 10.230.0.0/24
Azure SPOKE VNET network -> 10.231.0.0/24
As you can see:
- First of all, the packets from the SPOKE VNET (Source: 10.231.0.16) are getting to the tunnel. I guess this means the peering, as well as the routing, are working correctly within Azure.
- Second, the packets from the HUB VNET (Source: 10.230.0.5) are getting a response, while the packets from the SPOKE VNET (Source: 10.231.0.16) are not.
- Third, I know the destination IPs in the image vary (.215-.216), but both IPs reference the same endpoint, so that's not the point. Also, I tried the different ping combinations and it doesn't work with any of them from the SPOKE.
These images suggest that the packets are sent to the FortiGate, then dropped. However, as I said, the FortiGate doesn't receive the packets. These subnets are all accepted within the policies, the configuration has been reviewed several times, and we got to this point where it just looks like the packets are getting lost on the Internet (hard to believe).
I also looked for the support on FortiGate integration, and it says the policy-based integration between Azure VPN Gateway and FortiGate has not been tested. This makes me doubt whether it is really possible to make this work. However, due to security requirements we can't afford a route-based integration.
Link with the mentioned info: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable
Looking forward to solving this as soon as possible.
Thanks in advance for any help.
Best regards,
Gorka.
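On a policy-based tunnel, an IPsec SA is only negotiated for the source/destination prefix pairs listed as phase-2 selectors, and a packet outside every selector is dropped before it ever reaches the peer's firewall policies. The following script is an added example (not part of the original post or of Azure/FortiGate tooling) that checks captured flows against a selector list; the selector list and the flows are constructed from the prefixes in the post, and the assumption that only the HUB prefix is in the selectors is illustrative, not the poster's actual configuration.

```python
import ipaddress

# Constructed phase-2 selector pairs, (azure_side_prefix, fortigate_side_prefix).
# Assumption for illustration: only the HUB VNET has been added to the selectors.
SELECTORS = [
    ("10.230.0.0/24", "172.16.0.0/24"),  # HUB VNET <-> FortiGate LAN
]

# Constructed flows modelled on the capture described in the post:
# HUB host .5 and SPOKE host .16 pinging the endpoint behind the FortiGate.
FLOWS = [
    ("10.230.0.5", "172.16.0.215"),
    ("10.231.0.16", "172.16.0.215"),
    ("10.231.0.16", "172.16.0.216"),
]


def matches_selector(src, dst, selectors):
    """Return the (local, remote) selector covering src->dst, or None if no
    phase-2 selector covers the packet (a policy-based peer drops it silently)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def unprotected_flows(flows, selectors):
    """Flows from the capture that no selector covers; these are the ones that
    appear to enter the tunnel in Azure but never show up on the FortiGate."""
    return [(s, d) for s, d in flows if matches_selector(s, d, selectors) is None]


def missing_azure_prefixes(flows, selectors, prefix_len=24):
    """Azure-side prefixes (assumed /24, like the VNETs in the post) that would
    need their own selector entry on both peers for the flows to be protected."""
    return {
        str(ipaddress.ip_network(f"{s}/{prefix_len}", strict=False))
        for s, _ in unprotected_flows(flows, selectors)
    }


if __name__ == "__main__":
    for flow in unprotected_flows(FLOWS, SELECTORS):
        print("not covered by any selector:", flow)
    print("selectors to add for:", missing_azure_prefixes(FLOWS, SELECTORS))
```

With the HUB-only selector list the SPOKE flows are reported as uncovered; adding a `("10.231.0.0/24", "172.16.0.0/24")` entry on both peers makes `unprotected_flows` return an empty list.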