Thank you for reaching out.
If I understand correctly, you have a FortiGate on-prem that connects to Azure using a site-to-site VPN. You also have an IPsec tunnel for remote access to your sites. Everything works fine, except for accessing Azure resources from home. You want to connect from home to the FortiGate via IPsec, then to Azure via the site-to-site VPN you have.
Before we proceed to the troubleshooting steps:
For the requirements above, we have seen that customers usually implement the network design in the following manner.
Here the users at home connect to Azure using a Point-to-Site VPN and are able to access both Azure and on-prem resources. This scenario is explained briefly here.
You can refer to this scenario to help with routing.
If the architecture above does not satisfy your requirements, you can follow the troubleshooting steps below in order to pin-point the issue.
- Check the routes learned by the Azure VPN gateway and see if the expected routes are present. If there is a VM present in the Azure VNet, you can also check the effective routes as shown here and see if the routes are propagated correctly.
- Configure packet capture for your Azure VPN Gateway in order to determine if packets are received by the VPN Gateway. You can also perform a packet capture on your FortiGate firewall to determine if this is an on-prem issue.
- Validate that no overlapping IP address ranges are in use.
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
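The last two troubleshooting steps (route checks and overlap checks) can be sanity-checked offline before touching the gateway. The following Python snippet is an added example, not part of the answer above and not Microsoft or Fortinet code; every address range and learned route in it is a constructed placeholder, and the learned-route tuples only imitate the shape of what a gateway reports. It flags overlapping ranges in an address plan, does a longest-prefix lookup against a learned-route list, and reports expected prefixes (such as the remote-access client pool) that the Azure side has no route for, which is the classic reason home users behind the FortiGate cannot reach the VNet.

```python
"""Offline helpers for the route and overlap checks in the troubleshooting steps.
All ranges and routes below are constructed sample values (assumptions), not
the poster's real network."""
import ipaddress
from itertools import combinations

# Constructed sample address plan. 'branch_site' was deliberately carved out of
# the on-prem LAN range to show how an overlap is reported.
ADDRESS_PLAN = {
    "onprem_lan": "10.10.0.0/16",
    "azure_vnet": "10.20.0.0/16",
    "remote_access_pool": "10.30.0.0/24",   # IPsec remote-access client pool
    "branch_site": "10.10.200.0/24",        # overlaps onprem_lan on purpose
}

# Constructed sample of routes the Azure VPN gateway has learned:
# (network, next hop, origin). Note the remote-access pool is absent.
LEARNED_ROUTES = [
    ("10.20.0.0/16", "VNet", "Default"),
    ("10.10.0.0/16", "203.0.113.10", "Network"),   # on-prem LAN via S2S tunnel
]


def find_overlaps(plan):
    """Return [(name_a, name_b), ...] for every pair of ranges that overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in plan.items()}
    overlaps = []
    for (name_a, net_a), (name_b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            overlaps.append((name_a, name_b))
    return overlaps


def match_route(routes, destination):
    """Longest-prefix match of destination against routes.
    Returns (network, next_hop) or None when no route covers it."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, next_hop, _origin in routes:
        net = ipaddress.ip_network(network, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def missing_routes(routes, expected_prefixes):
    """Expected prefixes that are not covered by any learned route.
    A remote-access client pool listed here means Azure has no return path."""
    learned = [ipaddress.ip_network(r[0], strict=False) for r in routes]
    missing = []
    for prefix in expected_prefixes:
        p = ipaddress.ip_network(prefix, strict=False)
        if not any(p.subnet_of(l) for l in learned):
            missing.append(prefix)
    return missing


if __name__ == "__main__":
    print("overlapping ranges:", find_overlaps(ADDRESS_PLAN))
    print("route for 10.10.3.4:", match_route(LEARNED_ROUTES, "10.10.3.4"))
    print("prefixes Azure cannot route back to:",
          missing_routes(LEARNED_ROUTES, [ADDRESS_PLAN["remote_access_pool"]]))
```

Feed `LEARNED_ROUTES` from whatever the gateway's learned-route output gives you, and put the remote-access client pool in `expected_prefixes`: if it shows up as missing, the on-prem side is not advertising (or the Azure local network gateway is not configured with) the pool, so return traffic from the VNet has nowhere to go.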