After enabling VPN NAT (Ingress 10.31.194.177→10.0.0.4) on VpnGw2, S2S connection VNet1toSite1 stays at “Unknown”; no Phase 2 established.

Sergio Gallardo Sales 0 Reputation points
2025-04-29T14:00:20.4233333+00:00

We have an Azure site-to-site VPN connection “VNet1toSite1” between an on-prem FortiGate (public IP x.x.x.x) and an Azure VPN gateway “vng-customer-pro” (SKU VpnGw2). The goal is to publish the VM 10.0.0.4 to the customer as 10.31.194.177 using VPN NAT.

Current Azure settings
• NAT rule NAT-Ingress-VM (IngressSnat) ⇒ inside 10.0.0.4/32, external 10.31.194.177/32
• Local Network Gateway prefixes ⇒ 10.64.128.1/32, 10.64.128.2/32
• Use policy-based traffic selectors = Off and no custom selectors
• IPsec/IKE policy matches the FortiGate (IKEv2, AES-256/SHA1, DH2, lifetime 86400s)

Issue: As soon as the NAT rule is added the connection status turns “Unknown” and never reaches “Connected”. The FortiGate repeatedly initiates IKE SA but Azure does not establish Phase 2; no traffic passes and the diagnostic logs show no matching selectors.

Expected: The tunnel should come up with selectors 10.31.194.177/32 ⇆ 10.64.128.1/32, 10.64.128.2/32 so the customer can reach 10.31.194.177. We need assistance to determine why the connection stays in Unknown after enabling VPN NAT.


1 answer

  1. Shravan Addagatla 765 Reputation points Microsoft External Staff Moderator
    2025-04-29T16:13:36.8733333+00:00

    Hello Sergio Gallardo Sales

    I understand that the connection status is showing as "Unknown" and Phase 2 is not establishing after enabling VPN NAT.

    Here’s what you can check to troubleshoot the issue:

    First, ensure that the NAT rule you've configured is correct. The ingress NAT should properly translate packets between 10.31.194.177 and 10.0.0.4. Review the inbound and outbound NAT rules to confirm they allow the necessary traffic.

    Double-check that the Azure and FortiGate VPN settings are compatible, especially since you're using IKEv2, and that there are no overlapping IP ranges between the on-premises network and your Azure network, as overlaps can lead to connectivity issues.

    Ensure that the IPsec/IKE policy on the Azure VPN matches the FortiGate’s configuration. Slight mismatches can prevent the tunneling from establishing properly.

    Make sure that the external interface of the FortiGate firewall is correctly set up and directly accessible. There should not be any NAT or firewalls interfering between the Azure gateway and the FortiGate.

    Can you confirm if, without VPN NAT rules, you can directly reach the VM at 10.0.0.4 from 10.64.128.1/32 and 10.64.128.2/32, and if the connection status shows as connected?

    Additionally, you can follow the steps below to further debug this issue.

    1. Troubleshoot Azure VPN Gateway using diagnostic logs for VPN gateway-related events including configuration activity and VPN Tunnel connectivity. Look for IKE Diagnostics and please share with us to review the logs for the issue reported.
    2. Perform a packet capture on your S2S VPN to help pinpoint this issue.

    Refer to these articles:
    https://learn.microsoft.com/en-us/answers/questions/1289556/azure-to-fortigate-vpn-phase-2-traffic-selector-mi
    https://learn.microsoft.com/en-us/answers/questions/980127/vpn-gateway-drops-tunnels-when-nat-rules-feature-e


    Please let me know if you have any further questions or issues, so that we can connect offline to resolve your issue.

    If the above information was helpful to identify the cause, please click "Accept" on the answer, as original posters help the community find answers faster by identifying the correct answer.

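As an added illustration (not code from this thread, from Azure or from Fortinet), here is a small Python model of the Phase 2 selector matching that the "no matching selectors" diagnostic refers to: it derives the selector pairs the Azure side expects once the ingress NAT mapping is applied to the VNet prefix, then checks constructed FortiGate proposals against them using the IKEv2 narrowing rule. The Azure prefixes come from the question; the FortiGate proposals and the narrow-to-overlap behaviour are assumptions made for the illustration.

```python
# Added example (not from the Q&A thread): model how IKEv2 Phase 2 traffic
# selectors must line up once Azure VPN NAT is in play. Azure-side values are
# taken from the question; the FortiGate proposals are constructed.
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

Selector = Tuple[IPv4Network, IPv4Network]  # (Azure-side prefix, on-prem prefix)

def azure_expected_selectors(vnet_prefixes: List[str], nat_external: Dict[str, str],
                             lng_prefixes: List[str]) -> List[Selector]:
    """Selector pairs the Azure side expects after NAT: nat_external maps an
    internal (VNet) prefix to the external prefix the peer must address;
    prefixes without a NAT entry are used untranslated."""
    pairs = []
    for inside in vnet_prefixes:
        local = ip_network(nat_external.get(inside, inside))
        for remote in lng_prefixes:
            pairs.append((local, ip_network(remote)))
    return pairs

def narrow(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """An IKEv2 responder may narrow a proposed selector to the overlap
    (RFC 7296 section 2.9): return the more specific prefix when one contains
    the other, or None when they do not overlap at all."""
    return a if a.subnet_of(b) else b if b.subnet_of(a) else None

def check_proposals(expected: List[Selector], proposals: List[Selector]):
    """Per proposal: the narrowed selector Azure would accept, or None when no
    configured pair overlaps (the 'no matching selectors' case in the logs)."""
    results = {}
    for p_local, p_remote in proposals:
        match = None
        for e_local, e_remote in expected:
            loc, rem = narrow(p_local, e_local), narrow(p_remote, e_remote)
            if loc is not None and rem is not None:
                match = (str(loc), str(rem))
                break
        results[(str(p_local), str(p_remote))] = match
    return results

# Values from the question: VM 10.0.0.4 published to the customer as 10.31.194.177
NAT_EXTERNAL = {"10.0.0.4/32": "10.31.194.177/32"}
LNG_PREFIXES = ["10.64.128.1/32", "10.64.128.2/32"]
EXPECTED = azure_expected_selectors(["10.0.0.4/32"], NAT_EXTERNAL, LNG_PREFIXES)

# Constructed FortiGate proposals: a correct one, a supernet Azure can narrow,
# and one that still names the pre-NAT VM address (no overlap, Phase 2 fails).
PROPOSALS = [(ip_network("10.31.194.177/32"), ip_network("10.64.128.1/32")),
             (ip_network("10.31.194.177/32"), ip_network("10.64.128.0/24")),
             (ip_network("10.0.0.4/32"), ip_network("10.64.128.2/32"))]
```

A proposal that still names the pre-NAT address 10.0.0.4/32 overlaps none of the expected pairs, which is the shape of the failure described in the question. Note also that in Azure VPN Gateway NAT an ingress SNAT rule translates the on-premises (local network gateway) prefixes while an egress SNAT rule translates the VNet prefixes, so the direction chosen for NAT-Ingress-VM is worth re-checking against the goal of presenting 10.0.0.4 as 10.31.194.177.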
