Tips

Meraki MX -> Azure Virtual Fortigate IPSec VPN

I recently worked on a site-to-site VPN tunnel between a Meraki MX and a virtual Fortigate appliance in Azure. No matter what I did I could not get the tunnel up despite confirming the phase 1/2 and PSK settings multiple times. A few tricks I learned along the way that got me there:

  • If you are using an HA pair of MX firewalls you must use the Virtual IP of the cluster rather than the direct Interface IP.
  • Because Azure performs the NAT before the virtual Fortigate sees the packets, you must set the local ID in phase 1 on the Fortigate to the internal RFC 1918 "external" address of the WAN port on the virtual Fortigate (the private address Azure assigns to that NIC, not the public IP).
  • You also need to set the same value as the remote ID in the Meraki dashboard configuration.

Even when you do all of that, it will not work. The missing piece was:

The Fortigate sends the Local ID as a string rather than an IP address object. You need to run the following CLI commands and then everything should fall into place:

config vpn ipsec phase1-interface
edit <vpn-name>
set localid-type address
next
end
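Putting the pieces above together, here is an added example of what the complete FortiOS phase1-interface stanza looks like once the local ID is set to the private WAN address and sent as an address identifier, followed by the CLI checks to confirm the tunnel state. This is not configuration from the original post; the tunnel name "to-meraki", the WAN interface "port1", the private WAN address 10.0.1.4, the Meraki public address 203.0.113.10 and the proposal are constructed placeholders, and the PSK must be replaced with your own.

```fortios
# Added example (not from the post): phase 1 on the Azure Fortigate.
# 10.0.1.4 is the constructed RFC 1918 address of the WAN NIC (port1);
# Azure NATs the public IP to this address before the VM sees the packet,
# so this is the value the Meraki must see as the peer identity.
config vpn ipsec phase1-interface
    edit "to-meraki"
        set interface "port1"
        set ike-version 1
        set local-gw 10.0.1.4
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes256-sha256
        set localid "10.0.1.4"
        set localid-type address
        set psksecret <replace-with-your-psk>
    next
end

# Checks after applying the change (run from the Fortigate CLI):
# 1. Confirm the IKE SA is established and the local ID is sent as an address.
diagnose vpn ike gateway list name to-meraki
# 2. Confirm phase 2 selectors are up.
get vpn ipsec tunnel summary
```

On the Meraki side this has no CLI counterpart: in Dashboard, Security & SD-WAN > Site-to-site VPN, the non-Meraki peer's public IP stays 203.0.113.10 (the Azure public IP, constructed here) while the remote ID field is set to 10.0.1.4 to match the local ID above. If an HA pair is in use, the peer address on the Fortigate must be the MX cluster virtual IP, as the first bullet notes.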
