AliCloud Administration Guide

Connecting a local FortiGate to an AliCloud VPC VPN

This recipe provides a sample configuration of a site-to-site VPN connection from a local FortiGate to an AliCloud VPC VPN over IPsec with static routing.

Instances that you launch into an AliCloud VPC can communicate with your own remote network over a site-to-site VPN between your on-premise FortiGate and the AliCloud VPC VPN. You enable access to your remote network from the VPC by creating a VPN gateway and a customer gateway for the VPC, then configuring the site-to-site VPC VPN connection between them.

The following prerequisites must be met for this configuration:

  • An AliCloud VPC with some configured subnets, routing tables, security group rules, and so on
  • An on-premise FortiGate with an external IP address

This recipe consists of the following steps:

  1. Create a VPN gateway.
  2. Create a customer gateway.
  3. Create a site-to-site VPN connection on AliCloud.
  4. Configure the on-premise FortiGate.
  5. Run diagnose commands.

To create a VPN gateway:
  1. In the AliCloud management console, go to VPN > VPN Gateways.
  2. Click Create VPN Gateway.
  3. Create a virtual private gateway and attach it to the VPC from which you want to create the site-to-site VPN connection.

To create a customer gateway:

In this example, the customer gateway is the on-premise FortiGate that the VPC VPN connects to.

  1. Go to VPN > Customer Gateways.
  2. Click Create Customer Gateway.
  3. Configure the customer gateway as shown:

To create a site-to-site VPN connection on AliCloud:
  1. Go to VPN > IPsec Connections.
  2. Click Create IPsec Connection.
  3. Create an IPsec connection between the VPN and customer gateways.
  4. Under Actions, click Download Configuration.

  5. Note the IPsec-related parameters. You will use these parameters to configure the on-premise FortiGate in the next step:

    {
      "LocalSubnet": "0.0.0.0/0",
      "RemoteSubnet": "0.0.0.0/0",
      "IpsecConfig": {
        "IpsecPfs": "group2",
        "IpsecEncAlg": "aes",
        "IpsecAuthAlg": "sha1",
        "IpsecLifetime": 86400
      },
      "Local": "x.x.x.x",
      "Remote": "47.88.4.89",
      "IkeConfig": {
        "IkeAuthAlg": "sha1",
        "LocalId": "x.x.x.x",
        "IkeEncAlg": "aes",
        "IkeVersion": "ikev1",
        "IkeMode": "main",
        "IkeLifetime": 86400,
        "RemoteId": "47.88.4.89",
        "Psk": "xxxxxxxxxxxxxxxx",
        "IkePfs": "group2"
      }
    }

To configure the on-premise FortiGate:
  1. In the FortiOS CLI, configure the on-premise FortiGate with the above IPsec-related parameters. When setting remote-gw and psksecret, use the values found for RemoteId and Psk above, respectively. The example on-premise FortiGate uses port9 as its external interface:

    config vpn ipsec phase1-interface
        edit "AliCloudVPN"
            set interface "port9"
            set keylife 86400
            set peertype any
            set net-device enable
            set proposal aes128-sha1
            set dhgrp 14 2
            set remote-gw 47.88.4.89
            set psksecret xxxxxxxxxxxxxxxx
        next
    end
    config vpn ipsec phase2-interface
        edit "AliCloudVPN"
            set phase1name "AliCloudVPN"
            set proposal aes128-sha1
            set dhgrp 14 2
            set keepalive enable
            set keylifeseconds 3600
        next
    end
    config firewall address
        edit "AliCloudVPN-local-subnet-1"
            set allow-routing enable
            set subnet 10.6.30.0 255.255.255.0
        next
    end
    config firewall address
        edit "AliCloudVPN-remote-subnet-1"
            set allow-routing enable
            set subnet 10.0.1.0 255.255.255.0
        next
    end
    config router static
        edit 2
            set device "AliCloudVPN"
            set dstaddr "AliCloudVPN-remote-subnet-1"
        next
    end
    config firewall policy
        edit 10
            set name "AliCloudVPN-local-ali"
            set srcintf "mgmt1"
            set dstintf "AliCloudVPN"
            set srcaddr "AliCloudVPN-local-subnet-1"
            set dstaddr "AliCloudVPN-remote-subnet-1"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 20
            set name "AliCloudVPN-ali-local"
            set srcintf "AliCloudVPN"
            set dstintf "mgmt1"
            set srcaddr "AliCloudVPN-remote-subnet-1"
            set dstaddr "AliCloudVPN-local-subnet-1"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

  2. If the IPsec tunnel does not appear automatically, run the diagnose vpn tunnel up AliCloudVPN command.
  3. In the FortiOS GUI, go to VPN > IPsec Tunnels. Verify that the tunnel is up. The on-premise FortiGate can now access the AliCloud VM with its private IP address. The AliCloud VM can also access the on-premise FortiGate with its private IP address.
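The mapping from the downloaded AliCloud parameters to the FortiOS phase 1/phase 2 objects above is mechanical, and the tunnel only comes up when the FortiGate's proposal and DH group lists contain what AliCloud sends. The following Python script is an added example, not Fortinet or AliCloud code: it parses a constructed copy of the recipe's JSON, renders the phase1-interface and phase2-interface objects, and checks an existing FortiGate proposal against the AliCloud side. The algorithm-name mapping (AliCloud's plain "aes" rendered as FortiOS "aes128") and the tunnel and interface names are assumptions; the rendered lifetimes are the ones in the JSON, whereas the recipe's FortiGate uses 3600 s for phase 2, which IKE tolerates because lifetimes are not negotiated.

```python
"""Render the FortiOS phase 1/phase 2 objects from the JSON that AliCloud's
"Download Configuration" action returns, and check a FortiGate's proposal
against it. Added example, not Fortinet or AliCloud code; the JSON below is a
constructed copy of the recipe's sample and the name mappings are assumptions."""
import json

# Constructed copy of the downloaded configuration shown in the recipe.
ALICLOUD_JSON = """
{ "LocalSubnet": "0.0.0.0/0", "RemoteSubnet": "0.0.0.0/0",
  "IpsecConfig": { "IpsecPfs": "group2", "IpsecEncAlg": "aes",
                   "IpsecAuthAlg": "sha1", "IpsecLifetime": 86400 },
  "Local": "x.x.x.x", "Remote": "47.88.4.89",
  "IkeConfig": { "IkeAuthAlg": "sha1", "LocalId": "x.x.x.x", "IkeEncAlg": "aes",
                 "IkeVersion": "ikev1", "IkeMode": "main", "IkeLifetime": 86400,
                 "RemoteId": "47.88.4.89", "Psk": "xxxxxxxxxxxxxxxx",
                 "IkePfs": "group2" } }
"""

# AliCloud algorithm names -> FortiOS proposal tokens (assumed mapping: AliCloud's
# plain "aes" is AES-128, which FortiOS spells "aes128").
ENC_ALG = {"aes": "aes128", "aes192": "aes192", "aes256": "aes256", "3des": "3des"}
AUTH_ALG = {"md5": "md5", "sha1": "sha1", "sha256": "sha256",
            "sha384": "sha384", "sha512": "sha512"}


def dh_group(pfs):
    """'group2' -> 2, 'group14' -> 14; anything else is rejected."""
    if not (pfs.startswith("group") and pfs[5:].isdigit()):
        raise ValueError(f"unexpected PFS group {pfs!r}")
    return int(pfs[5:])


def proposals(cfg):
    """Return the (phase1, phase2) FortiOS proposal strings AliCloud expects."""
    ike, ipsec = cfg["IkeConfig"], cfg["IpsecConfig"]
    return (f"{ENC_ALG[ike['IkeEncAlg']]}-{AUTH_ALG[ike['IkeAuthAlg']]}",
            f"{ENC_ALG[ipsec['IpsecEncAlg']]}-{AUTH_ALG[ipsec['IpsecAuthAlg']]}")


def fortios_config(cfg, tunnel="AliCloudVPN", wan_if="port9"):
    """Render phase1-interface and phase2-interface objects as FortiOS CLI text.
    The PSK is copied from the JSON, so treat the output as secret."""
    ike, ipsec = cfg["IkeConfig"], cfg["IpsecConfig"]
    p1, p2 = proposals(cfg)
    lines = ["config vpn ipsec phase1-interface",
             f'    edit "{tunnel}"',
             f'        set interface "{wan_if}"',
             f"        set ike-version {ike['IkeVersion'][4:]}"]   # "ikev1" -> 1
    if ike["IkeVersion"] == "ikev1":
        lines.append(f"        set mode {ike['IkeMode']}")          # main or aggressive
    lines += [f"        set keylife {ike['IkeLifetime']}",
              "        set peertype any",
              "        set net-device enable",
              f"        set proposal {p1}",
              f"        set dhgrp {dh_group(ike['IkePfs'])}",
              f"        set remote-gw {cfg['Remote']}",
              f"        set psksecret {ike['Psk']}",
              "    next", "end",
              "config vpn ipsec phase2-interface",
              f'    edit "{tunnel}"',
              f'        set phase1name "{tunnel}"',
              f"        set proposal {p2}",
              f"        set dhgrp {dh_group(ipsec['IpsecPfs'])}",
              "        set keepalive enable",
              f"        set keylifeseconds {ipsec['IpsecLifetime']}",
              "    next", "end"]
    return "\n".join(lines)


def check_fortigate(cfg, p1_proposal, p1_dhgrp, p2_proposal, p2_dhgrp):
    """Compare an existing FortiGate phase 1/2 configuration with the AliCloud side.
    FortiOS 'set proposal' and 'set dhgrp' accept lists; negotiation succeeds when
    the AliCloud choice is in the list. Returns mismatches (empty = consistent)."""
    want_p1, want_p2 = proposals(cfg)
    g1 = dh_group(cfg["IkeConfig"]["IkePfs"])
    g2 = dh_group(cfg["IpsecConfig"]["IpsecPfs"])
    problems = []
    if want_p1 not in p1_proposal.split():
        problems.append(f"phase1 proposal {p1_proposal!r} does not offer {want_p1}")
    if g1 not in p1_dhgrp:
        problems.append(f"phase1 dhgrp {p1_dhgrp} does not offer group {g1}")
    if want_p2 not in p2_proposal.split():
        problems.append(f"phase2 proposal {p2_proposal!r} does not offer {want_p2}")
    if g2 not in p2_dhgrp:
        problems.append(f"phase2 dhgrp {p2_dhgrp} does not offer group {g2}")
    return problems


CONFIG = json.loads(ALICLOUD_JSON)

if __name__ == "__main__":
    print(fortios_config(CONFIG))
    # The recipe's FortiGate offers aes128-sha1 with "dhgrp 14 2", which includes group 2.
    print(check_fortigate(CONFIG, "aes128-sha1", [14, 2], "aes128-sha1", [14, 2])
          or "consistent with AliCloud")
```

Run it as a script to print the rendered objects and the check result; the check passes the recipe's values because group 2 is in the FortiGate's dhgrp list, and it lists every mismatch for a FortiGate that only offers, say, aes256-sha256 with group 14.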

To run diagnose commands:
FGT600D_B # diagnose vpn ike gateway list
vd: root/0
name: AliCloudVPN
version: 1
interface: port9 10
addr: 172.16.200.212:4500 -> 47.88.4.89:4500
created: 1087s ago
nat: me peer
IKE SA: created 1/1  established 1/1  time 9110/9110/9110 ms
IPsec SA: created 1/2  established 1/1  time 30/30/30 ms

  id/spi: 0 d9d4ae9111a51b0b/de39f4ac9deffc18
  direction: initiator
  status: established 1087-1078s ago = 9110ms
  proposal: aes128-sha1
  key: 9bf9b58431949e77-a0c21ded48368db1
  lifetime/rekey: 28800/27421
  DPD sent/recv: 00000000/00000000

FGT600D_B # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=AliCloudVPN ver=1 serial=1 172.16.200.212:4500->47.88.4.89:4500 dst_mtu=1500
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1

proxyid_num=1 child_num=0 refcnt=14 ilast=1084 olast=270 ad=/0
stat: rxp=1 txp=43 rxb=16452 txb=4389
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=AliCloudVPN proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=6 options=10227 type=00 soft=0 mtu=1422 expire=2399/0B replaywin=2048
       seqno=2c esn=0 replaywin_lastseq=00000001 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=3298/3600
  dec: spi=ac5426a9 esp=aes key=16 417b83810bf1f17b30e8b0974716d37d
       ah=sha1 key=20 a3e1d5ca5d85907a35c7720e9c640d0fafbb0ee3
  enc: spi=c999e156 esp=aes key=16 837b20f727c957f700f6c89acbb9e9a9
       ah=sha1 key=20 7f4634601d6962575c00761f7270d36a683c3d65
  dec:pkts/bytes=1/16376, enc:pkts/bytes=43/7648
  npu_flag=03 npu_rgwy=47.88.4.89 npu_lgwy=172.16.200.212 npu_selid=0 dec_npuid=1 enc_npuid=1
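The diagnose output above is what an operator reads by hand to confirm that a phase 2 SA exists (sa=1), that traffic flows in both directions (dec and enc packet counters) and how long the SA has until it rekeys (life timeout). The following Python script is an added example, not Fortinet code, that parses diagnose vpn tunnel list output into those fields and turns them into findings a monitoring job could raise. Its sample input repeats the AliCloudVPN block from this page (abridged) and adds a constructed second tunnel, BranchVPN, peering with the documentation address 203.0.113.10, that has no phase 2 SA.

```python
"""Parse the output of 'diagnose vpn tunnel list' and report per-tunnel health.
Added example, not Fortinet code. SAMPLE_OUTPUT repeats (abridged) the AliCloudVPN
block from the recipe and adds a constructed tunnel, BranchVPN, with no phase 2 SA."""
import re

SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=AliCloudVPN ver=1 serial=1 172.16.200.212:4500->47.88.4.89:4500 dst_mtu=1500
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1

proxyid_num=1 child_num=0 refcnt=14 ilast=1084 olast=270 ad=/0
stat: rxp=1 txp=43 rxb=16452 txb=4389
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=AliCloudVPN proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=6 options=10227 type=00 soft=0 mtu=1422 expire=2399/0B replaywin=2048
       seqno=2c esn=0 replaywin_lastseq=00000001 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=3298/3600
  dec:pkts/bytes=1/16376, enc:pkts/bytes=43/7648
------------------------------------------------------
name=BranchVPN ver=1 serial=2 172.16.200.212:500->203.0.113.10:500 dst_mtu=1500
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1

proxyid_num=1 child_num=0 refcnt=3 ilast=42 olast=42 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=BranchVPN proto=0 sa=0 ref=1 serial=1
  src: 0:10.6.30.0-10.6.30.255:0
  dst: 0:10.0.2.0-10.0.2.255:0
"""

_HEAD = re.compile(r"^name=(\S+) ver=(\d+) serial=\d+ (\S+)->(\S+)", re.M)
_SA = re.compile(r"^proxyid=\S+ proto=\d+ sa=(\d+)", re.M)
_LIFE = re.compile(r"^\s*life: type=\S+ bytes=\S+ timeout=(\d+)/(\d+)", re.M)
_PKTS = re.compile(r"^\s*dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+", re.M)


def parse_tunnel_list(text):
    """Return {tunnel name: info} with the fields the health check needs."""
    tunnels = {}
    # Every tunnel block starts at a line beginning with "name="; split there.
    for block in re.split(r"^(?=name=)", text, flags=re.M)[1:]:
        head = _HEAD.match(block)
        if head is None:
            continue
        info = {"ike_version": int(head.group(2)), "local": head.group(3),
                "remote": head.group(4),
                # a tunnel may carry several proxyids (phase 2 selectors); sum their SAs
                "sa": sum(int(n) for n in _SA.findall(block)),
                "dec_pkts": 0, "enc_pkts": 0, "life_left": None, "life_total": None}
        life = _LIFE.search(block)
        if life:
            info["life_left"], info["life_total"] = int(life.group(1)), int(life.group(2))
        pkts = _PKTS.search(block)
        if pkts:
            info["dec_pkts"], info["enc_pkts"] = int(pkts.group(1)), int(pkts.group(2))
        tunnels[head.group(1)] = info
    return tunnels


def tunnel_health(info, min_life_fraction=0.1):
    """Findings for one parsed tunnel; an empty list means it looks healthy."""
    findings = []
    if info["sa"] == 0:
        findings.append("no IPsec SA: phase 2 is not established; bring the tunnel up and "
                        "compare the phase 1/2 proposals and selectors on both sides")
        return findings
    if info["enc_pkts"] > 0 and info["dec_pkts"] == 0:
        findings.append("packets are encrypted but none decrypted: the remote side has no "
                        "route or policy back to the local subnet")
    if info["life_left"] is not None and info["life_left"] < min_life_fraction * info["life_total"]:
        findings.append(f"SA expires in {info['life_left']}s; a rekey should follow")
    return findings


def report(text):
    """Map every tunnel in the diagnose output to its list of findings."""
    return {name: tunnel_health(info) for name, info in parse_tunnel_list(text).items()}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_OUTPUT).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Feed it the captured output of diagnose vpn tunnel list (for example, collected over SSH by a monitoring job): AliCloudVPN comes back with no findings, while BranchVPN is flagged because sa=0 means no phase 2 SA exists.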