Connecting a local FortiGate to an AWS VPC VPN
This recipe provides sample configuration of a site-to-site VPN connection from a local FortiGate to an AWS VPC VPN via IPsec with static routing.
Instances that you launch into an Amazon VPC can communicate with your own remote network via a site-to-site VPN between your on-premise FortiGate and AWS VPC VPN. You enable access to your remote network from the VPC by creating a virtual private gateway (VPG) and attaching it to the VPC, creating a customer gateway that represents the FortiGate, and then configuring the site-to-site VPC VPN.
The following prerequisites must be met for this configuration:
- An AWS VPC with some configured subnets, routing tables, security group rules, and so on
- An on-premise FortiGate with an external IP address
This recipe consists of the following steps:
- Create a VPG.
- Create a customer gateway.
- Create a site-to-site VPN connection on AWS.
- Configure the on-premise FortiGate.
To create a VPG:
A VPG is the VPN concentrator on the Amazon side of the site-to-site VPN connection. You can create a VPG and attach it to the VPC from which you want to create the site-to-site VPN connection.
- In the AWS management console, go to Virtual Private Gateways, then click Create Virtual Private Gateway.
- In the Name tag field, enter the desired gateway name.
- For static route configuration, the ASN is not important, as the ASN is for BGP routing. By default, the VPG is created with the default ASN, 64512. You cannot change the ASN once the VPG has been created.
- After creating the VPG, select it from the list of VPGs, and click Actions > Attach to VPC.
- On the Attach to VPC page, select the ID for the desired VPC from the VPC dropdown list.
To create a customer gateway:
In this example, the customer gateway refers to the on-premise FortiGate for the VPC VPN to connect to.
- Go to Customer Gateways, then click Create Customer Gateway.
- In the Name field, enter the desired gateway name.
- For Routing, select Static.
- In the IP Address field, enter the on-premise FortiGate's external address.
To create a site-to-site VPN connection on AWS:
AWS VPC VPN supports the following:
- Internet Key Exchange version 2 (IKEv2)
- NAT traversal
- Four-byte ASN (in addition to two-byte ASN)
- Reusable IP addresses for customer gateways
- Additional encryption options including AES 256-bit encryption, SHA-2 hashing, and additional Diffie-Hellman groups
- Configurable tunnel options
- Custom private ASN for the Amazon side of a BGP session
This example describes creating an IPsec site-to-site VPN.
- Go to VPN Connections, then click Create VPN Connection.
- In the Name tag field, enter the desired VPN connection name.
- From the Virtual Private Gateway dropdown list, select the VPG ID for the VPG created earlier.
- For Routing Options, select Static.
- In the IP Prefixes field, enter the CIDR of the networks behind your on-premise FortiGate.
- Leave the tunnel options blank. You will obtain this information from a configuration file download.
To configure the on-premise FortiGate:
- After creating the VPN, select it in the VPN list, then click Download Configuration. This document contains information needed to configure the FortiGate correctly.
- You can configure the FortiGate using this downloaded configuration file. The example FortiGate has port1 with an external IP address of 35.188.119.246 and an internal IP address of 10.6.30.2/24. Port2 has an internal IP address of 10.1.100.3/24. The downloaded configuration file resembles the following. The most important information here is the `remote-gw` value, which in this case is 3.95.86.157, and the `psksecret` value. Run the following commands in the FortiOS CLI to configure the FortiGate, using the `remote-gw` and `psksecret` values from the downloaded configuration file as shown below. When setting the destination for the static route, use the VPC's IPv4 CIDR:

```
config vpn ipsec phase1-interface
    edit "examplephase1"
        set interface "port1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 3.95.86.157
        set psksecret NlITFTQJfiVuRWkQui_A5IjNT_41VTtP
        set dpd-retryinterval 10
    next
end
config vpn ipsec phase2-interface
    edit "examplephase2"
        set phase1name "examplephase1"
        set proposal aes128-sha1
        set dhgrp 2
        set keylifeseconds 3600
    next
end
config router static
    edit 1
        set dst 10.0.0.0 255.255.0.0
        set device "examplephase1"
    next
end
config firewall policy
    edit 1
        set srcintf "examplephase1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "port2"
        set dstintf "examplephase1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```
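As an added example (not part of the Fortinet recipe or the AWS download), the following Python script parses a snippet in the shape of the configuration above and checks the points the recipe calls out: that `remote-gw` and `psksecret` were carried over from the AWS download, that the static route's `dst` is the VPC's IPv4 CIDR, and that the proposal is still the AWS default `aes128-sha1` with DH group 2, which it flags because AWS also supports the AES-256, SHA-2 and additional Diffie-Hellman groups listed earlier. The embedded sample is constructed from the page's example values with a placeholder PSK, and the parser assumes the flat `config`/`edit`/`set` layout shown above, with `set dst` written as network plus netmask.

```python
import ipaddress

# Constructed sample in the shape of the FortiOS snippet above (phase2 and
# policies omitted); the PSK is a placeholder, not a real AWS-issued key.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "examplephase1"
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 3.95.86.157
        set psksecret PLACEHOLDER_PSK_FROM_AWS_DOWNLOAD
    next
end
config router static
    edit 1
        set dst 10.0.0.0 255.255.0.0
        set device "examplephase1"
    next
end
"""

def parse_fortios(text):
    """Parse 'config <section> / edit <name> / set k v' lines (quotes stripped)
    into {section: {entry: {key: value}}}; next/end need no handling here."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = raw.strip().replace('"', "").split()
        if tok and tok[0] == "config":
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit":
            entry = section.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "set":
            entry[tok[1]] = " ".join(tok[2:])
    return tree

def audit(tree, vpc_cidr):
    """Return findings: missing AWS-supplied values, the AWS default (weaker)
    proposal, or a static route whose dst is not the VPC's IPv4 CIDR."""
    findings, vpc = [], ipaddress.ip_network(vpc_cidr)
    for name, p1 in tree.get("vpn ipsec phase1-interface", {}).items():
        if not p1.get("remote-gw") or not p1.get("psksecret"):
            findings.append(f"{name}: remote-gw/psksecret missing, copy both from the AWS download")
        if p1.get("proposal") == "aes128-sha1" or p1.get("dhgrp") == "2":
            findings.append(f"{name}: default proposal; AWS also offers AES-256, SHA-2, larger DH groups")
    for rid, route in tree.get("router static", {}).items():
        dst = route.get("dst", "").split()  # FortiOS writes "network netmask"
        if len(dst) == 2 and ipaddress.ip_network("/".join(dst)) != vpc:
            findings.append(f"route {rid}: dst {' '.join(dst)} is not the VPC CIDR {vpc_cidr}")
    return findings
```

Run `audit(parse_fortios(open("downloaded.conf").read()), "<your VPC CIDR>")` against the real download before pasting it into the CLI; an empty list means the three checks passed.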
- Run the `diagnose vpn tunnel up examplephase2` command if the tunnel is not up automatically already.
- Check in the FortiOS GUI in VPN > IPsec Tunnels that the tunnel is up.
- In the AWS management console, check that the tunnel is up.
- After the tunnel is up, you must edit a custom route table and security group rules to achieve connectivity between a resource behind the FortiGate and a resource on the AWS cloud.
- On AWS, there are two tunnels for each created VPN. This example only shows connecting to one tunnel, but you can create the second tunnel in FortiOS as well. The second tunnel is for redundancy. If one tunnel goes down, the FortiGate can reach AWS resources using the other tunnel.