AWS Administration Guide

Connecting a local FortiGate to an AWS VPC VPN

This recipe provides sample configuration of a site-to-site VPN connection from a local FortiGate to an AWS VPC VPN via IPsec with static routing.

Instances that you launch into an Amazon VPC can communicate with your own remote network over a site-to-site VPN between your on-premise FortiGate and the AWS VPC VPN. You enable this access by creating a virtual private gateway (VPG) attached to the VPC and a customer gateway that represents the FortiGate, then configuring the site-to-site VPN connection between them.

The following prerequisites must be met for this configuration:

  • An AWS VPC with some configured subnets, routing tables, security group rules, and so on
  • An on-premise FortiGate with an external IP address

This recipe consists of the following steps:

  1. Create a VPG.
  2. Create a customer gateway.
  3. Create a site-to-site VPN connection on AWS.
  4. Configure the on-premise FortiGate.

To create a VPG:

A VPG is the VPN concentrator on the Amazon side of the site-to-site VPN connection. You can create a VPG and attach it to the VPC from which you want to create the site-to-site VPN connection.

  1. In the AWS management console, go to Virtual Private Gateways, then click Create Virtual Private Gateway.
  2. In the Name tag field, enter the desired gateway name.
  3. For static route configuration, the ASN is not important, as the ASN is for BGP routing. By default, the VPG is created with the default ASN, 64512. You cannot change the ASN once the VPG has been created.
  4. After creating the VPG, select it from the list of VPGs, and click Actions > Attach to VPC.
  5. On the Attach to VPC page, select the ID for the desired VPC from the VPC dropdown list.

To create a customer gateway:

In this example, the customer gateway refers to the on-premise FortiGate for the VPC VPN to connect to.

  1. Go to Customer Gateways, then click Create Customer Gateway.
  2. In the Name field, enter the desired gateway name.
  3. For Routing, select Static.
  4. In the IP Address field, enter the on-premise FortiGate's external address.

To create a site-to-site VPN connection on AWS:

AWS VPC VPN supports the following:

  • Internet Key Exchange version 2 (IKEv2)
  • NAT traversal
  • Four-byte ASN (in addition to two-byte ASN)
  • Reusable IP addresses for customer gateways
  • Additional encryption options including AES 256-bit encryption, SHA-2 hashing, and additional Diffie-Hellman groups
  • Configurable tunnel options
  • Custom private ASN for the Amazon side of a BGP session

This example describes creating an IPsec site-to-site VPN.

  1. Go to VPN Connections, then click Create VPN Connection.
  2. In the Name tag field, enter the desired VPN connection name.
  3. From the Virtual Private Gateway dropdown list, select the VPG ID for the VPG created earlier.
  4. For Routing Options, select Static.
  5. In the IP Prefixes field, enter the CIDR of the networks behind your on-premise FortiGate.
  6. Leave the tunnel options blank. AWS generates these values, and you obtain them from the configuration file that you download after the connection is created.

To configure the on-premise FortiGate:

  1. After creating the VPN, select it in the VPN list, then click Download Configuration. This document contains information needed to configure the FortiGate correctly.
  2. You can configure the FortiGate using this downloaded configuration file. The example FortiGate has port1 with an external IP address of 35.188.119.246 and an internal IP address of 10.6.30.2/24. Port2 has an internal IP address of 10.1.100.3/24. The downloaded configuration file resembles the following. The most important information here is the remote-gw value, which in this case is 3.95.86.157, and the psksecret value.

    Run the following commands in the FortiOS CLI to configure the FortiGate, using the remote-gw and psksecret values from the downloaded configuration file as shown below. When setting the destination for the static route, use the VPC's IPv4 CIDR:

    config vpn ipsec phase1-interface
        edit "examplephase1"
            set interface "port1"
            set keylife 28800
            set peertype any
            set proposal aes128-sha1
            set dhgrp 2
            set remote-gw 3.95.86.157
            set psksecret NlITFTQJfiVuRWkQui_A5IjNT_41VTtP
            set dpd-retryinterval 10
        next
    end

    config vpn ipsec phase2-interface
        edit "examplephase2"
            set phase1name "examplephase1"
            set proposal aes128-sha1
            set dhgrp 2
            set keylifeseconds 3600
        next
    end

    config router static
        edit 1
            set dst 10.0.0.0 255.255.0.0
            set device "examplephase1"
        next
    end

    config firewall policy
        edit 1
            set srcintf "examplephase1"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set srcintf "port2"
            set dstintf "examplephase1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end

  3. If the tunnel has not come up automatically, run the diagnose vpn tunnel up examplephase2 command.
  4. In the FortiOS GUI, go to VPN > IPsec Tunnels and check that the tunnel is up.
  5. In the AWS management console, check that the tunnel is up.
  6. After the tunnel is up, you must edit a custom route table and the security group rules so that a resource behind the FortiGate and a resource in the AWS cloud can reach each other.
  7. On AWS, each VPN connection has two tunnels. This example only shows connecting to one tunnel, but you can create the second tunnel in FortiOS as well. The second tunnel provides redundancy: if one tunnel goes down, the FortiGate can still reach AWS resources through the other.
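The following script renders the FortiOS CLI for both AWS tunnels at once, with a static route per tunnel to the VPC CIDR so that the second tunnel takes over if the first fails. It is an added example and not Fortinet's or AWS's own code: the tunnel names, the "-p2" phase2 naming, the route priority scheme, and the sample gateway addresses and pre-shared keys are assumptions, while the keylife, DPD and proposal values mirror the single-tunnel configuration above.

```python
import ipaddress

# Each tunnel: (name, remote_gw, psk). name becomes the FortiOS phase1 name and
# tunnel interface; remote_gw and psk are the Virtual Private Gateway outside IP
# and pre-shared key read from the configuration file downloaded from AWS.
# Sample values used when calling this are constructed; the PSK is a secret.

def dst_netmask(cidr: str) -> str:
    """FortiOS static routes take 'network netmask', not CIDR notation."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"

def fortios_config(tunnels, vpc_cidr, wan_if="port1", lan_if="port2"):
    """Render phase1/phase2, one static route per tunnel and the policies."""
    out = ["config vpn ipsec phase1-interface"]
    for name, remote_gw, psk in tunnels:
        out += [f'    edit "{name}"', f'        set interface "{wan_if}"',
                "        set keylife 28800", "        set peertype any",
                "        set proposal aes128-sha1", "        set dhgrp 2",
                f"        set remote-gw {remote_gw}", f"        set psksecret {psk}",
                "        set dpd-retryinterval 10", "    next"]
    out += ["end", "config vpn ipsec phase2-interface"]
    for name, _, _ in tunnels:
        out += [f'    edit "{name}-p2"', f'        set phase1name "{name}"',
                "        set proposal aes128-sha1", "        set dhgrp 2",
                "        set keylifeseconds 3600", "    next"]
    out += ["end", "config router static"]
    for i, (name, _, _) in enumerate(tunnels, 1):
        # Same VPC prefix via every tunnel; the lowest priority value is used
        # while both are up, the other route carries traffic if DPD drops it.
        out += [f"    edit {i}", f"        set dst {dst_netmask(vpc_cidr)}",
                f'        set device "{name}"', f"        set priority {i * 10}",
                "    next"]
    out += ["end", "config firewall policy"]
    pid = 0
    for name, _, _ in tunnels:
        for src, dst in ((name, lan_if), (lan_if, name)):  # one policy per direction
            pid += 1
            out += [f"    edit {pid}", f'        set srcintf "{src}"',
                    f'        set dstintf "{dst}"', '        set srcaddr "all"',
                    '        set dstaddr "all"', "        set action accept",
                    '        set schedule "always"', '        set service "ALL"',
                    "    next"]
    return "\n".join(out + ["end"])
```

Paste the returned text into the FortiOS CLI; the second tunnel's remote-gw and psksecret are the second tunnel section of the same downloaded AWS file.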
