Connecting a local FortiGate to an AliCloud FortiGate via site-to-site VPN
This guide provides a sample configuration of a site-to-site IPsec VPN, using static routing, between a local FortiGate and a FortiGate deployed on AliCloud. The following depicts the network topology for this sample deployment:
The following prerequisites must be met for this configuration:
- A FortiGate located on AliCloud with port1 connected to local LAN and a public IP address mapped to port1.
- A local FortiGate in a local environment. Determine if your FortiGate has a publicly accessible IP address or if it is behind NAT. In this example, the on-premise FortiGate is behind NAT.
This guide consists of the following steps:
- Configure the local FortiGate.
- Configure the AliCloud FortiGate.
- Establish a VPN connection between the local and AliCloud FortiGates.
- Run diagnose commands.
Configuring the local FortiGate
To configure the local FortiGate using the GUI:
- Configure the interfaces:
- In FortiOS, go to Network > Interfaces.
- Edit port1. From the Role dropdown list, select WAN. In the IP/Network Mask field, enter 10.6.30.194/255.255.255.0 for the interface that is connected to the Internet.
- Edit port4. From the Role dropdown list, select LAN. In the IP/Network Mask field, enter 192.168.4.194/255.255.255.0 for the interface that is connected to the local subnet.
- Configure a static route to connect to the Internet:
- Go to Network > Static Routes.
- Click Create New.
- In the Destination field, enter 0.0.0.0/0.0.0.0.
- From the Interface dropdown list, select port1.
- In the Gateway Address field, enter 10.6.30.254.
- Configure IPsec VPN:
- Go to VPN > IPsec Wizard.
- Configure VPN Setup:
- In the Name field, enter the desired name.
- For Template Type, select Site to Site.
- For Remote Device Type, select FortiGate.
- For NAT Configuration, select This site is behind NAT. Click Next. For non-dialup situations where the local FortiGate has an external IP address, select No NAT between sites.
- Configure Authentication:
- For Remote Device, select IP Address.
- In the IP Address field, enter 47.254.43.106. This is the AliCloud FortiGate port1 public IP address.
- From the Outgoing Interface dropdown list, select port1.
- For Authentication Method, select Pre-shared Key.
- In the Pre-shared Key field, enter 123456. Click Next.
- Configure Policy & Routing:
- From the Local Interface dropdown list, select port4. This autofills the Local Subnets field with 192.168.4.0/24.
- In the Remote Subnets field, enter 192.168.4.0/24. This is the AliCloud FortiGate port1 subnet.
- For Internet Access, select None. Click Create.
To configure the local FortiGate using the CLI:
- Configure the interfaces:
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.6.30.194 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set role wan
        set snmp-index 1
    next
    edit "port4"
        set vdom "root"
        set ip 192.168.4.194 255.255.255.0
        set allowaccess ping https ssh snmp fgfm ftm
        set type physical
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 4
    next
end
- Configure a static route to connect to the Internet:
config router static
    edit 1
        set gateway 10.6.30.254
        set device "port1"
    next
end
- Configure IPsec VPN:
config vpn ipsec phase1-interface
    edit "to_ali"
        set interface "port1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: to_ali (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 47.254.43.106
        set psksecret xxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "to_ali"
        set phase1name "to_ali"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: to_ali (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "to_ali_local"
        set dst-name "to_ali_remote"
    next
end
config router static
    edit 2
        set device "to_ali"
        set comment "VPN: to_ali (Created by VPN wizard)"
        set dstaddr "to_ali_remote"
    next
    edit 3
        set distance 254
        set comment "VPN: to_ali (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "to_ali_remote"
    next
end
config firewall policy
    edit 1
        set name "vpn_to_ali_local"
        set uuid c6b2d36e-6c65-51e9-5a78-9a0881a0b07c
        set srcintf "port4"
        set dstintf "to_ali"
        set srcaddr "to_ali_local"
        set dstaddr "to_ali_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to_ali (Created by VPN wizard)"
    next
    edit 2
        set name "vpn_to_ali_remote"
        set uuid c6bf126e-6c65-51e9-8652-cb88546929b4
        set srcintf "to_ali"
        set dstintf "port4"
        set srcaddr "to_ali_remote"
        set dstaddr "to_ali_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to_ali (Created by VPN wizard)"
    next
end
Configuring the AliCloud FortiGate
To configure the AliCloud FortiGate using the GUI:
- Configure the interface:
- In FortiOS, go to Network > Interfaces.
- Edit port1.
- From the Role dropdown list, select LAN.
- Ensure that Addressing mode is set to DHCP and that the FortiGate can list the assigned IP address.
- Configure IPsec VPN:
- Go to VPN > IPsec Wizard.
- Configure VPN Setup:
- In the Name field, enter the desired name.
- For Template Type, select Site to Site.
- For Remote Device Type, select FortiGate.
- For NAT Configuration, select The remote site is behind NAT. Click Next.
- Configure Authentication:
- From the Incoming Interface dropdown list, select port1.
- For Authentication Method, select Pre-shared Key.
- In the Pre-shared Key field, enter 123456. Click Next.
- Configure Policy & Routing:
- From the Local Interface dropdown list, select port1. This autofills the Local Subnets field with 192.168.4.0/24.
- In the Remote Subnets field, enter 192.168.4.0/24. This is the local FortiGate port4 subnet.
- For Internet Access, select None. Click Create.
To configure the AliCloud FortiGate using the CLI:
- Configure the interface and ensure that the FortiGate can list the assigned IP address:
config system interface
    edit "port1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https ssh fgfm
        set type physical
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 1
    next
end
diagnose ip address list
IP=192.168.0.177->192.168.0.177/255.255.255.0 index=3 devname=port1
- Configure IPsec VPN:
config vpn ipsec phase1-interface
    edit "to_local"
        set type dynamic
        set interface "port1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set comments "VPN: to_local (Created by VPN wizard)"
        set wizard-type dialup-fortigate
        set psksecret xxxxxx
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "to_local"
        set phase1name "to_local"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: to_local (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "to_local_local"
        set dst-name "to_local_remote"
    next
end
config firewall policy
    edit 1
        set name "vpn_to_local_local"
        set uuid e07aaa72-833c-51e9-ad33-4c1e96b656da
        set srcintf "port1"
        set dstintf "to_local"
        set srcaddr "to_local_local"
        set dstaddr "to_local_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to_local (Created by VPN wizard)"
    next
    edit 2
        set name "vpn_to_local_remote"
        set uuid e086b2b8-833c-51e9-3aaf-49e3cd4c5c70
        set srcintf "to_local"
        set dstintf "port1"
        set srcaddr "to_local_remote"
        set dstaddr "to_local_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: to_local (Created by VPN wizard)"
    next
end
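The two phase1-interface blocks above (static gateway on the local FortiGate, dialup responder on the AliCloud FortiGate) have to agree before phase 1 can complete. The following script is an added example, not Fortinet's code: it parses the FortiOS `config / edit / set / next / end` layout into dictionaries and checks the two peers against each other (remote-gw on the static side, `type dynamic` on the dialup side, at least one shared proposal, weak hash suffixes still offered, and a pre-shared key present on both). The sample blocks are constructed from this guide's CLI sections and the `psksecret` value is a placeholder; the check names (`parse_fortios_block`, `check_peers`) are this example's own.

```python
"""Compatibility check between the two phase1-interface blocks in this guide.

Added example, not Fortinet's code: parses FortiOS 'config / edit / set / next / end'
text into dicts and checks the static-gateway peer (local FortiGate) against the
dialup peer (AliCloud FortiGate). Sample blocks are constructed from the guide;
psksecret is a placeholder.
"""
import re

# Constructed from the local FortiGate CLI section of the guide.
LOCAL_PHASE1 = """
config vpn ipsec phase1-interface
    edit "to_ali"
        set interface "port1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set wizard-type static-fortigate
        set remote-gw 47.254.43.106
        set psksecret xxxxxx
    next
end
"""

# Constructed from the AliCloud FortiGate CLI section of the guide.
ALI_PHASE1 = """
config vpn ipsec phase1-interface
    edit "to_local"
        set type dynamic
        set interface "port1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set wizard-type dialup-fortigate
        set psksecret xxxxxx
        set dpd-retryinterval 60
    next
end
"""

# Hash suffixes a reviewer would want removed from the offered proposal list.
WEAK_HASHES = {"md5", "sha1"}


def parse_fortios_block(text):
    """Return {entry_name: {key: [values, ...]}} for one 'config ... end' block."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = line.split()
            entries[current][parts[1]] = [v.strip('"') for v in parts[2:]]
        elif line == "next":
            current = None
    return entries


def check_peers(static_cfg, dialup_cfg):
    """Return a list of findings; an empty list means the two sides look consistent."""
    findings = []
    (s_name, s), = static_cfg.items()
    (d_name, d), = dialup_cfg.items()

    # The publicly reachable side must point at the peer; the NATed side is reached
    # as a dialup client, so the responder is 'type dynamic' and sets no remote-gw.
    if "remote-gw" not in s:
        findings.append(f"{s_name}: static peer has no remote-gw")
    if d.get("type") != ["dynamic"]:
        findings.append(f"{d_name}: dialup responder needs 'set type dynamic'")
    if "remote-gw" in d:
        findings.append(f"{d_name}: dialup responder should not set remote-gw")

    # Phase 1 only completes if at least one proposal is offered by both sides.
    if not set(s.get("proposal", [])) & set(d.get("proposal", [])):
        findings.append("no phase1 proposal in common")

    # Flag weak hashes still offered; the wizard default list includes sha1 variants.
    for name, cfg in ((s_name, s), (d_name, d)):
        weak = [p for p in cfg.get("proposal", []) if p.rsplit("-", 1)[-1] in WEAK_HASHES]
        if weak:
            findings.append(f"{name}: weak phase1 proposals offered: {' '.join(weak)}")

    # Both peers need a pre-shared key; values are not compared because a running
    # config shows the key in encrypted form.
    for name, cfg in ((s_name, s), (d_name, d)):
        if "psksecret" not in cfg:
            findings.append(f"{name}: no psksecret configured")
    return findings


if __name__ == "__main__":
    for finding in check_peers(parse_fortios_block(LOCAL_PHASE1), parse_fortios_block(ALI_PHASE1)):
        print(finding)
```

Run against the guide's own blocks, the only findings are the two `aes*-sha1` proposals each side still offers; trimming the proposal list to the sha256 entries on both peers clears them without affecting the tunnel, since both sides already negotiate aes128-sha256 (see the `proposal:` line in the diagnose output later in this guide).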
To establish the VPN connection between the FortiGates:
The tunnel stays down until you initiate the connection from the local FortiGate.
- In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor.
- Click the created tunnel.
- Click Bring Up. The tunnel is up.
- In FortiOS on the AliCloud FortiGate, go to Monitor > IPsec Monitor to verify that the tunnel is up.
To run diagnose commands:
- Show the local FortiGate VPN status:
FGT-194-Level1 # diagnose vpn ike gateway list

vd: root/0
name: to_ali
version: 1
interface: port1 3
addr: 10.6.30.194:4500 -> 47.254.43.106:4500
created: 4057s ago
nat: me peer
IKE SA: created 1/1 established 1/1 time 21180/21180/21180 ms
IPsec SA: created 1/3 established 1/3 time 20/26/30 ms

id/spi: 2 fd018d163ea303aa/9d7a245f889ee6c4
direction: initiator
status: established 4057-4036s ago = 21180ms
proposal: aes128-sha256
key: c7bab4dd8883b727-3b249220088216f8
lifetime/rekey: 86400/82063
DPD sent/recv: 00000000/00000009

FGT-194-Level1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_ali ver=1 serial=1 10.6.30.194:4500->47.254.43.106:4500 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=3382 txp=3404 rxb=432896 txb=204240
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=to_ali proto=0 sa=1 ref=2 serial=3
  src: 0:192.168.4.0/255.255.255.0:0
  dst: 0:192.168.0.0/255.255.255.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1422 expire=39471/0B replaywin=2048
       seqno=d14 esn=0 replaywin_lastseq=00000d0d itn=0 qat=0
  life: type=01 bytes=0/0 timeout=42903/43200
  dec: spi=8427ce41 esp=aes key=16 961323608ef02c111ce4cc393cd79293
       ah=sha1 key=20 9cffabaa0163df6a92e1917efa333148b58ff9da
  enc: spi=e2723047 esp=aes key=16 f93b233906039c179924923a4f09ebae
       ah=sha1 key=20 c2c6225e26927de6381bf44c6ccd6d0a325e2e27
  dec:pkts/bytes=3325/199500, enc:pkts/bytes=3347/428416
- Show the AliCloud FortiGate VPN status:
FGT-ALIONDEMAND # diagnose vpn ike gateway list

vd: root/0
name: to_local_0
version: 1
interface: port1 3
addr: 192.168.0.177:4500 -> 208.91.114.1:64916
created: 4103s ago
nat: me peer
IKE SA: created 1/1 established 1/1 time 120/120/120 ms
IPsec SA: created 1/3 established 1/3 time 20/26/30 ms

id/spi: 0 fd018d163ea303aa/9d7a245f889ee6c4
direction: responder
status: established 4103-4103s ago = 120ms
proposal: aes128-sha256
key: c7bab4dd8883b727-3b249220088216f8
lifetime/rekey: 86400/82026
DPD sent/recv: 00000009/00000000

FGT-ALIONDEMAND # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_local ver=1 serial=1 192.168.0.177:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=0 child_num=1 refcnt=11 ilast=4118 olast=4118 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
------------------------------------------------------
name=to_local_0 ver=1 serial=2 192.168.0.177:4500->208.91.114.1:64916 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/976 options[03d0]=create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
parent=to_local index=0
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0
stat: rxp=3459 txp=3459 rxb=442752 txb=207540
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=9
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=to_local proto=0 sa=1 ref=2 serial=3 add-route
  src: 0:192.168.0.0/255.255.255.0:0
  dst: 0:192.168.4.0/255.255.255.0:0
  SA:  ref=3 options=282 type=00 soft=0 mtu=1422 expire=39694/0B replaywin=2048
       seqno=d4b esn=0 replaywin_lastseq=00000d52 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=43187/43200
  dec: spi=e2723047 esp=aes key=16 f93b233906039c179924923a4f09ebae
       ah=sha1 key=20 c2c6225e26927de6381bf44c6ccd6d0a325e2e27
  enc: spi=8427ce41 esp=aes key=16 961323608ef02c111ce4cc393cd79293
       ah=sha1 key=20 9cffabaa0163df6a92e1917efa333148b58ff9da
  dec:pkts/bytes=3402/204120, enc:pkts/bytes=3402/435456
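Reading the two `diagnose vpn ike gateway list` captures side by side is how you confirm that both FortiGates hold the same IKE SA: the cookie pair on the `id/spi` line is identical on both ends, one side is the initiator and the other the responder, the local side shows UDP 4500 (NAT-T) with `nat: me`, and the `DPD sent/recv` counters mirror each other. The script below is an added example, not Fortinet's code: it parses the one-`label: value`-per-line layout the command prints into typed fields and cross-checks the two sides. The captures are constructed from the output shown above (the `key:` line is omitted); the function names `parse_ike_gateway` and `check_pair` are this example's own.

```python
"""Parse 'diagnose vpn ike gateway list' from both FortiGates and cross-check the pair.

Added example, not Fortinet's code. The two captures are constructed from the diagnose
output shown in this guide ('key:' line omitted); the layout is the one the command
prints, one 'label: value' per line.
"""
import re

# Constructed: local FortiGate (initiator, behind NAT).
LOCAL_IKE = """\
vd: root/0
name: to_ali
version: 1
interface: port1 3
addr: 10.6.30.194:4500 -> 47.254.43.106:4500
created: 4057s ago
nat: me peer
IKE SA: created 1/1 established 1/1 time 21180/21180/21180 ms
IPsec SA: created 1/3 established 1/3 time 20/26/30 ms

id/spi: 2 fd018d163ea303aa/9d7a245f889ee6c4
direction: initiator
status: established 4057-4036s ago = 21180ms
proposal: aes128-sha256
lifetime/rekey: 86400/82063
DPD sent/recv: 00000000/00000009
"""

# Constructed: AliCloud FortiGate (dialup responder; the peer arrives from a NATed port).
ALI_IKE = """\
vd: root/0
name: to_local_0
version: 1
interface: port1 3
addr: 192.168.0.177:4500 -> 208.91.114.1:64916
created: 4103s ago
nat: me peer
IKE SA: created 1/1 established 1/1 time 120/120/120 ms
IPsec SA: created 1/3 established 1/3 time 20/26/30 ms

id/spi: 0 fd018d163ea303aa/9d7a245f889ee6c4
direction: responder
status: established 4103-4103s ago = 120ms
proposal: aes128-sha256
lifetime/rekey: 86400/82026
DPD sent/recv: 00000009/00000000
"""

ADDR_RE = re.compile(r"(\S+):(\d+)\s*->\s*(\S+):(\d+)")


def parse_ike_gateway(text):
    """Turn one gateway entry into a dict of typed fields."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    local_ip, local_port, remote_ip, remote_port = ADDR_RE.match(fields["addr"]).groups()
    spi_i, spi_r = fields["id/spi"].split()[1].split("/")
    dpd_sent, dpd_recv = (int(x, 16) for x in fields["DPD sent/recv"].split("/"))
    lifetime, rekey = (int(x) for x in fields["lifetime/rekey"].split("/"))
    return {
        "name": fields["name"],
        "ike_version": int(fields["version"]),
        "local": (local_ip, int(local_port)),
        "remote": (remote_ip, int(remote_port)),
        "established": fields["status"].startswith("established"),
        "direction": fields["direction"],
        # UDP 4500 on the local side means NAT-T (UDP encapsulation) is in use.
        "nat_t": int(local_port) == 4500,
        "behind_nat": "me" in fields["nat"].split(),
        "spi": (spi_i, spi_r),
        "proposal": fields["proposal"],
        "dpd_sent": dpd_sent,
        "dpd_recv": dpd_recv,
        "lifetime_s": lifetime,
        "rekey_in_s": rekey,
    }


def check_pair(a, b):
    """Cross-check the two sides of one tunnel; return a list of problems (empty = consistent)."""
    problems = []
    for side in (a, b):
        if not side["established"]:
            problems.append(f"{side['name']}: IKE SA not established")
    if a["spi"] != b["spi"]:
        problems.append("IKE SA cookies differ: the two captures are not the same SA")
    if {a["direction"], b["direction"]} != {"initiator", "responder"}:
        problems.append("expected exactly one initiator and one responder")
    if a["proposal"] != b["proposal"]:
        problems.append("negotiated proposals differ")
    # Every DPD probe one side sent should show up as received on the other.
    if a["dpd_sent"] != b["dpd_recv"] or b["dpd_sent"] != a["dpd_recv"]:
        problems.append("DPD counters do not mirror: probes are being lost")
    return problems


if __name__ == "__main__":
    local, ali = parse_ike_gateway(LOCAL_IKE), parse_ike_gateway(ALI_IKE)
    print(local["name"], local["direction"], "NAT-T" if local["nat_t"] else "no NAT-T")
    print(check_pair(local, ali) or "both sides consistent")
```

On the captures above `check_pair` returns an empty list. The DPD asymmetry is expected here: the AliCloud side is configured with `dpd on-idle`, so it is the one sending probes (sent 9), and the local side only answers them (recv 9). A non-empty result after a `Bring Up` usually points at a mismatched pre-shared key (no SA established on either side) or at a NAT device between the sites dropping UDP 4500.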