Connecting a local FortiGate to an IBM Cloud FortiGate via site-to-site VPN
This guide provides sample configuration of a site-to-site VPN connection from a local FortiGate to an IBM FortiGate via site-to-site IPsec VPN with static routing. You can access resources that are protected behind a FortiGate on IBM from your local environment by using a site-to-site VPN.
The following depicts the network topology for this sample deployment:
The following prerequisites must be met for this configuration:
- A FortiGate located on (Gen 2) IBM Cloud Virtual Servers for VPC with some resources behind it. In this example, the IBM FortiGate has port1 connected to WAN and port2 connected to local LAN.
- An on-premise FortiGate. For your local environment, determine if your FortiGate has a publicly accessible IP address or if it is behind NAT. In this example, the on-premise FortiGate is behind NAT.
This configuration consists of the following steps:
- Create a VPN on the local FortiGate to the IBM FortiGate.
- Create a VPN on the IBM FortiGate to the local FortiGate.
- Establish a connection between the FortiGates.
To create a VPN on the local FortiGate to the IBM FortiGate:
- In FortiOS on the local FortiGate, go to VPN > IPsec Wizard.
- On the VPN Setup tab, configure the following:
- In the Name field, enter the desired name.
- For Template Type, select Site to Site.
- For Remote Device Type, select FortiGate.
- For NAT Configuration, select the appropriate option. In this example, since the local FortiGate is behind NAT, This site is behind NAT is selected. Click Next. For non-dialup situations where the local FortiGate has an external IP address, select No NAT between sites.
- On the Authentication tab, configure the following:
- For Remote Device, select IP Address.
- In the IP Address field, enter the IBM FortiGate's floating IP address. In this example, it is 52.116.124.148.
- For Outgoing Interface, allow FortiOS to detect the interface via routing lookup.
- For Authentication Method, select Pre-shared Key.
- In the Pre-shared Key field, enter the desired key. Click Next.
- On the Policy & Routing tab, configure the following:
- For Local Interface, select the desired local interface. In this example, port2 is selected. The Local Subnets field should autopopulate.
- In the Remote Subnets field, enter the remote subnet on the other side of the IBM FortiGate. In this example, it is 10.241.1.0/24.
- For Internet Access, select None.
- Click Create. The IPsec Wizard creates the following:
- Firewall addresses for local and remote subnets
- Firewall address groups containing the above firewall addresses
- phase-1 and phase-2 interfaces
- Static route and blackhole route
- Two firewall policies: one for traffic to the tunnel interface and one for traffic from the tunnel interface
To create a VPN on the IBM FortiGate to the local FortiGate:
- In FortiOS on the IBM FortiGate, go to VPN > IPsec Wizard.
- On the VPN Setup tab, configure the following:
- In the Name field, enter the desired name.
- For Template Type, select Site to Site.
- For Remote Device Type, select FortiGate.
- For NAT Configuration, select This site is behind NAT. This is the correct configuration since the IBM FortiGate has an floating IP address. Click Next.
- On the Authentication tab, configure the following:
- For Incoming Interface, select the WAN-facing incoming interface. In this example, it is port1.
- For Authentication Method, select Pre-shared Key.
- In the Pre-shared Key field, enter the same key configured on the local FortiGate. Click Next.
- On the Policy & Routing tab, configure the following:
- For Local Interface, select the desired local interface. In this example, port2 is selected. The Local Subnets field should then autopopulate.
- In the Remote Subnets field, enter the remote subnet on the other side of the local FortiGate. In this example, it is 10.1.100.0/24.
- For Internet Access, select None.
- Click Create. The IPsec Wizard creates the following:
- Firewall addresses for local and remote subnets
- Firewall address groups containing the above firewall addresses
- phase-1 and phase-2 interfaces
- Static route and blackhole route
- Two firewall policies: one for traffic to the tunnel interface and one for traffic from the tunnel interface
To establish a connection between the FortiGates:
- The tunnels are down until you initiate a connection from the local FortiGate to the IBM FortiGate. In FortiOS on the local FortiGate, go to Dashboard > Network and click IPsec to expand the widget.
- Right-click the phase-2 interface, and select Bring Up > All Phase 2 Selectors.
- In FortiOS on the IBM FortiGate, go to VPN > IPsec Tunnels and verify that the connection is up.
The floating IP address can be considered as one to one to the FortiGate's IP address, even though the port IP address may be an internal IP address. |