Connecting a local FortiGate to an AliCloud VPC VPN
This guide provides sample configuration of a site-to-site VPN connection from a local FortiGate to an AliCloud VPC VPN via IPsec VPN with static routing.
Instances that you launch into an AliCloud VPC can communicate with your own remote network via a site-to-site VPN between your on-premise FortiGate and AliCloud VPC VPN. You can enable access to your remote network from your VPC by configuring a VPN gateway and customer gateway to the VPC, then configuring the site-to-site VPC VPN.
This configuration requires the following prerequisites be met:
- AliCloud VPC with some configured subnets, routing tables, security group rules, and so on
- On-premise FortiGate with an external IP address
This guide consists of the following steps:
- Create a VPN gateway.
- Create a customer gateway.
- Create a site-to-site VPN connection on AliCloud.
- Configure the on-premise FortiGate.
- Run diagnose commands.
To create a VPN gateway:
- In the AliCloud management console, go to VPN > VPN Gateways.
- Click Create VPN Gateway.
- Create a virtual private gateway and attach it to the VPC from which you want to create the site-to-site VPN connection.
To create a customer gateway:
In this example, the customer gateway is the on-premise FortiGate that the VPC VPN connects to.
- Go to VPN > Customer Gateways.
- Click Create Customer Gateway.
- Configure the customer gateway as shown:
To create a site-to-site VPN connection on AliCloud:
- Go to VPN > IPsec Connections.
- Click Create IPsec Connection.
- Create an IPsec connection between the VPN and customer gateways.
- Under Actions, click Download Configuration.
- Note the IPsec-related parameters. You use these parameters to configure the on-premise FortiGate in the next step:
```json
{
  "LocalSubnet": "0.0.0.0/0",
  "RemoteSubnet": "0.0.0.0/0",
  "IpsecConfig": {
    "IpsecPfs": "group2",
    "IpsecEncAlg": "aes",
    "IpsecAuthAlg": "sha1",
    "IpsecLifetime": 86400
  },
  "Local": "x.x.x.x",
  "Remote": "47.88.4.89",
  "IkeConfig": {
    "IkeAuthAlg": "sha1",
    "LocalId": "x.x.x.x",
    "IkeEncAlg": "aes",
    "IkeVersion": "ikev1",
    "IkeMode": "main",
    "IkeLifetime": 86400,
    "RemoteId": "47.88.4.89",
    "Psk": "xxxxxxxxxxxxxxxx",
    "IkePfs": "group2"
  }
}
```
To configure the on-premise FortiGate:
- In the FortiOS CLI, configure the on-premise FortiGate with the above IPsec-related parameters. When setting `remote-gw` and `psksecret`, use the values found for `RemoteId` and `Psk` above, respectively. The example on-premise FortiGate uses port9 as its external interface:

```
config vpn ipsec phase1-interface
    edit "AliCloudVPN"
        set interface "port9"
        set keylife 86400
        set peertype any
        set net-device enable
        set proposal aes128-sha1
        set dhgrp 14 2
        set remote-gw 47.88.4.89
        set psksecret xxxxxxxxxxxxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "AliCloudVPN"
        set phase1name "AliCloudVPN"
        set proposal aes128-sha1
        set dhgrp 14 2
        set keepalive enable
        set keylifeseconds 3600
    next
end
config firewall address
    edit "AliCloudVPN-local-subnet-1"
        set allow-routing enable
        set subnet 10.6.30.0 255.255.255.0
    next
end
config firewall address
    edit "AliCloudVPN-remote-subnet-1"
        set allow-routing enable
        set subnet 10.0.1.0 255.255.255.0
    next
end
config router static
    edit 2
        set device "AliCloudVPN"
        set dstaddr "AliCloudVPN-remote-subnet-1"
    next
end
config firewall policy
    edit 10
        set name "AliCloudVPN-local-ali"
        set srcintf "mgmt1"
        set dstintf "AliCloudVPN"
        set srcaddr "AliCloudVPN-local-subnet-1"
        set dstaddr "AliCloudVPN-remote-subnet-1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 20
        set name "AliCloudVPN-ali-local"
        set srcintf "AliCloudVPN"
        set dstintf "mgmt1"
        set srcaddr "AliCloudVPN-remote-subnet-1"
        set dstaddr "AliCloudVPN-local-subnet-1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```
- If the IPsec tunnel does not appear automatically, run the `diagnose vpn tunnel up AliCloudVPN` command.
- In the FortiOS GUI, go to VPN > IPsec Tunnels. Verify that the tunnel is up.

The on-premise FortiGate can now access the AliCloud VM with its private IP address. The AliCloud VM can also access the on-premise FortiGate with its private IP address.
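The downloaded AliCloud parameters and the FortiOS phase1/phase2 settings above map onto each other field by field (`IkeEncAlg`/`IkeAuthAlg` become the `proposal`, `IkePfs` becomes `dhgrp`, `IkeLifetime` becomes `keylife`, `RemoteId` and `Psk` become `remote-gw` and `psksecret`). The following Python script is an added example, not part of this guide or of Fortinet's or AliCloud's tooling: it reads the downloaded JSON and emits the matching phase1/phase2 CLI, and it flags the algorithms a reviewer should question before deploying, since the download above offers 1024-bit DH (group2) and SHA-1. Only `aes`, `sha1` and `group2` appear on this page; the other AliCloud algorithm names in the maps are assumed. The generated config uses exactly what AliCloud sent (`dhgrp 2`, phase2 lifetime 86400), whereas the hand-written sample above also offers group 14 and shortens the phase2 lifetime to 3600.

```python
import json

# Constructed sample: the parameters AliCloud's "Download Configuration" action
# returns for the IPsec connection, with the same placeholder values the guide shows.
ALICLOUD_CONFIG = """{
  "LocalSubnet": "0.0.0.0/0", "RemoteSubnet": "0.0.0.0/0",
  "IpsecConfig": {"IpsecPfs": "group2", "IpsecEncAlg": "aes",
                  "IpsecAuthAlg": "sha1", "IpsecLifetime": 86400},
  "Local": "x.x.x.x", "Remote": "47.88.4.89",
  "IkeConfig": {"IkeAuthAlg": "sha1", "LocalId": "x.x.x.x", "IkeEncAlg": "aes",
                "IkeVersion": "ikev1", "IkeMode": "main", "IkeLifetime": 86400,
                "RemoteId": "47.88.4.89", "Psk": "xxxxxxxxxxxxxxxx", "IkePfs": "group2"}
}"""

# AliCloud algorithm names -> FortiOS proposal tokens. Only "aes", "sha1" and
# "group2" appear in the guide; the remaining keys are assumed AliCloud names.
# AliCloud's bare "aes" is AES-128, which is why the guide's proposal reads aes128-sha1.
ENC_MAP = {"aes": "aes128", "aes192": "aes192", "aes256": "aes256", "des": "des", "3des": "3des"}
AUTH_MAP = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}

# Values worth flagging in review: 1024-bit MODP (group2), SHA-1, MD5 and the
# DES family are still selectable on the AliCloud side but are weak today.
WEAK = {"group1", "group2", "md5", "sha1", "des", "3des"}


def dh_group(alicloud_pfs):
    """'group2' -> '2': AliCloud names DH groups groupN, FortiOS dhgrp takes the number."""
    if not alicloud_pfs.startswith("group"):
        raise ValueError(f"unexpected PFS value {alicloud_pfs!r}")
    return alicloud_pfs[len("group"):]


def alicloud_to_fortios(raw_json, name, interface):
    """Return (FortiOS CLI text, warnings) for one downloaded AliCloud IPsec connection."""
    cfg = json.loads(raw_json)
    ike, ipsec = cfg["IkeConfig"], cfg["IpsecConfig"]

    checked = (("IkeEncAlg", ike["IkeEncAlg"]), ("IkeAuthAlg", ike["IkeAuthAlg"]),
               ("IkePfs", ike["IkePfs"]), ("IpsecEncAlg", ipsec["IpsecEncAlg"]),
               ("IpsecAuthAlg", ipsec["IpsecAuthAlg"]), ("IpsecPfs", ipsec["IpsecPfs"]))
    warnings = [f"{field}={value} is weak; agree group14+/sha256+/aes256 with the AliCloud side"
                for field, value in checked if value in WEAK]

    phase1 = [
        "config vpn ipsec phase1-interface",
        f'    edit "{name}"',
        f'        set interface "{interface}"',
        f"        set ike-version {'1' if ike['IkeVersion'] == 'ikev1' else '2'}",
        f"        set keylife {ike['IkeLifetime']}",
        "        set peertype any",
        "        set net-device enable",
        f"        set proposal {ENC_MAP[ike['IkeEncAlg']]}-{AUTH_MAP[ike['IkeAuthAlg']]}",
        f"        set dhgrp {dh_group(ike['IkePfs'])}",
        # remote-gw and psksecret come from RemoteId and Psk, as the guide says
        f"        set remote-gw {ike['RemoteId']}",
        f"        set psksecret {ike['Psk']}",
        "    next",
        "end",
    ]
    if ike["IkeVersion"] == "ikev1":
        # main/aggressive is an IKEv1-only setting on FortiOS; place it after ike-version
        phase1.insert(4, f"        set mode {ike['IkeMode']}")

    phase2 = [
        "config vpn ipsec phase2-interface",
        f'    edit "{name}"',
        f'        set phase1name "{name}"',
        f"        set proposal {ENC_MAP[ipsec['IpsecEncAlg']]}-{AUTH_MAP[ipsec['IpsecAuthAlg']]}",
        f"        set dhgrp {dh_group(ipsec['IpsecPfs'])}",
        "        set keepalive enable",
        f"        set keylifeseconds {ipsec['IpsecLifetime']}",
        "    next",
        "end",
    ]
    return "\n".join(phase1 + phase2) + "\n", warnings


if __name__ == "__main__":
    text, warnings = alicloud_to_fortios(ALICLOUD_CONFIG, "AliCloudVPN", "port9")
    print(text)
    for w in warnings:
        print("WARNING:", w)
```

The script deliberately leaves the firewall addresses, static route and policies out: those depend on the local subnets and interfaces, not on anything in the AliCloud download, so they should be written by hand as in the sample above.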
To run diagnose commands:
```
FGT600D_B # diagnose vpn ike gateway list

vd: root/0
name: AliCloudVPN
version: 1
interface: port9 10
addr: 172.16.200.212:4500 -> 47.88.4.89:4500
created: 1087s ago
nat: me peer
IKE SA: created 1/1  established 1/1  time 9110/9110/9110 ms
IPsec SA: created 1/2  established 1/1  time 30/30/30 ms

  id/spi: 0 d9d4ae9111a51b0b/de39f4ac9deffc18
  direction: initiator
  status: established 1087-1078s ago = 9110ms
  proposal: aes128-sha1
  key: 9bf9b58431949e77-a0c21ded48368db1
  lifetime/rekey: 28800/27421
  DPD sent/recv: 00000000/00000000
```

```
FGT600D_B # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=AliCloudVPN ver=1 serial=1 172.16.200.212:4500->47.88.4.89:4500 dst_mtu=1500
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1
proxyid_num=1 child_num=0 refcnt=14 ilast=1084 olast=270 ad=/0
stat: rxp=1 txp=43 rxb=16452 txb=4389
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=AliCloudVPN proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=6 options=10227 type=00 soft=0 mtu=1422 expire=2399/0B replaywin=2048
       seqno=2c esn=0 replaywin_lastseq=00000001 itn=0 qat=0
  life: type=01 bytes=0/0 timeout=3298/3600
  dec: spi=ac5426a9 esp=aes key=16 417b83810bf1f17b30e8b0974716d37d
       ah=sha1 key=20 a3e1d5ca5d85907a35c7720e9c640d0fafbb0ee3
  enc: spi=c999e156 esp=aes key=16 837b20f727c957f700f6c89acbb9e9a9
       ah=sha1 key=20 7f4634601d6962575c00761f7270d36a683c3d65
  dec:pkts/bytes=1/16376, enc:pkts/bytes=43/7648
  npu_flag=03 npu_rgwy=47.88.4.89 npu_lgwy=172.16.200.212 npu_selid=0 dec_npuid=1 enc_npuid=1
```
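The two diagnose outputs answer different questions: `diagnose vpn ike gateway list` shows whether phase1 negotiated (`status: established`, the agreed `proposal`, the IKE SA lifetime), while `diagnose vpn tunnel list` shows whether a phase2 SA exists (`sa=1`) and whether traffic actually crosses it (`stat: rxp=... txp=...`). The following Python checker is an added example, not part of this guide or of FortiOS: it parses both outputs (the sample text is the page's own output, trimmed of the SA key lines) and turns them into a verdict, distinguishing "phase1 never came up", "no phase2 SA", "packets go out but nothing comes back" (typically routing or security-group rules on the AliCloud side, or a missing inbound policy) and "nothing goes out" (static route or outbound policy). The parsing is keyed on the field names visible above; the diagnostic messages are this example's own.

```python
import re

# Constructed sample: the guide's `diagnose vpn ike gateway list` output (key lines kept).
IKE_GATEWAY_LIST = """\
vd: root/0
name: AliCloudVPN
version: 1
interface: port9 10
addr: 172.16.200.212:4500 -> 47.88.4.89:4500
created: 1087s ago
nat: me peer
IKE SA: created 1/1  established 1/1  time 9110/9110/9110 ms
IPsec SA: created 1/2  established 1/1  time 30/30/30 ms

  id/spi: 0 d9d4ae9111a51b0b/de39f4ac9deffc18
  direction: initiator
  status: established 1087-1078s ago = 9110ms
  proposal: aes128-sha1
  lifetime/rekey: 28800/27421
  DPD sent/recv: 00000000/00000000
"""

# Constructed sample: the guide's `diagnose vpn tunnel list` output without the
# dec:/enc: key material lines, which the checker does not read.
TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=AliCloudVPN ver=1 serial=1 172.16.200.212:4500->47.88.4.89:4500 dst_mtu=1500
bound_if=10 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc  accept_traffic=1
proxyid_num=1 child_num=0 refcnt=14 ilast=1084 olast=270 ad=/0
stat: rxp=1 txp=43 rxb=16452 txb=4389
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=AliCloudVPN proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=6 options=10227 type=00 soft=0 mtu=1422 expire=2399/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=3298/3600
  dec:pkts/bytes=1/16376, enc:pkts/bytes=43/7648
"""


def parse_ike_gateways(text):
    """Split `diagnose vpn ike gateway list` output into one {key: value} dict per gateway."""
    gateways, current = [], None
    for line in text.splitlines():
        if line.startswith("vd:"):          # every gateway entry begins with its VDOM line
            current = {}
            gateways.append(current)
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")   # first colon only: addr values contain ports
        current[key.strip()] = value.strip()
    return gateways


def parse_tunnel_list(text):
    """Map tunnel name -> counters from `diagnose vpn tunnel list` (rxp/txp, sa, lifetime)."""
    tunnels, current = {}, None
    for line in text.splitlines():
        m = re.match(r"name=(\S+)", line)   # "name=" starts each tunnel block
        if m:
            current = tunnels.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("stat:"):
            current.update({k: int(v) for k, v in re.findall(r"(rxp|txp|rxb|txb)=(\d+)", s)})
        elif s.startswith("proxyid="):       # not "proxyid_num="; this line carries sa=N
            current["sa"] = int(re.search(r"\bsa=(\d+)", s).group(1))
        elif s.startswith("life:"):
            left, total = re.search(r"timeout=(\d+)/(\d+)", s).groups()
            current["timeout"], current["lifetime"] = int(left), int(total)
    return tunnels


def tunnel_health(gateway_text, tunnel_text, name):
    """Combine both outputs into a verdict for one tunnel: up and passing traffic both ways."""
    gw = next((g for g in parse_ike_gateways(gateway_text) if g.get("name") == name), None)
    tun = parse_tunnel_list(tunnel_text).get(name)
    findings = []
    if gw is None:
        findings.append("no IKE gateway entry: phase1 never negotiated (check remote-gw, PSK, proposal)")
    elif not gw.get("status", "").startswith("established"):
        findings.append(f"IKE SA not established: {gw.get('status')}")
    if tun is None:
        findings.append("tunnel not listed: phase2 interface missing")
    else:
        if tun.get("sa", 0) == 0:
            findings.append("no active IPsec SA (sa=0): run diagnose vpn tunnel up, check phase2 proposal")
        if tun.get("txp", 0) == 0:
            findings.append("no packets sent: check static route and outbound policy")
        if tun.get("rxp", 0) == 0:
            findings.append("no packets received: check AliCloud routing/security groups and inbound policy")
    return {"name": name, "up": not findings, "findings": findings,
            "proposal": gw.get("proposal") if gw else None,
            "counters": {k: tun.get(k) for k in ("rxp", "txp")} if tun else None}


if __name__ == "__main__":
    print(tunnel_health(IKE_GATEWAY_LIST, TUNNEL_LIST, "AliCloudVPN"))
```

Feed it the live output (for example `diagnose vpn ike gateway list name AliCloudVPN` piped through an SSH session) to poll the tunnel from a monitoring job instead of reading the GUI.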