Connecting a FortiGate to an IBM Cloud VPC VPN
This example provides a sample configuration of a site-to-site VPN connection from a FortiGate-VM deployed on Google Cloud Platform (GCP) to an IBM Cloud VPC VPN. Because the IBM Cloud VPN requires a fixed peer gateway IP address, it cannot accept a dial-up (dynamic-address) peer, so the FortiGate must have a public IP address. This example therefore uses GCP as the secondary site. The secondary site can be elsewhere, such as AWS, Azure, or your corporate network; replace the GCP details with those of your environment. The following shows the topology for this example:
To create the VPN gateway on IBM Cloud:
- In the IBM Cloud management console, create a gateway:
  - In the VPN gateway name field, enter the desired name.
  - From the Virtual private cloud dropdown list, select the desired VPC.
  - (Optional) From the Resource group dropdown list, select the desired group.
  - Under Region, select the desired region.
  - Under Subnet, select the public subnet.
- Enable New VPN connection for VPC, then configure the VPN connection:
  - In the VPN connection name field, enter the desired name.
  - In the Peer gateway address field, enter the FortiGate public gateway IP address. In this example, the FortiGate is deployed on GCP, and its public gateway IP address is 34.68.1.135.
  - In the Preshared key field, enter the desired key.
  - Under Local subnets, enter the IBM Cloud internal subnet. In this example, it is 10.241.0.0/24.
  - Under Peer subnets, enter the secondary site internal subnet. In this example, the GCP internal subnet is 10.0.1.0/24.
  - Keep the Dead peer detection fields at their default values: Action: Restart, Interval (sec): 2, and Timeout (sec): 10.
  - Select New IKE policy:
    - In the Name field, enter the desired name.
    - (Optional) From the Resource group dropdown list, select the desired group.
    - Under Region, select the desired region.
    - From the IKE Version dropdown list, select 1.
    - From the Authentication dropdown list, select sha1.
    - From the Encryption dropdown list, select aes128.
    - From the DH Group dropdown list, select 5.
    - In the Key Lifetime field, enter 86400.
    - Click Create IKE policy.
  - Select New IPsec policy:
    - In the Name field, enter the desired name.
    - (Optional) From the Resource group dropdown list, select the desired group.
    - Under Region, select the desired region.
    - From the Authentication dropdown list, select sha1.
    - From the Encryption dropdown list, select aes128.
    - From the DH Group dropdown list, select 5.
    - In the Key Lifetime field, enter 43200.
    - Click Create IPsec policy.
To create the VPN connection in FortiOS:
- In FortiOS on the local FortiGate, go to VPN > IPsec Wizard.
- On the VPN Setup tab, configure the following:
  - In the Name field, enter the desired name.
  - For Template type, select Site to Site.
  - For NAT Configuration, select No NAT between sites.
  - For Remote device type, select FortiGate.
- On the Authentication tab, configure the following:
  - For Remote device, select IP Address.
  - In the Remote IP address field, enter the IBM Cloud VPN gateway IP address. In this example, it is 52.116.127.153.
  - For Outgoing Interface, allow FortiOS to automatically configure it as port1.
  - For Authentication Method, select Pre-shared Key.
  - In the Pre-shared Key field, enter the same key that was entered on the IBM Cloud side. Click Next.
- On the Policy & Routing tab, configure the following:
  - For Local interface, select port2, the GCP internal network port.
  - In the Local subnets field, enter the GCP internal subnet, 10.0.1.0/24.
  - In the Remote Subnets field, enter the IBM Cloud remote subnet. In this example, it is 10.241.0.0/24.
  - For Internet Access, select None.
- Proceed to create the VPN connection. After configuration, the VPN should come up automatically, and traffic can traverse it. In the IBM Cloud console, you should see that the VPN gateway status is active and up.
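The wizard steps above can also be entered directly in the FortiOS CLI. The following is an added example, not taken from the original page or from Fortinet, of an equivalent CLI configuration that pins the phase 1 and phase 2 proposals to the IKE and IPsec policies created on the IBM Cloud side (IKEv1, aes128 with sha1, DH group 5, key lifetimes 86400 s and 43200 s). The tunnel name `to-ibm-vpc`, the address-object and policy names, the DPD retry values and the pre-shared-key placeholder are assumptions; the interfaces, IP addresses and subnets are the ones used on this page.

```text
# Added example: FortiOS CLI equivalent of the wizard-built tunnel.
# Object names, DPD retry values and the PSK placeholder are assumed.

# Phase 1: proposal, DH group and lifetime mirror the IBM IKE policy.
config vpn ipsec phase1-interface
    edit "to-ibm-vpc"
        set interface "port1"
        set ike-version 1
        set peertype any
        set proposal aes128-sha1
        set dhgrp 5
        set keylife 86400
        set dpd on-idle
        set dpd-retryinterval 2
        set dpd-retrycount 5
        set remote-gw 52.116.127.153
        set psksecret "REPLACE_WITH_PRESHARED_KEY"
    next
end

# Phase 2: proposal, PFS group and lifetime mirror the IBM IPsec policy.
# src-subnet is the IBM "Peer subnets" value, dst-subnet the IBM "Local subnets" value.
config vpn ipsec phase2-interface
    edit "to-ibm-vpc"
        set phase1name "to-ibm-vpc"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 5
        set keylifeseconds 43200
        set auto-negotiate enable
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 10.241.0.0 255.255.255.0
    next
end

# Address objects for the two internal subnets (names assumed).
config firewall address
    edit "gcp-internal"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "ibm-vpc-subnet"
        set subnet 10.241.0.0 255.255.255.0
    next
end

# Static route sending IBM VPC traffic into the tunnel interface.
config router static
    edit 0
        set dst 10.241.0.0 255.255.255.0
        set device "to-ibm-vpc"
    next
end

# Firewall policies in both directions, scoped to the two subnets only.
config firewall policy
    edit 0
        set name "gcp-to-ibm"
        set srcintf "port2"
        set dstintf "to-ibm-vpc"
        set srcaddr "gcp-internal"
        set dstaddr "ibm-vpc-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "ibm-to-gcp"
        set srcintf "to-ibm-vpc"
        set dstintf "port2"
        set srcaddr "ibm-vpc-subnet"
        set dstaddr "gcp-internal"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The proposal strings, DH group and the pre-shared key must match the IBM side exactly, or phase 1 negotiation fails before any traffic flows; `dpd-retryinterval 2` with `dpd-retrycount 5` is one way to approximate the 2 s interval and 10 s timeout kept at their defaults on the IBM side.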
FortiOS also shows that the VPN connection is up.
A GCP Linux client can ping a machine on the IBM Cloud VPC subnet.
The following shows sniffer traffic.
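To confirm the state described above from the FortiOS side, the following diagnostic commands (added here; not from the original page) show the phase 1 and phase 2 status and capture the traffic exchanged with the IBM gateway. The tunnel name `to-ibm-vpc` is an assumption; the interface and IP address are those used on this page.

```text
# Phase 1 (IKE) state for the tunnel: look for "status: established".
diagnose vpn ike gateway list name to-ibm-vpc

# Phase 2 (IPsec SA) state, selectors and packet counters.
diagnose vpn tunnel list name to-ibm-vpc

# Encrypted traffic to/from the IBM gateway on the public interface (ESP is IP protocol 50);
# verbosity 4 prints interface names, count 10 stops after ten packets.
diagnose sniffer packet port1 'host 52.116.127.153 and proto 50' 4 10

# Cleartext traffic as seen on the tunnel interface, for example the ping from the GCP client.
diagnose sniffer packet to-ibm-vpc 'icmp' 4 10
```

If the first command shows no established gateway, compare the phase 1 proposal, DH group and pre-shared key against the IBM IKE policy; if phase 1 is up but the tunnel list shows no SA, check the phase 2 selectors against the IBM local and peer subnets.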