Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • AWS Administration Guide

    Home FortiGate Public Cloud 7.6.0 AWS Administration Guide
    7.6.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Connecting a local FortiGate to an AWS VPC VPN

    Connecting a local FortiGate to an AWS VPC VPN

    This recipe provides sample configuration of a site-to-site VPN connection from a local FortiGate to an AWS VPC VPN via IPsec with static routing.

    Instances that you launch into an Amazon VPC can communicate with your own remote network via a site-to-site VPN between your on-premise FortiGate and AWS VPC VPN. You can enable access to your remote network from your VPC by configuring a virtual private gateway (VPG) and customer gateway to the VPC, then configuring the site-to-site VPC VPN.

    The following prerequisites must be met for this configuration:

    • An AWS VPC with some configured subnets, routing tables, security group rules, and so on
    • An on-premise FortiGate with an external IP address

    This recipe consists of the following steps:

    1. Create a VPG.
    2. Create a customer gateway.
    3. Create a site-to-site VPN connection on AWS.
    4. Configure the on-premise FortiGate.
    To create a VPG:

    A VPG is the VPN concentrator on the Amazon side of the site-to-site VPN connection. You can create a VPG and attach it to the VPC from which you want to create the site-to-site VPN connection.

    1. In the AWS management console, go to Virtual Private Gateways, then click Create Virtual Private Gateway.
    2. In the Name tag field, enter the desired gateway name.
    3. For static route configuration, the ASN is not important, as the ASN is for BGP routing. By default, the VPG is created with the default ASN, 64512. You cannot change the ASN once the VPG has been created.
    4. After creating the VPG, select it from the list of VPGs, and click Actions > Attach to VPC.
    5. On the Attach to VPC page, select the ID for the desired VPC from the VPC dropdown list.
    To create a customer gateway:

    In this example, the customer gateway refers to the on-premise FortiGate for the VPC VPN to connect to.

    1. Go to Customer Gateways, then click Create Customer Gateway.
    2. In the Name field, enter the desired gateway name.
    3. For Routing, select Static.
    4. In the IP Address field, enter the on-premise FortiGate's external address.
    To create a site-to-site VPN connection on AWS:

    AWS VPC VPN supports the following:

    • Internet Key Exchange version 2 (IKEv2)
    • NAT traversal
    • Four-byte ASN (in addition to two-byte ASN)
    • Reusable IP addresses for customer gateways
    • Additional encryption options including AES 256-bit encryption, SHA-2 hashing, and additional Diffie-Hellman groups
    • Configurable tunnel options
    • Custom private ASN for the Amazon side of a BGP session

    This example describes creating an IPsec site-to-site VPN.

    1. Go to VPN Connections, then click Create VPN Connection.
    2. In the Name tag field, enter the desired VPN connection name.
    3. From the Virtual Private Gateway dropdown list, select the VPG ID for the VPG created earlier.
    4. For Routing Options, select Static.
    5. In the IP Prefixes field, enter the CIDR of the networks behind your on-premise FortiGate.
    6. Leave the tunnel options blank. You will obtain this information from a configuration file download.
    To configure the on-premise FortiGate:
    1. After creating the VPN, select it in the VPN list, then click Download Configuration. This document contains information needed to configure the FortiGate correctly.
    2. You can configure the FortiGate using this downloaded configuration file. The example FortiGate has port1 with an external IP address of 35.188.119.246 and an internal IP address of 10.6.30.2/24. Port2 has an internal IP address of 10.1.100.3/24. The downloaded configuration file resembles the following. The most important information here is the remote-gw value, which in this case is 3.95.86.157, and the psksecret value.

      Run the following commands in the FortiOS CLI to configure the FortiGate, using the remote-gw and psksecret values from the downloaded configuration file as shown. When setting the destination for the static route, use the VPC's IPv4 CIDR:

      config vpn ipsec phase1-interface

      edit "examplephase1"

      set interface "port1"

      set keylife 28800

      set peertype any

      set proposal aes128-sha1

      set dhgrp 2

      set remote-gw 3.95.86.157

      set psksecret NlITFTQJfiVuRWkQui_A5IjNT_41VTtP

      set dpd-retryinterval 10

      next

      end

      config vpn ipsec phase2-interface

      edit "examplephase2"

      set phase1name "examplephase1"

      set proposal aes128-sha1

      set dhgrp 2

      set keylifeseconds 3600

      next

      end

      config router static

      edit 1

      set dst 10.0.0.0 255.255.0.0

      set device "examplephase1"

      next

      end

      config firewall policy

      edit 1

      set srcintf "examplephase1"

      set dstintf "port2"

      set srcaddr "all"

      set dstaddr "all"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      edit 2

      set srcintf "port2"

      set dstintf "examplephase1"

      set srcaddr "all"

      set dstaddr "all"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      end

    3. Run the diagnose vpn tunnel up examplephase2 command if the tunnel is not up automatically already.
    4. Check in the FortiOS GUI in VPN > IPsec Tunnels that the tunnel is up.

    5. In the AWS management console, check that the tunnel is up:

    6. After the tunnel is up, you must edit a custom route table and security group rules to achieve connectivity between a resource behind the FortiGate to a resource on the AWS cloud.
    7. On AWS, there are two tunnels for each created VPN. This example only shows connecting to one tunnel, but you can create the second tunnel in FortiOS as well. The second tunnel is for redundancy. If one tunnel goes down, the FortiGate can reach AWS resources using the other tunnel.
    Previous
    Next

    Connecting a local FortiGate to an AWS VPC VPN

    Connecting a local FortiGate to an AWS VPC VPN

    This recipe provides sample configuration of a site-to-site VPN connection from a local FortiGate to an AWS VPC VPN via IPsec with static routing.

    Instances that you launch into an Amazon VPC can communicate with your own remote network via a site-to-site VPN between your on-premise FortiGate and AWS VPC VPN. You can enable access to your remote network from your VPC by configuring a virtual private gateway (VPG) and customer gateway to the VPC, then configuring the site-to-site VPC VPN.

    The following prerequisites must be met for this configuration:

    • An AWS VPC with some configured subnets, routing tables, security group rules, and so on
    • An on-premise FortiGate with an external IP address

    This recipe consists of the following steps:

    1. Create a VPG.
    2. Create a customer gateway.
    3. Create a site-to-site VPN connection on AWS.
    4. Configure the on-premise FortiGate.
    To create a VPG:

    A VPG is the VPN concentrator on the Amazon side of the site-to-site VPN connection. You can create a VPG and attach it to the VPC from which you want to create the site-to-site VPN connection.

    1. In the AWS management console, go to Virtual Private Gateways, then click Create Virtual Private Gateway.
    2. In the Name tag field, enter the desired gateway name.
    3. For static route configuration, the ASN is not important, as the ASN is for BGP routing. By default, the VPG is created with the default ASN, 64512. You cannot change the ASN once the VPG has been created.
    4. After creating the VPG, select it from the list of VPGs, and click Actions > Attach to VPC.
    5. On the Attach to VPC page, select the ID for the desired VPC from the VPC dropdown list.
    To create a customer gateway:

    In this example, the customer gateway refers to the on-premise FortiGate for the VPC VPN to connect to.

    1. Go to Customer Gateways, then click Create Customer Gateway.
    2. In the Name field, enter the desired gateway name.
    3. For Routing, select Static.
    4. In the IP Address field, enter the on-premise FortiGate's external address.
    To create a site-to-site VPN connection on AWS:

    AWS VPC VPN supports the following:

    • Internet Key Exchange version 2 (IKEv2)
    • NAT traversal
    • Four-byte ASN (in addition to two-byte ASN)
    • Reusable IP addresses for customer gateways
    • Additional encryption options including AES 256-bit encryption, SHA-2 hashing, and additional Diffie-Hellman groups
    • Configurable tunnel options
    • Custom private ASN for the Amazon side of a BGP session

    This example describes creating an IPsec site-to-site VPN.

    1. Go to VPN Connections, then click Create VPN Connection.
    2. In the Name tag field, enter the desired VPN connection name.
    3. From the Virtual Private Gateway dropdown list, select the VPG ID for the VPG created earlier.
    4. For Routing Options, select Static.
    5. In the IP Prefixes field, enter the CIDR of the networks behind your on-premise FortiGate.
    6. Leave the tunnel options blank. You will obtain this information from a configuration file download.
    To configure the on-premise FortiGate:
    1. After creating the VPN, select it in the VPN list, then click Download Configuration. This document contains information needed to configure the FortiGate correctly.
    2. You can configure the FortiGate using this downloaded configuration file. The example FortiGate has port1 with an external IP address of 35.188.119.246 and an internal IP address of 10.6.30.2/24. Port2 has an internal IP address of 10.1.100.3/24. The downloaded configuration file resembles the following. The most important information here is the remote-gw value, which in this case is 3.95.86.157, and the psksecret value.

      Run the following commands in the FortiOS CLI to configure the FortiGate, using the remote-gw and psksecret values from the downloaded configuration file as shown. When setting the destination for the static route, use the VPC's IPv4 CIDR:

      config vpn ipsec phase1-interface

      edit "examplephase1"

      set interface "port1"

      set keylife 28800

      set peertype any

      set proposal aes128-sha1

      set dhgrp 2

      set remote-gw 3.95.86.157

      set psksecret NlITFTQJfiVuRWkQui_A5IjNT_41VTtP

      set dpd-retryinterval 10

      next

      end

      config vpn ipsec phase2-interface

      edit "examplephase2"

      set phase1name "examplephase1"

      set proposal aes128-sha1

      set dhgrp 2

      set keylifeseconds 3600

      next

      end

      config router static

      edit 1

      set dst 10.0.0.0 255.255.0.0

      set device "examplephase1"

      next

      end

      config firewall policy

      edit 1

      set srcintf "examplephase1"

      set dstintf "port2"

      set srcaddr "all"

      set dstaddr "all"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      edit 2

      set srcintf "port2"

      set dstintf "examplephase1"

      set srcaddr "all"

      set dstaddr "all"

      set action accept

      set schedule "always"

      set service "ALL"

      next

      end

    3. Run the diagnose vpn tunnel up examplephase2 command if the tunnel is not up automatically already.
    4. Check in the FortiOS GUI in VPN > IPsec Tunnels that the tunnel is up.

    5. In the AWS management console, check that the tunnel is up:

    6. After the tunnel is up, you must edit a custom route table and security group rules to achieve connectivity between a resource behind the FortiGate to a resource on the AWS cloud.
    7. On AWS, there are two tunnels for each created VPN. This example only shows connecting to one tunnel, but you can create the second tunnel in FortiOS as well. The second tunnel is for redundancy. If one tunnel goes down, the FortiGate can reach AWS resources using the other tunnel.
    Previous
    Next