Connecting a local FortiGate to an AWS FortiGate via site-to-site VPN
This guide provides a sample configuration for a site-to-site IPsec VPN with static routing between a local FortiGate and a FortiGate on AWS. With this VPN in place, resources protected behind the AWS FortiGate are reachable from your local environment.
The following depicts the network topology for this sample deployment:
The following prerequisites must be met for this configuration:
- A FortiGate located on AWS with some resources behind it. In this example, the AWS FortiGate has port1 connected to the WAN and port2 connected to the local LAN.
- An on-premises FortiGate. For your local environment, determine whether your FortiGate has a publicly accessible IP address or is behind NAT. In this example, the on-premises FortiGate is behind NAT.
This recipe consists of the following steps:
- Create a VPN on the local FortiGate to the AWS FortiGate.
- Create a VPN on the AWS FortiGate to the local FortiGate.
- Establish a connection between the FortiGates.
To create a VPN on the local FortiGate to the AWS FortiGate:
- In FortiOS on the local FortiGate, go to VPN > IPsec Wizard.
- On the VPN Setup tab, configure the following:
  - In the Name field, enter the desired name.
  - For Template Type, select Site to Site.
  - For Remote Device Type, select FortiGate.
  - For NAT Configuration, select the appropriate option. In this example, the local FortiGate is behind NAT, so This site is behind NAT is selected. If the local FortiGate has an external IP address (a non-dialup setup), select No NAT between sites instead. Click Next.
- On the Authentication tab, configure the following:
  - For Remote Device, select IP Address.
  - In the IP Address field, enter the AWS FortiGate's elastic IP address. In this example, it is 3.95.141.75.
  - For Outgoing Interface, let FortiOS detect the interface through a routing lookup.
  - For Authentication Method, select Pre-shared Key.
  - In the Pre-shared Key field, enter the desired key. Click Next.
- On the Policy & Routing tab, configure the following:
  - For Local Interface, select the desired local interface. In this example, port2 is selected. The Local Subnets field then auto-populates.
  - In the Remote Subnets field, enter the subnet on the other side of the AWS FortiGate. In this example, it is 172.31.199.0/24.
  - For Internet Access, select None.
- Click Create. The IPsec Wizard creates the following:
  - Firewall addresses for the local and remote subnets
  - Firewall address groups containing those firewall addresses
  - Phase-1 and phase-2 interfaces
  - A static route and a blackhole route
  - Two firewall policies: one for traffic to the tunnel interface and one for traffic from the tunnel interface
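As an added example (not part of this recipe), the FortiOS CLI equivalent of the objects the wizard creates on the local FortiGate, using the addresses from this guide. The object names, the WAN interface name "wan1", IKEv2, and the AES-256/SHA-256 proposal with DH group 14 are assumptions rather than the wizard's defaults, and <PRE_SHARED_KEY> is a placeholder for the key you chose.

```fortios
config vpn ipsec phase1-interface
    edit "to_aws"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 3.95.141.75
        set psksecret <PRE_SHARED_KEY>
    next
end
config vpn ipsec phase2-interface
    edit "to_aws"
        set phase1name "to_aws"
        set proposal aes256-sha256
        set src-subnet 10.1.100.0 255.255.255.0
        set dst-subnet 172.31.199.0 255.255.255.0
    next
end
config firewall address
    edit "to_aws_local"
        set subnet 10.1.100.0 255.255.255.0
    next
    edit "to_aws_remote"
        set subnet 172.31.199.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 172.31.199.0 255.255.255.0
        set device "to_aws"
    next
    # blackhole: drop AWS-bound traffic instead of sending it out the WAN while the tunnel is down
    edit 0
        set dst 172.31.199.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
config firewall policy
    # LAN to tunnel; the wizard also creates the mirror policy from to_aws to port2
    edit 0
        set srcintf "port2"
        set dstintf "to_aws"
        set srcaddr "to_aws_local"
        set dstaddr "to_aws_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The blackhole route's distance of 254 means it is only used when the route over the tunnel interface is withdrawn. Once both sides are configured, `get vpn ipsec tunnel summary` and `diagnose vpn ike gateway list` on either FortiGate show whether the IKE and IPsec SAs were negotiated.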
To create a VPN on the AWS FortiGate to the local FortiGate:
- In FortiOS on the AWS FortiGate, go to VPN > IPsec Wizard.
- On the VPN Setup tab, configure the following:
  - In the Name field, enter the desired name.
  - For Template Type, select Site to Site.
  - For Remote Device Type, select FortiGate.
  - For NAT Configuration, select This site is behind NAT. This is the correct option because the AWS FortiGate's elastic IP address is mapped one-to-one onto the private address of its WAN port, so the AWS FortiGate is also behind NAT. Click Next.
- On the Authentication tab, configure the following:
  - For Incoming Interface, select the WAN-facing interface. In this example, it is port1.
  - For Authentication Method, select Pre-shared Key.
  - In the Pre-shared Key field, enter the same key configured on the local FortiGate. Click Next.
- On the Policy & Routing tab, configure the following:
  - For Local Interface, select the desired local interface. In this example, port2 is selected. The Local Subnets field then auto-populates.
  - In the Remote Subnets field, enter the subnet on the other side of the local FortiGate. In this example, it is 10.1.100.0/24.
  - For Internet Access, select None.
- Click Create. The IPsec Wizard creates the following:
  - Firewall addresses for the local and remote subnets
  - Firewall address groups containing those firewall addresses
  - Phase-1 and phase-2 interfaces
  - A static route and a blackhole route
  - Two firewall policies: one for traffic to the tunnel interface and one for traffic from the tunnel interface
To establish a connection between the FortiGates:
- The tunnels are down until you initiate a connection from the local FortiGate to the AWS FortiGate. In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor.
- Right-click the phase-2 interface, and select Bring Up.
- In FortiOS on the AWS FortiGate, go to Monitor > IPsec Monitor and verify that the connection is up.
The elastic IP address can be treated as a one-to-one mapping to the AWS FortiGate's WAN port address, even though the address configured on the port itself is a private (internal) IP address.