Fortinet Document Library

Version:

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Configuring the FortiGate

  1. Log into FortiOS.
  2. Create the IPsec tunnel:
    1. Go to VPN > IPsec Tunnels, then click Create New.
    2. Configure the basic settings:
      1. In the Name field, enter the desired name.
      2. For Template Type, select Custom.
      3. Click Next.
    3. Configure the network settings:
      1. In the IP Address field, enter the VPN gateway's IP address as provided by Alibaba Cloud (AliCloud) in step 5 of Configuring the Alibaba Cloud (AliCloud) VPN gateway.
      2. From the Interface dropdown list, select an Internet-facing interface, such as wan1.
      3. If you want to automatically check the available of the remote VPN gateway, set Dead Peer Detection to On Idle.
    4. Configure authentication:
      1. Authentication, from the Method dropdown list, select Pre-shared Key.
      2. In the Pre-Shared Key field, enter the pre-shared key entered for the Alibaba Cloud (AliCloud) VPN gateway in step 7 of Configuring the Alibaba Cloud (AliCloud) VPN gateway.
      3. For IKE Version, select 2.
    5. Under Diffie-Hellman Groups, select 2. The Alibaba Cloud (AliCloud) VPN gateway's default DH group is 2. Leave the other parameters as-is.
    6. For Local Address, select Subnet from the dropdown list, then enter the LAN subnet address.
    7. For Remote Address, select Subnet, then enter the VPC subnet address on Alibaba Cloud (AliCloud).
    8. Under Advanced, also select 2 under Diffie-Hellman Groups. Leave the other parameters as-is, then click OK.
  3. To pass traffic to and from the IPsec tunnel, you must create a policy that allow transaction between the FortiGate and Alibaba Cloud (AliCloud). You must first create an address object which represents the subnet on your VPC:
    1. Go to Policy & Objects > Addresses, then click Create New > Address.
    2. In the Name field, enter the address object's name.
    3. From the Type dropdown list, select Subnet.
    4. In the Subnet/IP Range field, enter the VPC subnet address.
    5. Enable Static Route Configuration. This allows you to use this address object as a static route destination in a later step.
  4. Create a policy that permits outgoing sessions to the IPsec tunnel.
    1. Go to Policy & Objects > IPv4 Policy, then click Create New.
    2. In the Name field, enter the desired policy name.
    3. In the Incoming Interface field, select your local LAN interface.
    4. In the Outgoing Interface field, select the IPsec tunnel created in step 2.
    5. For Source, select all, or specify any address objects if you want to allow access only from specific addresses.
    6. For Destination, select the address object created for your VPC subnet in step 3.
    7. For Service, select all or specify any services you want to allow.
    8. Ensure that NAT is not enabled.
    9. Click OK.
  5. Create a policy for incoming sessions from the VPC. Repeat the steps above, except for the following:
    1. In the Incoming Interface field, select the IPsec tunnel created in step 2.
    2. In the Outgoing Interface field, select your local LAN interface.
    3. For Source, select subnets on your VPC.
  6. To avoid packet drops and fragmentation, it is recommended to limit the TCP maximum segment size (MSS) being sent and received. For both firewall policies, configure the following in the CLI console:

    config firewall policy

    edit <policy-id>

    set tcp-mss-sender 1350

    set tcp-mss-receiver 1350

    next

    end

  7. Go to Monitor > IPsec Monitor. If all configuration is complete as desired, the IP tunnel displays as being up. Otherwise, you must review and correct your settings.

  8. Create a static route to forward traffic from the LAN to Alibaba Cloud (AliCloud):
    1. Go to Network > Static Routes, then select Create New.
    2. For Destination, select Named Address. From the list, select your remote subnet.
    3. From the Interface dropdown list, select the IPsec tunnel created in step 2.
    4. Click OK.
  9. FortiOS is now connected to Alibaba Cloud (AliCloud) via IPsec. You should see the traffic counter in Monitor > IPsec Monitor.

Configuring the FortiGate

  1. Log into FortiOS.
  2. Create the IPsec tunnel:
    1. Go to VPN > IPsec Tunnels, then click Create New.
    2. Configure the basic settings:
      1. In the Name field, enter the desired name.
      2. For Template Type, select Custom.
      3. Click Next.
    3. Configure the network settings:
      1. In the IP Address field, enter the VPN gateway's IP address as provided by Alibaba Cloud (AliCloud) in step 5 of Configuring the Alibaba Cloud (AliCloud) VPN gateway.
      2. From the Interface dropdown list, select an Internet-facing interface, such as wan1.
      3. If you want to automatically check the available of the remote VPN gateway, set Dead Peer Detection to On Idle.
    4. Configure authentication:
      1. Authentication, from the Method dropdown list, select Pre-shared Key.
      2. In the Pre-Shared Key field, enter the pre-shared key entered for the Alibaba Cloud (AliCloud) VPN gateway in step 7 of Configuring the Alibaba Cloud (AliCloud) VPN gateway.
      3. For IKE Version, select 2.
    5. Under Diffie-Hellman Groups, select 2. The Alibaba Cloud (AliCloud) VPN gateway's default DH group is 2. Leave the other parameters as-is.
    6. For Local Address, select Subnet from the dropdown list, then enter the LAN subnet address.
    7. For Remote Address, select Subnet, then enter the VPC subnet address on Alibaba Cloud (AliCloud).
    8. Under Advanced, also select 2 under Diffie-Hellman Groups. Leave the other parameters as-is, then click OK.
  3. To pass traffic to and from the IPsec tunnel, you must create a policy that allow transaction between the FortiGate and Alibaba Cloud (AliCloud). You must first create an address object which represents the subnet on your VPC:
    1. Go to Policy & Objects > Addresses, then click Create New > Address.
    2. In the Name field, enter the address object's name.
    3. From the Type dropdown list, select Subnet.
    4. In the Subnet/IP Range field, enter the VPC subnet address.
    5. Enable Static Route Configuration. This allows you to use this address object as a static route destination in a later step.
  4. Create a policy that permits outgoing sessions to the IPsec tunnel.
    1. Go to Policy & Objects > IPv4 Policy, then click Create New.
    2. In the Name field, enter the desired policy name.
    3. In the Incoming Interface field, select your local LAN interface.
    4. In the Outgoing Interface field, select the IPsec tunnel created in step 2.
    5. For Source, select all, or specify any address objects if you want to allow access only from specific addresses.
    6. For Destination, select the address object created for your VPC subnet in step 3.
    7. For Service, select all or specify any services you want to allow.
    8. Ensure that NAT is not enabled.
    9. Click OK.
  5. Create a policy for incoming sessions from the VPC. Repeat the steps above, except for the following:
    1. In the Incoming Interface field, select the IPsec tunnel created in step 2.
    2. In the Outgoing Interface field, select your local LAN interface.
    3. For Source, select subnets on your VPC.
  6. To avoid packet drops and fragmentation, it is recommended to limit the TCP maximum segment size (MSS) being sent and received. For both firewall policies, configure the following in the CLI console:

    config firewall policy

    edit <policy-id>

    set tcp-mss-sender 1350

    set tcp-mss-receiver 1350

    next

    end

  7. Go to Monitor > IPsec Monitor. If all configuration is complete as desired, the IP tunnel displays as being up. Otherwise, you must review and correct your settings.

  8. Create a static route to forward traffic from the LAN to Alibaba Cloud (AliCloud):
    1. Go to Network > Static Routes, then select Create New.
    2. For Destination, select Named Address. From the list, select your remote subnet.
    3. From the Interface dropdown list, select the IPsec tunnel created in step 2.
    4. Click OK.
  9. FortiOS is now connected to Alibaba Cloud (AliCloud) via IPsec. You should see the traffic counter in Monitor > IPsec Monitor.