Configuring the Alibaba Cloud (AliCloud) VPN gateway

  1. Log in to Alibaba Cloud (AliCloud) and go to Products & Services > VPN Gateway.
  2. Ensure that the correct region is selected in the top left corner. Otherwise, you cannot see your VPC. Verify that the VPC has already been configured.
  3. Create the VPN gateway:
    1. Click Create VPN Gateway.
    2. In the Name field, enter the desired name.
    3. From the VPC dropdown list, select the desired VPC.
    4. For IPsec VPN, select Enable.
    5. Click Buy Now.
    6. Select VPN Gateway Agreement of Service.
    7. Click Activate.
  4. Return to the Alibaba Cloud (AliCloud) management console and verify that the VPN gateway has been created under VPNs > VPN Gateways.

  5. An IP address has been assigned to the VPN gateway. Note down this IP address, as you will need it later in the process.
  6. Register the FortiGate on your site as the customer gateway:
    1. Go to VPN > Customer Gateways, then click Create Customer Gateway.
    2. In the Name field, enter the FortiGate name.
    3. In the IP Address field, enter the IP address of the FortiGate's Internet-facing interface.
    4. Click OK.
  7. Set parameters for the IPsec tunnel:
    1. Go to VPN > IPsec Connections, then click Create IPsec Connection.
    2. In the Name field, enter the IPsec connection name.
    3. For VPN Gateway and Customer Gateway, select those created in steps 3 and 6.
    4. In the Local Network field, enter the VPC subnet address.
    5. In the Remote Network field, enter the subnet address of the LAN on your site.
    6. Set Effective Immediately to Yes. If this option is set to No, the VPN gateway attempts to establish the IPsec tunnel connection only when traffic occurs, which may cause delays in sending traffic.
    7. Configure advanced settings:
      1. Click Advanced Configuration.
      2. Enter the Pre-Shared Key for authentication purposes. Your FortiGate will require this key in a later step.
      3. From the Version dropdown list, select ikev2.
      4. Leave the other parameters as-is.
      5. Under IPsec Configurations, modify SA Life Cycle (seconds) to 43200 so that it matches the FortiGate default value. Advanced Configuration contains two SA Life Cycle (seconds) fields: one for IKE configuration and one for IPsec configuration. Ensure that you are modifying the one under IPsec configuration.
      6. Click OK.
  8. Configure a static route that will route traffic to the IPsec tunnel:
    1. Go to VPC > Route Tables. You will see a routing table for your VPC. Click Manage.

    2. Click Add Route Entry.
    3. In the Destination CIDR Block field, enter the subnet address of the LAN on your site.
    4. From the Next Hop Type dropdown list, select VPN Gateway.
    5. From the VPN Gateway dropdown list, select the VPN gateway created in step 3.
    6. Click OK.
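
The values entered in steps 6 to 8 have to agree with each other and with the FortiGate side, and a mismatch usually shows up only as a tunnel that does not come up or traffic that is not routed. The following Python check is an added example, not part of the Fortinet cookbook; it validates a planned set of values before they are typed into the console. The dictionary keys, the sample addresses and the minimum key length are assumptions made for this example.

```python
import ipaddress

# Value the page gives as the FortiGate default for the IPsec SA lifetime.
FORTIGATE_IPSEC_SA_LIFETIME = 43200
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PSK_LEN = 20  # assumed local policy, not a value from the page


def check_plan(plan):
    """Return findings for a planned AliCloud IPsec connection (empty list = consistent)."""
    findings = []
    local = ipaddress.ip_network(plan["local_network"])      # VPC subnet (step 7.4)
    remote = ipaddress.ip_network(plan["remote_network"])    # on-site LAN (step 7.5)
    route = ipaddress.ip_network(plan["route_destination"])  # step 8.3
    cgw = ipaddress.ip_address(plan["customer_gateway_ip"])  # step 6.3
    if local.overlaps(remote):
        findings.append("local and remote networks overlap")
    if route != remote:
        findings.append("route destination does not match the remote network")
    if plan["route_next_hop_type"] != "VPN Gateway":
        findings.append("route next hop type is not VPN Gateway")
    if any(cgw in net for net in RFC1918):
        findings.append("customer gateway IP is private, not Internet-facing")
    if plan["ike_version"] != "ikev2":
        findings.append("IKE version is not ikev2")
    if plan["ipsec_sa_lifetime"] != FORTIGATE_IPSEC_SA_LIFETIME:
        msg = "IPsec SA lifetime is not 43200"
        if plan["ike_sa_lifetime"] == FORTIGATE_IPSEC_SA_LIFETIME:
            msg += " (43200 was entered in the IKE field instead)"
        findings.append(msg)
    if len(plan["psk"]) < MIN_PSK_LEN:
        findings.append("pre-shared key shorter than %d characters" % MIN_PSK_LEN)
    return findings


# Constructed sample values (private and documentation ranges, not from the page).
GOOD_PLAN = {
    "local_network": "172.16.0.0/24", "remote_network": "192.168.10.0/24",
    "route_destination": "192.168.10.0/24", "route_next_hop_type": "VPN Gateway",
    "customer_gateway_ip": "203.0.113.10", "ike_version": "ikev2",
    "ike_sa_lifetime": 86400, "ipsec_sa_lifetime": 43200,
    "psk": "constructed-sample-key-0001",
}
# Same plan with the lifetime set in the wrong field, a wider route and IKEv1.
BAD_PLAN = dict(GOOD_PLAN, ike_sa_lifetime=43200, ipsec_sa_lifetime=86400,
                route_destination="192.168.0.0/16", ike_version="ikev1")

if __name__ == "__main__":
    for finding in check_plan(BAD_PLAN):
        print("FINDING:", finding)
```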
