IKEv2 IPsec site-to-site VPN to an AWS VPN gateway

This is a sample configuration of an IPsec site-to-site VPN connection between an on-premise FortiGate and an AWS virtual private cloud (VPC).

AWS uses unique identifiers to manipulate a VPN connection's configuration. Each VPN connection is assigned an identifier and is associated with two other identifiers: the customer gateway ID for the FortiGate and virtual private gateway ID.

This example includes the following IDs:

  • VPN connection ID: vpn-07e988ccc1d46f749
  • Customer gateway ID: cgw-0440c1aebed2f418a
  • Virtual private gateway ID

This example assumes that you have configured VPC-related settings in the AWS management portal as described in Create and configure your VPC.

This example includes creating and configuring two tunnels. You must configure both tunnels on your FortiGate.

To configure IKEv2 IPsec site-to-site VPN to an AWS VPN gateway:
  1. Configure the first VPN tunnel:
    1. Configure Internet Key Exchange (IKE).
    2. Configure IPsec.
    3. Configure the tunnel interface.
    4. Configure border gateway protocol (BGP).
    5. Configure firewall policies.
  2. Configure the second VPN tunnel:
    1. Configure Internet Key Exchange (IKE).
    2. Configure IPsec.
    3. Configure the tunnel interface.
    4. Configure BGP.
    5. Configure firewall policies.

To configure IKE for the first VPN tunnel:

A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman (DH), lifetime, and key parameters. These sample configurations fulfill the minimum requirements of AES128, SHA1, and DH Group 2. Category "VPN" connections in the GovCloud AWS region have a minimum requirement of AES128, SHA2, and DH Group 14. To take advantage of AES256, SHA256, or other DH groups such as 14-18, 22, 23, and 24, you must modify these sample configuration files. Higher parameters are only available for VPNs of category "VPN", not for "VPN-Classic".

Your FortiGate's external interface's address must be static. Your FortiGate may reside behind a device performing NAT. To ensure NAT traversal can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, it is recommended to disable NAT traversal.

Begin configuration in the root VDOM. The interface name must be shorter than 15 characters. It is best if the name is shorter than 12 characters. IPsec dead peer detection (DPD) causes periodic messages to be sent to ensure a security association remains operational.

config vpn ipsec phase1-interface
    edit vpn-07e988ccc1d46f749-0
        set interface "wan1"
        set dpd enable
        set local-gw 35.170.66.108
        set dhgrp 2
        set proposal aes128-sha1
        set keylife 28800
        set remote-gw 3.214.239.164
        set psksecret iCelks0UOob8z4SYMRM6zlx.rU2C3jth
        set dpd-retryinterval 10
    next
end

To configure IPsec for the first VPN tunnel:

The IPsec transform set defines the encryption, authentication, and IPsec mode parameters.

config vpn ipsec phase2-interface
    edit "vpn-07e988ccc1d46f749-0"
        set phase1name "vpn-07e988ccc1d46f749-0"
        set proposal aes128-sha1
        set dhgrp 2
        set pfs enable
        set keylifeseconds 3600
    next
end

To configure the tunnel interface for the first VPN tunnel:

You must configure a tunnel interface as the logical interface associated with the tunnel. All traffic routed to the tunnel interface must be encrypted and transmitted to the VPC. Similarly, traffic from the VPC will be logically received on this interface.

You must configure the interface's address with your FortiGate's address. If the address changes, you must recreate the FortiGate and VPN connection with Amazon VPC.

The tcp-mss option causes the router to reduce the TCP packets' maximum segment size to prevent packet fragmentation.

config system interface
    edit "vpn-07e988ccc1d46f749-0"
        set vdom "root"
        set ip 169.254.45.90 255.255.255.255
        set allowaccess ping
        set type tunnel
        set tcp-mss 1379
        set remote-ip 169.254.45.89
        set mtu 1427
        set interface "wan1"
    next
end

To configure BGP for the first VPN tunnel:

BGP is used within the tunnel to exchange prefixes between the virtual private gateway and your FortiGate. The virtual private gateway announces the prefix according to your VPC.

The local BGP autonomous system number (ASN) (65000) is configured as part of your FortiGate. If you must change the ASN, you must recreate the FortiGate and VPN connection with AWS.

Your FortiGate may announce a default route (0.0.0.0/0) to AWS. This is done using a prefix list and route map in FortiOS.

config router bgp
    set as 65000
    config neighbor
        edit 169.254.45.89
            set remote-as 64512
        next
    end
end

config router bgp
    config neighbor
        edit 169.254.45.89
            set capability-default-originate enable
        next
    end
end

config router prefix-list
    edit "default_route"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
            next
        end
    next
end

config router route-map
    edit "routemap1"
        config rule
            edit 1
                set match-ip-address "default_route"
            next
        end
    next
end

To advertise additional prefixes to the Amazon VPC, add these prefixes to the network statement and identify the prefix you want to advertise. Ensure that the prefix is present in the routing table of the device with a valid next-hop. If you want to advertise 192.168.0.0/16 to Amazon, you would do the following:

config router bgp
    config network
        edit 1
            set prefix 192.168.0.0 255.255.0.0
        next
    end
end

To configure firewall policies for the first VPN tunnel:

Create a firewall policy permitting traffic from your local subnet to the VPC subnet, and vice-versa.

This example policy permits all traffic from the local subnet to the VPC. First, view all existing policies using the show firewall policy command. Then, create a new firewall policy starting with the next available policy ID. In this example, running show firewall policy displayed policies 1, 2, 3, and 4, so you would proceed to create policy 5.

config firewall policy
    edit 5
        set srcintf "vpn-07e988ccc1d46f749-0"
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
end

config firewall policy
    edit 5
        set srcintf internal
        set dstintf "vpn-07e988ccc1d46f749-0"
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
end

To configure IKE for the second VPN tunnel:

A policy is established for the supported ISAKMP encryption, authentication, DH, lifetime, and key parameters. These sample configurations fulfill the minimum requirements of AES128, SHA1, and DH Group 2. Category "VPN" connections in the GovCloud AWS region have a minimum requirement of AES128, SHA2, and DH Group 14. To take advantage of AES256, SHA256, or other DH groups such as 14-18, 22, 23, and 24, you must modify these sample configuration files. Higher parameters are only available for VPNs of category "VPN", not for "VPN-Classic".

Your FortiGate's external interface's address must be static. Your FortiGate may reside behind a device performing NAT. To ensure NAT traversal can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, it is recommended to disable NAT traversal.

Begin configuration in the root VDOM. The interface name must be shorter than 15 characters. It is best if the name is shorter than 12 characters. IPsec DPD causes periodic messages to be sent to ensure a security association remains operational.

config vpn ipsec phase1-interface
    edit vpn-07e988ccc1d46f749-1
        set interface "wan1"
        set dpd enable
        set local-gw 35.170.66.108
        set dhgrp 2
        set proposal aes128-sha1
        set keylife 28800
        set remote-gw 100.25.187.58
        set psksecret IjFzyDneUtDdAT4RNmQ85apUG3y4Akre
        set dpd-retryinterval 10
    next
end

To configure IPsec for the second VPN tunnel:

The IPsec transform set defines the encryption, authentication, and IPsec mode parameters.

config vpn ipsec phase2-interface
    edit "vpn-07e988ccc1d46f749-1"
        set phase1name "vpn-07e988ccc1d46f749-1"
        set proposal aes128-sha1
        set dhgrp 2
        set pfs enable
        set keylifeseconds 3600
    next
end

To configure the tunnel interface for the second VPN tunnel:

You must configure a tunnel interface as the logical interface associated with the tunnel. All traffic routed to the tunnel interface must be encrypted and transmitted to the VPC. Similarly, traffic from the VPC will be logically received on this interface.

You must configure the interface's address with your FortiGate's address. If the address changes, you must recreate the FortiGate and VPN connection with Amazon VPC.

The tcp-mss option causes the router to reduce the TCP packets' maximum segment size to prevent packet fragmentation.

config system interface
    edit "vpn-07e988ccc1d46f749-1"
        set vdom "root"
        set ip 169.254.44.162 255.255.255.255
        set allowaccess ping
        set type tunnel
        set tcp-mss 1379
        set remote-ip 169.254.44.161
        set mtu 1427
        set interface "wan1"
    next
end

To configure BGP for the second VPN tunnel:

BGP is used within the tunnel to exchange prefixes between the virtual private gateway and your FortiGate. The virtual private gateway announces the prefix according to your VPC.

The local BGP ASN (65000) is configured as part of your FortiGate. If you must change the ASN, you must recreate the FortiGate and VPN connection with AWS.

Your FortiGate may announce a default route (0.0.0.0/0) to AWS. This is done using a prefix list and route map in FortiOS.

config router bgp
    set as 65000
    config neighbor
        edit 169.254.44.161
            set remote-as 64512
        next
    end
end

config router bgp
    config neighbor
        edit 169.254.44.161
            set capability-default-originate enable
        next
    end
end

config router prefix-list
    edit "default_route"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
            next
        end
    next
end

config router route-map
    edit "routemap1"
        config rule
            edit 1
                set match-ip-address "default_route"
            next
        end
    next
end

To advertise additional prefixes to the Amazon VPC, add these prefixes to the network statement and identify the prefix you want to advertise. Ensure that the prefix is present in the routing table of the device with a valid next-hop. If you want to advertise 192.168.0.0/16 to Amazon, you would do the following:

config router bgp
    config network
        edit 1
            set prefix 192.168.0.0 255.255.0.0
        next
    end
end

To configure firewall policies for the second VPN tunnel:

Create a firewall policy permitting traffic from your local subnet to the VPC subnet, and vice-versa.

This example policy permits all traffic from the local subnet to the VPC. First, view all existing policies using the show firewall policy command. Then, create a new firewall policy starting with the next available policy ID. In this example, running show firewall policy displayed policies 1, 2, 3, 4, and 5, so you would proceed to create policy 6.

config firewall policy
    edit 6
        set srcintf "vpn-07e988ccc1d46f749-1"
        set dstintf internal
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
end

config firewall policy
    edit 6
        set srcintf internal
        set dstintf "vpn-07e988ccc1d46f749-1"
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
    next
end
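
An offline check for configurations like the ones above, added here as an example and not part of Fortinet's or AWS's material: it parses FortiOS CLI text and flags phase 1/phase 2 parameters below the GovCloud minimum quoted earlier (SHA2, DH Group 14), phase 1 names that break the shorter-than-15-characters rule, a firewall policy ID edited in more than one block, accept policies open to all addresses and services, and unbalanced config/end nesting. The `parse` and `audit` functions and the sample text are constructed for illustration; treating service ALL like ANY is an assumption.

```python
import shlex
# Constructed sample modelled on the page's blocks (no secrets included).
SAMPLE = """
config vpn ipsec phase1-interface
edit vpn-07e988ccc1d46f749-0
set dhgrp 2
set proposal aes128-sha1
next
end
config firewall policy
edit 5
set srcintf "vpn-07e988ccc1d46f749-0"
set srcaddr all
set dstaddr all
set action accept
set service ANY
next
end
config firewall policy
edit 5
set srcintf internal
next
end
"""

def parse(text):
    """Return (entries, problems); an entry is (config section, edit name, settings)."""
    entries, problems, stack, cur = [], [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw) or [""]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit" and stack and len(tok) > 1:
            cur = (stack[-1], tok[1], {})
            entries.append(cur)
        elif tok[0] == "set" and cur and len(tok) > 2:
            cur[2][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            cur = None  # after a nested table closes, later sets in the parent are ignored
            if tok[0] == "end" and not stack:
                problems.append(f"line {n}: 'end' with no open 'config'")
            elif tok[0] == "end":
                stack.pop()
    problems += [f"unclosed 'config {s}'" for s in stack]
    return entries, problems

def audit(text):
    """Return structural problems followed by policy findings, in file order."""
    entries, findings = parse(text)
    seen = set()
    for section, name, s in entries:
        if section.startswith("vpn ipsec phase"):
            weak = [f"dhgrp {g}" for g in s.get("dhgrp", []) if int(g) < 14]
            weak += [f"proposal {p}" for p in s.get("proposal", []) if p.endswith("-sha1")]
            if weak:
                findings.append(f"{section} {name}: below SHA2/DH14: {', '.join(weak)}")
            if section.endswith("phase1-interface") and len(name) >= 15:
                findings.append(f"{section} {name}: name has {len(name)} characters")
        elif section == "firewall policy":
            if name in seen:
                findings.append(f"firewall policy {name}: ID reused, edits the same policy")
            seen.add(name)
            wide = [s.get(k, [""])[0].lower() for k in ("action", "srcaddr", "dstaddr", "service")]
            if wide in (["accept", "all", "all", "any"], ["accept", "all", "all", "all"]):
                findings.append(f"firewall policy {name}: accepts any address and service")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```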
