Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM
Configure the cloud FortiGate-VM
To create an address for the VPN gateway:
- Go to Policy & Objects > Addresses and click Create New > Address.
- Set Name to local_subnet_10_0_2_0.
- Set IP/Netmask to 10.0.2.0/24.
- Click OK.
To configure a custom IPsec VPN:
- Go to VPN > IPsec Wizard.
- Set Name to Core_Dialup.
- Set Template type to Custom.
- Click Next.
- Configure Network settings:
Remote Gateway
Dialup User
Interface
port1
NAT Traversal
Enable
- Configure Authentication settings:
Method
Pre-shared Key
Pre-shared Key
Enter the pre-shared key.
Version 1 Mode
Aggressive
This setting allows the peer ID to be specified.
Accept Types Specific peer ID
Peer ID
IaaS
The other end of the tunnel needs to have its local ID set to IaaS.
- Leave the default Phase 1 Proposal settings and disable XAUTH.
- Configure the Phase 2 Selector settings:
Name
Ent_Core
Local Address
Named Address - local_subnet_10_0_2_0
Remote Address
Named Address - all
This setting allows traffic originating from both the remote subnet 10.100.88.0 and the health checks from the VPN interface on the remote FortiGate. For increased security, each subnet can be specified individually.
- Click OK.
To configure remote and local tunnel IP addresses:
- Go to Network > Interfaces and edit the Core_Dialup interface under port1.
- Set IP to 172.16.200.1.
- Set Remote IP/Netmask to 172.16.200.2 255.255.255.0. This is where remote health check traffic will come from.
- Enable Administrative access for HTTPS, PING, and SSH.
- Click OK.
To configure a route to the remote subnet through the tunnel:
- Go to Network > Static Routes and click Create New.
- Set Destination to Subnet and enter the IP address and netmask: 10.100.88.0/255.255.255.0.
- Set Interface to Core_Dialup.
- Click OK.
To configure a firewall policy to allow traffic from the tunnel to port2:
- Go to Policy & Objects > IPv4 Policy and click Create New.
- Configure the following:
Name
Core_Dialup-to-port2
Incoming Interface
Core_Dialup
Outgoing Interface
port2
Source
all
Destination
local_subnet_10_0_2_0
Schedule
always
Service
ALL
Action
ACCEPT
- Configure the remaining settings as required.
- Click OK.
Configure the HQ FortiGate
To create an address for the VPN gateway:
- Go to Policy & Objects > Addresses and click Create New > Address.
- Set Name to remote_subnet_10_0_2_0.
- Set IP/Netmask to 10.0.2.0/24.
- Click OK.
To configure a custom IPsec VPN:
- Go to VPN > IPsec Wizard.
- Set Name to FGT_AWS_Tun.
- Set Template type to Custom.
- Click Next.
- Configure Network settings:
Remote Gateway
Static IP Address
IP Address
100.21.29.17
Interface
port5
NAT Traversal
Enable
- Configure Authentication settings:
Method
Pre-shared Key
Pre-shared Key
Enter the pre-shared key.
Version 1 Mode
Aggressive
This setting allows the peer ID to be specified.
Accept Types Any peer ID
- Leave the default Phase 1 Proposal settings, except set Local ID to IaaS.
- Disable XAUTH.
- Configure the Phase 2 Selector settings:
Name
FGT_AWS_Tun
Local Address
Named Address - all
This setting allows traffic originating from both the local subnet 10.100.88.0 and the health checks from the VPN interface. For increased security, each subnet can be specified individually.
Remote Address
Named Address - remote_subnet_10_0_2_0
- Click OK.
To configure local and remote tunnel IP addresses:
- Go to Network > Interfaces and edit the FGT_AWS_Tun interface under port5.
- Set IP to 172.16.200.2.
- Set Remote IP/Netmask to 172.16.200.1 255.255.255.0.
- Enable Administrative access for HTTPS, PING, and SSH.
- Click OK.
Routing is defined when creating the SD-WAN interface. The firewall policy is created after the SD-WAN interface is defined. |