Configuring the VPN overlay between the HQ FortiGate and cloud FortiGate-VM

Configure the cloud FortiGate-VM

To create an address for the VPN gateway:
  1. Go to Policy & Objects > Addresses and click Create New > Address.
  2. Set Name to local_subnet_10_0_2_0.
  3. Set IP/Netmask to 10.0.2.0/24.
  4. Click OK.
To configure a custom IPsec VPN:
  1. Go to VPN > IPsec Wizard.
  2. Set Name to Core_Dialup.
  3. Set Template type to Custom.
  4. Click Next.
  5. Configure Network settings:
     Remote Gateway: Dialup User
     Interface: port1
     NAT Traversal: Enable
  6. Configure Authentication settings:
     Method: Pre-shared Key
     Pre-shared Key: Enter the pre-shared key.
     Version: 1
     Mode: Aggressive
       This setting allows the peer ID to be specified.
     Accept Types: Specific peer ID
     Peer ID: IaaS
       The other end of the tunnel needs to have its local ID set to IaaS.
  7. Leave the default Phase 1 Proposal settings and disable XAUTH.
  8. Configure the Phase 2 Selector settings:
     Name: Ent_Core
     Local Address: Named Address - local_subnet_10_0_2_0
     Remote Address: Named Address - all
       This setting allows traffic originating from both the remote subnet 10.100.88.0 and the health checks from the VPN interface on the remote FortiGate. For increased security, each subnet can be specified individually.
  9. Click OK.
To configure remote and local tunnel IP addresses:
  1. Go to Network > Interfaces and edit the Core_Dialup interface under port1.
  2. Set IP to 172.16.200.1.
  3. Set Remote IP/Netmask to 172.16.200.2 255.255.255.0. This is where remote health check traffic will come from.
  4. Enable Administrative access for HTTPS, PING, and SSH.
  5. Click OK.
To configure a route to the remote subnet through the tunnel:
  1. Go to Network > Static Routes and click Create New.
  2. Set Destination to Subnet and enter the IP address and netmask: 10.100.88.0/255.255.255.0.
  3. Set Interface to Core_Dialup.
  4. Click OK.
To configure a firewall policy to allow traffic from the tunnel to port2:
  1. Go to Policy & Objects > IPv4 Policy and click Create New.
  2. Configure the following:
     Name: Core_Dialup-to-port2
     Incoming Interface: Core_Dialup
     Outgoing Interface: port2
     Source: all
     Destination: local_subnet_10_0_2_0
     Schedule: always
     Service: ALL
     Action: ACCEPT
  3. Configure the remaining settings as required.
  4. Click OK.

Configure the HQ FortiGate

To create an address for the VPN gateway:
  1. Go to Policy & Objects > Addresses and click Create New > Address.
  2. Set Name to remote_subnet_10_0_2_0.
  3. Set IP/Netmask to 10.0.2.0/24.
  4. Click OK.
To configure a custom IPsec VPN:
  1. Go to VPN > IPsec Wizard.
  2. Set Name to FGT_AWS_Tun.
  3. Set Template type to Custom.
  4. Click Next.
  5. Configure Network settings:
     Remote Gateway: Static IP Address
     IP Address: 100.21.29.17
     Interface: port5
     NAT Traversal: Enable
  6. Configure Authentication settings:
     Method: Pre-shared Key
     Pre-shared Key: Enter the pre-shared key.
     Version: 1
     Mode: Aggressive
       This setting allows the peer ID to be specified.
     Accept Types: Any peer ID
  7. Leave the default Phase 1 Proposal settings, except set Local ID to IaaS.
  8. Disable XAUTH.
  9. Configure the Phase 2 Selector settings:
     Name: FGT_AWS_Tun
     Local Address: Named Address - all
       This setting allows traffic originating from both the local subnet 10.100.88.0 and the health checks from the VPN interface. For increased security, each subnet can be specified individually.
     Remote Address: Named Address - remote_subnet_10_0_2_0
  10. Click OK.
To configure local and remote tunnel IP addresses:
  1. Go to Network > Interfaces and edit the FGT_AWS_Tun interface under port5.
  2. Set IP to 172.16.200.2.
  3. Set Remote IP/Netmask to 172.16.200.1 255.255.255.0.
  4. Enable Administrative access for HTTPS, PING, and SSH.
  5. Click OK.
Note

Routing is defined when creating the SD-WAN interface. The firewall policy is created after the SD-WAN interface is defined.
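The two GUI procedures above (the cloud FortiGate-VM dialup side and the HQ FortiGate static side) expressed as FortiOS CLI, added here as a worked example; it is not part of the original cookbook page. It assumes FortiOS CLI syntax of the same generation as the GUI described, that both units are in the root VDOM, and it uses an obvious placeholder for the pre-shared key, which the page does not give. Comments are placed on their own lines so the fragment can be pasted as-is once the placeholder is replaced.

```fortios
# ---- Cloud FortiGate-VM: dialup responder on port1 (assumed CLI, not the page's own text) ----
config firewall address
    edit "local_subnet_10_0_2_0"
        set subnet 10.0.2.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "Core_Dialup"
        # Remote Gateway: Dialup User
        set type dynamic
        set interface "port1"
        set ike-version 1
        # Aggressive mode is what lets the responder check the peer ID.
        set mode aggressive
        # Accept Types: Specific peer ID; must equal the HQ side's localid.
        set peertype one
        set peerid "IaaS"
        set nattraversal enable
        set xauthtype disable
        # Placeholder: replace with the real pre-shared key (page does not give it).
        set psksecret <PSK-placeholder>
    next
end
config vpn ipsec phase2-interface
    edit "Ent_Core"
        set phase1name "Core_Dialup"
        set src-name "local_subnet_10_0_2_0"
        # "all" admits 10.100.88.0/24 plus the remote health-check source;
        # narrow to named subnets if each should be listed individually.
        set dst-name "all"
    next
end
config system interface
    edit "Core_Dialup"
        set ip 172.16.200.1 255.255.255.255
        # Remote tunnel IP; health-check traffic arrives from here.
        set remote-ip 172.16.200.2 255.255.255.0
        set allowaccess ping https ssh
    next
end
config router static
    edit 0
        set dst 10.100.88.0 255.255.255.0
        set device "Core_Dialup"
    next
end
config firewall policy
    edit 0
        set name "Core_Dialup-to-port2"
        set srcintf "Core_Dialup"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "local_subnet_10_0_2_0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- HQ FortiGate: static initiator on port5 (assumed CLI, not the page's own text) ----
config firewall address
    edit "remote_subnet_10_0_2_0"
        set subnet 10.0.2.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "FGT_AWS_Tun"
        set interface "port5"
        # Remote Gateway: Static IP Address
        set remote-gw 100.21.29.17
        set ike-version 1
        set mode aggressive
        # Accept Types: Any peer ID; Local ID must match peerid on the cloud side.
        set peertype any
        set localid "IaaS"
        set nattraversal enable
        set xauthtype disable
        # Placeholder: same pre-shared key as the cloud side.
        set psksecret <PSK-placeholder>
    next
end
config vpn ipsec phase2-interface
    edit "FGT_AWS_Tun"
        set phase1name "FGT_AWS_Tun"
        set src-name "all"
        set dst-name "remote_subnet_10_0_2_0"
    next
end
config system interface
    edit "FGT_AWS_Tun"
        set ip 172.16.200.2 255.255.255.255
        set remote-ip 172.16.200.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
# No static route or firewall policy on the HQ side here: as the note above says,
# those are created when the SD-WAN interface is defined.
```

The settings worth reviewing in this fragment are the ones the GUI hides in sub-pages: `peertype one` with `peerid "IaaS"` is what stops any other dialup peer that knows the pre-shared key from binding to Core_Dialup, so the two units must agree on that string exactly; the `all` selectors on each side are the cookbook's convenience for carrying both 10.100.88.0/24 and the 172.16.200.0/24 health-check traffic in one selector, and can be replaced with the named subnets when tighter selectors are wanted.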
