IKEv2 IPsec site-to-site VPN to an AWS VPN gateway

This is a sample configuration of an IPsec site-to-site VPN connection between an on-premises FortiGate and an AWS virtual private cloud (VPC).

AWS uses unique identifiers to manipulate a VPN connection's configuration. Each VPN connection is assigned an identifier and is associated with two other identifiers: the customer gateway ID for the FortiGate and the virtual private gateway ID.

This example includes the following IDs:

  • VPN connection ID: vpn-07e988ccc1d46f749
  • Customer gateway ID: cgw-0440c1aebed2f418a
  • Virtual private gateway ID

This example assumes that you have configured VPC-related settings in the AWS management portal as described in Create a Secure Connection using AWS VPC.

This example includes creating and configuring two tunnels. You must configure both tunnels on your FortiGate.

To configure IKEv2 IPsec site-to-site VPN to an AWS VPN gateway:
  1. Configure the first VPN tunnel:
    1. Configure Internet Key Exchange (IKE).
    2. Configure IPsec.
    3. Configure the tunnel interface.
    4. Configure border gateway protocol (BGP).
    5. Configure firewall policies.
  2. Configure the second VPN tunnel:
    1. Configure Internet Key Exchange (IKE).
    2. Configure IPsec.
    3. Configure the tunnel interface.
    4. Configure BGP.
    5. Configure firewall policies.

To configure IKE for the first VPN tunnel:

A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman (DH), lifetime, and key parameters. These sample configurations meet the minimum requirements of AES128, SHA1, and DH Group 2. VPN connections of category "VPN" in the AWS GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14. To take advantage of AES256, SHA256, or other DH groups such as 14-18, 22, 23, and 24, you must modify these sample configuration files. These higher parameters are available only for VPN connections of category "VPN", not for "VPN-Classic".

Your FortiGate's external interface's address must be static. Your FortiGate may reside behind a device performing NAT. To ensure NAT traversal can function, you must adjust your firewall rules to unblock UDP port 4500. If the FortiGate is not behind NAT, disabling NAT traversal is recommended.

Begin configuration in the root VDOM. The interface name must be shorter than 15 characters. It is best if the name is shorter than 12 characters. IPsec dead peer detection (DPD) causes periodic messages to be sent to ensure a security association remains operational.
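As an added example (not part of the original page and not Fortinet or AWS tooling), the following Python check parses a phase1-interface block and reports settings that fall below the guidance above: the name-length rule, the commercial or GovCloud crypto minimums, and NAT traversal left on when the FortiGate is not behind NAT. The function names, finding labels, the tunnel name aws-tun1, and the assumption that NAT traversal is enabled unless an entry disables it are illustrative.

```python
# Page minimums as (lowest DH group, SHA1 acceptable); numeric DH compare is a simplification.
BASELINES = {"commercial": (2, True), "govcloud": (14, False)}

def parse_phase1(text):
    """Map each 'edit <name>' entry to its {setting: value} pairs."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = tunnels.setdefault(line.split(None, 1)[1].strip('"'), {})
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            _, key, *val = line.split(None, 2)
            current[key] = val[0].strip('"') if val else ""
    return tunnels

def audit(text, region="commercial", behind_nat=False):
    """Return (tunnel, finding) tuples for settings below the page's guidance."""
    (min_dh, sha1_ok), findings = BASELINES[region], []
    for name, cfg in parse_phase1(text).items():
        if len(name) >= 15:  # page: name must be shorter than 15 characters
            findings.append((name, "name-too-long"))
        for prop in cfg.get("proposal", "").split():
            enc, _, auth = prop.partition("-")
            if auth == "sha1" and not sha1_ok:
                findings.append((name, "sha1-not-allowed:" + prop))
        for grp in cfg.get("dhgrp", "").split():
            if int(grp) < min_dh:
                findings.append((name, "dh-below-minimum:" + grp))
        # Assumption: NAT traversal is on unless the entry disables it.
        if not behind_nat and cfg.get("nattraversal", "enable") != "disable":
            findings.append((name, "nat-t-on-without-nat"))
    return findings

# Constructed sample: first entry mirrors this page's values; "aws-tun1" is hypothetical.
SAMPLE = """\
config vpn ipsec phase1-interface
    edit vpn-07e988ccc1d46f749-0
        set dhgrp 2
        set proposal aes128-sha1
    next
    edit "aws-tun1"
        set nattraversal disable
        set dhgrp 14
        set proposal aes256-sha256
    next
end
"""
```

Calling audit(SAMPLE, region="govcloud") returns four findings for the first entry and none for the second; with region="commercial" and behind_nat=True only the name-length finding remains.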

config vpn ipsec phase1-interface
    edit vpn-07e988ccc1d46f749-0
        set interface "wan1"
        set dpd enable
        set local-gw
        set dhgrp 2
        set proposal aes128-sha1
        set keylife 28800
        set remote-gw
        set psksecret iCelks0UOob8z4SYMRM6zlx.rU2C3jth
        set dpd-retryi