This article describes how to build a redundant IPsec tunnel pair between Google Cloud and a FortiGate, using BGP routing (and MED values) so that traffic fails over from the primary tunnel to the secondary tunnel.
1) Open the GCP Console. Navigate to VPC network -> IP addresses -> Reserve External Static IP address.
Reserve a static public IP address. It must be in the same region as the subnet you are connecting to (and as the Cloud Router and VPN gateway created in the following steps).
2) Navigate to Hybrid Connectivity -> Cloud Routers -> CREATE ROUTER. A Cloud Router is required to terminate the BGP peering with the FortiGate; assign it the Google-side ASN that the FortiGate will peer with.
The 'Create Router' wizard provides the option to advertise all subnet routes of the VPC or only custom routes. Choose according to your requirement.
3) Navigate to Hybrid Connectivity -> VPN -> Create VPN Connection.
Choose the VPN type as required (Classic/HA):
CLASSIC VPN SETUP:
- Provide a name, description (optional), region (same as VPC), and choose the Public IP created in step 1.
- Add Remote peer (FortiGate) information (IKE version/PSK/BGP):
- Create a BGP-Session. Provide the BGP peer IP (FortiGate tunnel Interface), Peer ASN, and provide a BGP IP for Google Cloud Router.
Choose whether the advertised routes are manual or automatic. Specify the MED (metric) value for the routes advertised over tunnel-1.
Make sure the MED value for tunnel-1 is lower than the MED value for tunnel-2 (described in the next step): BGP prefers the route with the lower MED, so tunnel-1 becomes the primary path.
- Add tunnel-2 in the same setup wizard. Make sure the MED value in the BGP configuration of tunnel-2 is higher than the MED value in the BGP configuration of tunnel-1.
HA VPN:
- Provide a Gateway Name along with the VPC and specify the same Region as the VPC.
- Add VPN tunnel information including Remote Peer IP (FortiGate IP).
- In the configure BGP section, choose the Cloud Router created in step 2 and set up the BGP sessions. As in the Classic VPN case, configure a lower MED value for the advertised routes on tunnel-1 than on tunnel-2.
4) Navigate to Hybrid Connectivity -> Peer VPN Gateways. Choose the VPN created and download the configuration.
Choose Fortinet as the vendor, select the FortiOS version, and download the config file. It contains the tunnel, interface, and BGP settings (including the pre-shared keys) generated for your peer.
5) Use the configuration downloaded in step 4 to add the VPN, interface, and BGP configuration on the FortiGate. Follow the link below to set up an IPsec VPN with BGP on the FortiGate:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Dynamic-routing-BGP-over-IPsec-tunnel/ta-...
6) After the tunnels come up on the FortiGate, the tunnel status on GCP should show Established.
7) The BGP neighborship can be verified on the FortiGate with the CLI command get router info bgp summary, and the received routes with get router info bgp network.
The route 10.182.0.0/20 is learned from both neighbors, but tunnel-1 advertises it to the FortiGate with a metric of 100 and tunnel-2 with a metric of 200, as configured in step 3. Because both GCP peers belong to the same AS, the FortiGate compares their MEDs and prefers the lower one, so tunnel-1 is installed as the best path.
However, the route 172.16.1.0/24 advertised by the FortiGate to GCP over both tunnels carries the default metric and the same AS path, so the Cloud Router treats the two paths as equal and load-balances (ECMP) traffic across both tunnels instead of using tunnel-1 only.
8) Fixing the load balancing: set up outbound route maps on the FortiGate BGP neighbors so that the routes advertised to GCP over tunnel-1 carry a lower metric (MED) than the same routes advertised over tunnel-2.
Follow the link below to influence the routes advertised to GCP from FortiGate:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Influencing-BGP-routes-using-Metric/ta-p/...
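The FortiGate CLI equivalent of steps 5 and 8 for an HA VPN gateway pair, as an added example. It is not the article's own configuration and not the file GCP generates in step 4; every address, ASN, interface name and PSK placeholder below is a constructed assumption and must be replaced with the values from your downloaded configuration.

```fortios
# Added example, constructed values (not from the GCP-generated config file):
#   GCP HA VPN gateway interfaces: 35.0.0.1 (tunnel-1), 35.0.0.2 (tunnel-2)
#   Tunnel-1 BGP link: GCP 169.254.10.1, FortiGate 169.254.10.2 (/30)
#   Tunnel-2 BGP link: GCP 169.254.20.1, FortiGate 169.254.20.2 (/30)
#   ASNs: Cloud Router 65000, FortiGate 65001; port1 = WAN, on-prem LAN 172.16.1.0/24

# Step 5: two IKEv2 route-based tunnels, one per GCP gateway interface
config vpn ipsec phase1-interface
    edit "gcp-tun1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw 35.0.0.1
        set psksecret "REPLACE-WITH-TUNNEL1-PSK"
    next
    edit "gcp-tun2"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw 35.0.0.2
        set psksecret "REPLACE-WITH-TUNNEL2-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "gcp-tun1-p2"
        set phase1name "gcp-tun1"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
    edit "gcp-tun2-p2"
        set phase1name "gcp-tun2"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
end

# Link-local /30 addresses on the tunnel interfaces carry the BGP sessions
config system interface
    edit "gcp-tun1"
        set ip 169.254.10.2 255.255.255.255
        set remote-ip 169.254.10.1 255.255.255.252
    next
    edit "gcp-tun2"
        set ip 169.254.20.2 255.255.255.255
        set remote-ip 169.254.20.1 255.255.255.252
    next
end

# Step 8: outbound route maps that stamp a MED on every prefix advertised to GCP.
# A rule with no match clause applies to all routes; tunnel-1 gets the lower
# (preferred) value, so the Cloud Router stops load-balancing across both tunnels.
config router route-map
    edit "gcp-tun1-out"
        config rule
            edit 1
                set set-metric 100
            next
        end
    next
    edit "gcp-tun2-out"
        config rule
            edit 1
                set set-metric 200
            next
        end
    next
end

config router bgp
    set as 65001
    set router-id 169.254.10.2
    config neighbor
        edit "169.254.10.1"
            set remote-as 65000
            set route-map-out "gcp-tun1-out"
        next
        edit "169.254.20.1"
            set remote-as 65000
            set route-map-out "gcp-tun2-out"
        next
    end
    config network
        edit 1
            set prefix 172.16.1.0 255.255.255.0
        next
    end
end
```

After applying this, get router info bgp summary should list both neighbors in the Established state, and get router info bgp neighbors 169.254.10.1 advertised-routes should show 172.16.1.0/24 with metric 100 (200 for neighbor 169.254.20.1); on the GCP side the Cloud Router then selects tunnel-1 for that prefix. The inbound direction needs no route map: the GCP MEDs of 100 and 200 set in step 3 are compared by the FortiGate because both peers are in AS 65000. Firewall policies between the two tunnel interfaces and the LAN interface are still required for traffic to pass and are not shown here.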
9) Verification: a continuous ping from a device inside the GCP VPC network to an on-premises host should show no packet loss, and bringing tunnel-1 down (for example by disabling its phase1 interface on the FortiGate) should move traffic to tunnel-2 with at most a brief interruption while BGP reconverges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.