Description
This article describes how to configure the IPSec site-to-site VPN between FortiGate and AWS.
Scope
FortiGate.
Solution
Go to VPN -> IPsec Tunnels, select 'Create New', enter a Name for the tunnel, select 'Custom', and select 'Next'.
Set the Remote Gateway to 'Static IP Address' and enter the gateway IP address provided by AWS. Set the Local Interface to the FortiGate WAN interface.
Leave NAT Traversal enabled if the FortiGate sits behind a NAT/PAT device (it is enabled by default); if the FortiGate is not behind a NAT/PAT device, deselect NAT Traversal.
Set Dead Peer Detection to 'On Demand'.
Under Authentication, enter a Pre-shared Key, ensure that IKE version 1 is selected, and set Mode to 'Main'.
Under Phase 1 Proposal, set the following:
- Encryption: AES128, Authentication: SHA1
- Diffie-Hellman Group: 2
- Key Lifetime (seconds): 28800
Scroll down to Phase 2 Selectors and enter the local and remote subnets.
Expand the Advanced section and set the following:
- Encryption: AES128, Authentication: SHA1
- Select 'Enable Replay Detection'
- Select 'Enable Perfect Forward Secrecy'
- Enable 'Autokey Keep Alive'
- Diffie-Hellman Group: 2, Key lifetime: 'Seconds', Seconds: 3600
Select 'OK' to save the tunnel.
Example configuration in the CLI:
config vpn ipsec phase1-interface
    edit "fortigatetoAWS"
        set interface "port1"
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw x.x.x.x
        set psksecret xxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "fortigatetoAWS"
        set phase1name "fortigatetoAWS"
        set proposal aes128-sha1
        set dhgrp 2
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end
Creating the firewall address objects:
Go to Policy & Objects -> Addresses and create a firewall address object for each of the VPN tunnel's local and remote subnets.
In this example:
Local subnet: 192.168.10.0/24
Remote subnet: 192.168.100.0/24

Example configuration in the CLI:
config firewall address
    edit "fortigatetoAWS-local"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "fortigatetoAWS-remote"
        set subnet 192.168.100.0 255.255.255.0
    next
end
Creating the FortiGate firewall policies:
Go to Policy & Objects -> Firewall Policy and create two firewall policies for the site-to-site connection: one allowing outgoing traffic into the tunnel and one allowing incoming traffic from the tunnel.
Outgoing traffic policy:
Source Interface: the LAN interface; Destination Interface: the VPN tunnel interface; Source Address: the local subnet object; Destination Address: the remote subnet object.
Select the services that need to be allowed, set Schedule to 'always', and set Action to ACCEPT. Ensure that NAT is disabled.
Incoming traffic policy:
Source Interface: the VPN tunnel interface; Destination Interface: the LAN interface; Source Address: the remote subnet object; Destination Address: the local subnet object.
Select the services that need to be allowed and set Action to ACCEPT. Ensure that NAT is disabled.
Example configuration in the CLI:
config firewall policy
    edit 0
        set name "LAN to AWS"
        set srcintf "port2"
        set dstintf "fortigatetoAWS"
        set action accept
        set srcaddr "fortigatetoAWS-local"
        set dstaddr "fortigatetoAWS-remote"
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "AWS to LAN"
        set srcintf "fortigatetoAWS"
        set dstintf "port2"
        set action accept
        set srcaddr "fortigatetoAWS-remote"
        set dstaddr "fortigatetoAWS-local"
        set schedule "always"
        set service "ALL"
    next
end
Set the MTU and TCP MSS on the tunnel interface from the CLI:
config system interface
    edit <vpn interface name>
        set mtu 1427
        set tcp-mss 1379
    next
end
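The CLI blocks above are accepted by the FortiGate one table at a time, so a typo in an address object name, a phase2 pointing at the wrong phase1, or NAT left enabled on a tunnel policy only shows up when traffic fails. As an added example (not Fortinet's code and not part of this article), the Python script below parses the config/edit/set/next/end structure and cross-checks the tables: every phase2 must name an existing phase1, every policy touching the tunnel interface must reference defined address objects and keep NAT disabled, and the tunnel's tcp-mss must leave room for IPv4 and TCP headers inside the MTU. The embedded sample is a trimmed copy of the article's own blocks with its x.x.x.x and xxxxxx placeholders kept; the function names and the 40-byte header allowance are this example's assumptions.

```python
import shlex

# Constructed sample: the article's CLI blocks, trimmed to the settings checked
# below (x.x.x.x and xxxxxx are the article's placeholders, not real values).
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "fortigatetoAWS"
        set interface "port1"
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw x.x.x.x
        set psksecret xxxxxx
    next
end
config vpn ipsec phase2-interface
    edit "fortigatetoAWS"
        set phase1name "fortigatetoAWS"
        set proposal aes128-sha1
        set dhgrp 2
    next
end
config firewall address
    edit "fortigatetoAWS-local"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "fortigatetoAWS-remote"
        set subnet 192.168.100.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "LAN to AWS"
        set srcintf "port2"
        set dstintf "fortigatetoAWS"
        set action accept
        set srcaddr "fortigatetoAWS-local"
        set dstaddr "fortigatetoAWS-remote"
    next
end
config system interface
    edit "fortigatetoAWS"
        set mtu 1427
        set tcp-mss 1379
    next
end
"""


def parse_fortigate_cli(text):
    """Turn config/edit/set/next/end blocks into {section: [entry, ...]}; an entry maps setting -> values."""
    sections, stack = {}, []            # stack of [section name, current entry]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append([" ".join(args), None])
            sections.setdefault(stack[-1][0], [])
        elif kw == "edit":
            stack[-1][1] = {"_edit": args[0]}
            sections[stack[-1][0]].append(stack[-1][1])
        elif kw == "set":
            if stack[-1][1] is None:    # table without 'edit', e.g. system global
                stack[-1][1] = {"_edit": ""}
                sections[stack[-1][0]].append(stack[-1][1])
            stack[-1][1][args[0]] = args[1:]
        elif kw == "next":
            stack[-1][1] = None
        elif kw == "end":
            stack.pop()
    return sections


def first(entry, key, default=None):
    vals = entry.get(key)
    return vals[0] if vals else default


def check_site_to_site(sections):
    """Cross-reference tunnel, address, policy and interface tables; [] means every check passed."""
    findings = []
    phase1 = {e["_edit"]: e for e in sections.get("vpn ipsec phase1-interface", [])}
    addresses = {e["_edit"] for e in sections.get("firewall address", [])}
    for name, p1 in phase1.items():
        for key in ("remote-gw", "psksecret", "proposal", "dhgrp"):
            if key not in p1:
                findings.append(f"phase1 {name}: missing '{key}'")
    for p2 in sections.get("vpn ipsec phase2-interface", []):
        if first(p2, "phase1name") not in phase1:
            findings.append(f"phase2 {p2['_edit']}: phase1name does not match any phase1")
    for pol in sections.get("firewall policy", []):
        label = first(pol, "name", pol["_edit"])
        if not any(i in phase1 for i in pol.get("srcintf", []) + pol.get("dstintf", [])):
            continue                    # not a tunnel policy, skip
        if first(pol, "nat") == "enable":
            findings.append(f"policy {label!r}: NAT must stay disabled on tunnel traffic")
        for key in ("srcaddr", "dstaddr"):
            for addr in pol.get(key, []):
                if addr != "all" and addr not in addresses:
                    findings.append(f"policy {label!r}: {key} {addr!r} is not a defined address object")
    for intf in sections.get("system interface", []):
        mtu, mss = first(intf, "mtu"), first(intf, "tcp-mss")
        # assumption: 40 bytes of IPv4 + TCP header must fit between tcp-mss and mtu
        if intf["_edit"] in phase1 and mtu and mss and int(mss) > int(mtu) - 40:
            findings.append(f"interface {intf['_edit']}: tcp-mss {mss} does not fit inside mtu {mtu}")
    return findings


def find_issues(text):
    """Parse FortiGate CLI text and run the checks; an empty list means clean."""
    return check_site_to_site(parse_fortigate_cli(text))
```

Run find_issues() on a `show full-configuration` export (or on the blocks pasted from this article) before committing the change; the sample config above comes back clean, while a policy carrying `set nat enable`, a mistyped address object name, or an MSS above MTU minus 40 each produce a finding naming the entry concerned.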
To create the route, go to Network -> Static Routes and select 'Create New':
- Destination IP/Mask: the remote subnet
- Device: the VPN tunnel interface
- Select 'OK'.