JaskiratM
Staff
Article Id 253018
Description

This article describes how to configure a redundant IPsec tunnel from an on-premise FortiGate to an AWS VPC.

Scope

An on-premise FortiGate is connecting to an AWS VPC. The prerequisites required before following this article:

- A VPC already created in the AWS environment.

- EC2 instances already deployed in the AWS VPC.

- The network interfaces have the source/destination check disabled:
https://community.fortinet.com/t5/FortiGate/Technical-TIP-Traffic-from-AWS-LAN-hosts-toward-remote-s...

- There are no routing issues in the VPC:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-General-troubleshooting-approach-to/...

 

Solution

1) Log in to the AWS management console and navigate to the VPC service. In the VPC management console, scroll the navigation pane on the left to the Virtual Private Gateway section under the VPN section.

 

2) Select 'Create virtual private gateway' on the top right of the screen. This prompts for a name for the Virtual Private Gateway.

Provide a name and select 'Create virtual private gateway'.

 

 

 

3) The Virtual Private Gateway created above needs to be attached to the VPC (Virtual Private Cloud). Select the newly created VPG and choose the action to attach the VPG to the VPC.

Choose the VPC to associate this VPG with and select 'Attach VPC'.

 

4) In the VPC management console, scroll the navigation pane on the left to the Customer Gateway section under the VPN section.

Select 'Create Customer gateway' on the top right of the screen. This prompts for a name, the gateway IP address of the FortiGate, certificates (if any), and the device (optional) for the Customer Gateway. Provide the information and select 'Create Customer Gateway'.

 

5) In the VPC management console, scroll the navigation pane on the left to the 'Site-to-Site VPN connections' section under the VPN section.

Select 'Create VPN Connection' on the top right of the screen. This prompts for a name, the Virtual Private Gateway, the Customer Gateway, and the phase-2 selectors. Provide a name, the Virtual Private Gateway created in step 2 and the Customer Gateway created in step 4.

The next option is to choose the 'Routing options'.

 

SCENARIO-A: Dynamic.

If this option is chosen, AWS sets up BGP automatically and includes the BGP parameters in the configuration file it provides after setup, so that BGP can be configured on the FortiGate and routing information exchanged.

Follow the article below to set up BGP on the tunnel interface in FortiGate:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Dynamic-routing-BGP-over-IPsec-tunnel/ta-...



SCENARIO-B: Static.

If this option is chosen, static routing needs to be set up on the FortiGate, and a static route to the FortiGate's local subnet needs to be added in the AWS VPC. This is done by opening the routing table of the VPC and adding a route for that subnet.

Make sure to choose the Target as the VPG created in step 2.

6) Provide the phase-2 selector information (if any) and select 'Create VPN Connection'.

7) Once the VPN connection has been created, select 'Download configuration'.

 

Choose the appropriate FortiOS version and IKE version options according to the needs.

 

8) The file includes the configuration for the two IPsec VPN connections, along with two BGP configurations if dynamic routing was selected in step 5. Configure the IPsec VPN tunnels and BGP (if included) by following the articles below:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Dynamic-routing-BGP-over-IPsec-tunnel/ta-...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Redundant-IPSEC-Tunnel-using-single-WAN-co...

 

10) Now a VERY IMPORTANT point to note: both tunnels are up all the time, and if the FortiGate load balances traffic across them, AWS uses a random algorithm to choose the tunnel for the return traffic. This can result in asymmetric routing: a packet is sent out VPN-TUNNEL-1 and the reply to that traffic comes back via VPN-TUNNEL-2.

So the redundancy logic needs to be established on the FortiGate, using static route priority, SD-WAN, tunnel monitoring, or altering the BGP routes learned from AWS.

 

Follow the articles below and choose the option that works best:

- Static route priority:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Redundant-IPSEC-Tunnel-using-single-WAN-co...

- SD-WAN:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...

- Monitoring tunnels:
https://docs.fortinet.com/document/fortigate/6.2.13/cookbook/432685/manual-redundant-vpn-configurati...

- BGP route alteration:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-prefix-compared-to-static-locally-orig...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-BGP-Weight-attribute-to-prefer-default...
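The static route priority option from step 10 written out as FortiOS CLI, added here as an example and not taken from the article or from the AWS-generated configuration file. The tunnel names, the WAN interface name wan1, the VPC CIDR 10.0.0.0/16, the AWS peer addresses and the 169.254.x.x inside addresses are constructed placeholders; the real values, proposals and pre-shared keys come from the downloaded file.

```fortios
# Added example; all addresses are constructed placeholders, not the article's or AWS's values.
config vpn ipsec phase1-interface
    edit "aws-vpn-1"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set dpd on-idle
        set psksecret "PSK-TUNNEL-1-FROM-AWS-FILE"
    next
    edit "aws-vpn-2"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.11
        set dpd on-idle
        set psksecret "PSK-TUNNEL-2-FROM-AWS-FILE"
    next
end
# Proposals, DH groups and lifetimes are omitted: copy them from the AWS file.
config vpn ipsec phase2-interface
    edit "aws-vpn-1"
        set phase1name "aws-vpn-1"
    next
    edit "aws-vpn-2"
        set phase1name "aws-vpn-2"
    next
end
config system interface
    edit "aws-vpn-1"
        set ip 169.254.10.2 255.255.255.255
        set remote-ip 169.254.10.1 255.255.255.252
    next
    edit "aws-vpn-2"
        set ip 169.254.11.2 255.255.255.255
        set remote-ip 169.254.11.1 255.255.255.252
    next
end
# Same distance, different priority: only the lower value forwards traffic, so AWS
# replies on tunnel 1; tunnel 2 takes over when DPD drops tunnel 1 and its route.
config router static
    edit 10
        set dst 10.0.0.0 255.255.0.0
        set device "aws-vpn-1"
        set priority 1
    next
    edit 11
        set dst 10.0.0.0 255.255.0.0
        set device "aws-vpn-2"
        set priority 10
    next
end
```

Firewall policies from the LAN to both tunnel interfaces are still required and are not shown; with dpd on-idle the FortiGate probes an idle peer, so a dead tunnel 1 is detected and its route withdrawn even when no user traffic is flowing.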

 

11) Once the steps above have been followed and the IPsec tunnels have been configured on the FortiGate, the tunnels should come up.

 

Related documents:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-prefix-compared-to-static-locally-orig...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-BGP-Weight-attribute-to-prefer-default...
https://docs.fortinet.com/document/fortigate/6.2.13/cookbook/432685/manual-redundant-vpn-configurati...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-IPsec-VPN-with-SD-WAN/ta-p/20984...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Redundant-IPSEC-Tunnel-using-single-WAN-co...
https://community.fortinet.com/t5/FortiGate/Technical-Note-Dynamic-routing-BGP-over-IPsec-tunnel/ta-...
