Hi,
I've been tasked with trying to get an IPSEC hardware VPN up and running to an Amazon VPC from a Fortigate 60D. I was wondering if there was any walkthrough for such a thing. I'm most of the way there, but stumbling on a few points. The Amazon documentation for Fortigates appears to be out of date. There's a great cookbook doc for Azure but I don't see a corresponding one for Amazon. Any pointers would be greatly appreciated.
Thanks,
Donald.
It's not out of date, quite afew have posted here and in the AWS forums
Here's my write up. It should be a based to get you going.
http://socpuppet.blogspot.com/2014/02/dual-vpc-terminate-on-fortigate-firewall.html
PCNSE
NSE
StrongSwan
Created on 01-07-2022 03:05 AM Edited on 01-07-2022 12:46 PM By Anonymous
Nice, thanks for sharing the information, it really helps students like me.
Hi,
Thanks for your reply, it was very informative. My comment about being out of date is that the Fortigate doesn't allow names for objects over 15 characters. Not much of an issue.
I'm trying to work with simple static routing at the moment before stepping up to BGP as this is just a test. I'm most of the way there as I have the VPN established and I can successfully ping the remote gateway. An instance inside the VPC subnet can ping the internal interface of the Fortigate. But I can't ping the instance inside the VPC subnet. I can't see in the Fortigate config how to add in that additional range (172.30.0.0/24)
I have this successfully working from a Draytek Vigor and can ping and SSH the instance on the subnet, so I don't think it's anything to do with the routing at the VPC side. For the vigor it was only a case of adding an remote network to the VPN config.
I tried setting up a static route for 172.30.0.0/24 to go through the tunnel interface, but that doesn't appear to help. The firewall rules are pretty relaxed at the moment and allow any traffic between the VPC and the internal network.
Any suggestions are greatly appreciated.
Cheers,
Donald.
That's news to me on a 5 character limit if your talking about address or adrrgroup
e.g
config firewall address edit "12345678901234567890" <------here set uuid d244014c-62ed-51e5-1450-ebca81549b76 set subnet 1.1.1.0 255.255.255.252 next end
On the issues have you ran diag debug flow for the traffic and ensured adv/receive routes are correct at both sides ( fgt and AWS ) ?
PCNSE
NSE
StrongSwan
User | Count |
---|---|
2677 | |
1412 | |
810 | |
703 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.