We have FortiGates deployed behind a GWLB in AWS. We now have a requirement to deploy a site-to-site tunnel from the firewall.
Can we configure a site-to-site tunnel from the same LAN interface that connects to the GWLB? If not, should I associate another ENI with the firewall to terminate the tunnel on it?
#GWLB #AWS
Hello,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
You should be able to configure a tunnel from the same LAN interface connected to your GWLB. The question is probably better answered with a clearer picture of your topology and whether you want to leverage the GWLB in the IPsec flow or not.
Attached is the diagram with the GWLB and TGW. The VPN attachment to the TGW is a S2S tunnel from on-prem. The firewall interface in the data subnet is private. As there is a site-to-site tunnel from on-prem to the TGW, instances behind the on-prem firewall will have access to AWS resources via private IPs.
1. Can we use the same interface in the data subnet (which is used for GENEVE encapsulation to connect to the GWLB) to terminate an IPsec tunnel?
2. Can we use the S2S tunnel from on-prem firewall "A" to the TGW to form a new S2S tunnel between another firewall "B" behind "A" and the firewall in the inspection VPC? It is kind of IPsec over IPsec.
3. Do you recommend any other connectivity to have a S2S tunnel from on-prem firewall "B" to the FortiGate in the inspection VPC with private IPs? The tunnel with private IPs is due to application compliance standards.
So I am not an AWS expert by any means, but you probably do not want to run IPsec under your GENEVE tunnel to the GWLB.
Are you connecting on-prem devices to the AWS FortiGates' IPsec tunnel? Or also other VPCs to the IPsec tunnel?
May I ask why you want the IPsec tunnel to terminate on the FortiGate and not the TGW?
Also, why can't FW B talk to the TGW directly? Why does the IPsec have to go through FW A?
Hi Graham,
As the tunnel has to be formed between two private IPs as peers, we cannot do it with the TGW.
Is it possible to build IPsec over GENEVE? The firewall doesn't have a public IP on the interface, so we need to consider either Direct Connect or IPsec to the TGW for the initial connectivity for private-IP communication.
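As an added example (not posted by anyone in this thread, and not Fortinet's reference configuration), the FortiOS CLI below shows what "terminate the tunnel on the same LAN interface" looks like in practice: the GENEVE tunnel to the GWLB and the IPsec phase1 are both bound to the same physical data-subnet port, and the IPsec peer is reached through the data subnet's router (and from there the TGW route) rather than through the GENEVE interface, so the IPsec traffic is not nested inside GENEVE. The interface name `port2`, the GWLB address `10.0.1.10`, the data-subnet gateway `10.0.1.1`, the private peer `192.168.50.5`, the subnets and the tunnel names are all assumed placeholders; firewall policies for the tunnel traffic are still required and are omitted here.

```fortios
# Added example, not from the original thread. All names and addresses are assumptions.

# 1. Existing GWLB path: GENEVE tunnel on port2 toward the GWLB endpoint address in this AZ
config system geneve
    edit "gwlb-az1"
        set interface "port2"
        set type ppp
        set remote-ip 10.0.1.10        # assumed GWLB endpoint ENI address
    next
end

# 2. New site-to-site tunnel: phase1 bound to the physical port2, NOT to "gwlb-az1".
#    The private peer (on-prem firewall B) is reachable via the TGW route from the data subnet.
config vpn ipsec phase1-interface
    edit "to-onprem-fwB"
        set interface "port2"
        set ike-version 2
        set remote-gw 192.168.50.5     # assumed private IP of on-prem firewall B
        set proposal aes256gcm-prfsha384
        set dhgrp 20
        set psksecret REPLACE_WITH_PSK # placeholder; use a strong pre-shared key or certificates
    next
end
config vpn ipsec phase2-interface
    edit "to-onprem-fwB-p2"
        set phase1name "to-onprem-fwB"
        set proposal aes256gcm
        set dhgrp 20
        set src-subnet 10.0.0.0 255.255.0.0     # assumed inspection VPC range
        set dst-subnet 192.168.0.0 255.255.0.0  # assumed on-prem range behind firewall B
    next
end

# 3. Routing: /32 to the peer out port2 via the data-subnet router (the VPC "+1" address),
#    and the on-prem prefix steered into the IPsec tunnel interface.
config router static
    edit 10
        set dst 192.168.50.5 255.255.255.255
        set gateway 10.0.1.1           # assumed data-subnet default gateway
        set device "port2"
    next
    edit 11
        set dst 192.168.0.0 255.255.0.0
        set device "to-onprem-fwB"
    next
end
```

The point to check after applying something like this is the route to the peer: `get router info routing-table details 192.168.50.5` should show `port2`, not `gwlb-az1`. If the peer were instead routed into the GENEVE interface, the ESP packets would be encapsulated and handed back to the GWLB, which is the "IPsec under GENEVE" arrangement the reply above advises against. Because the peer is a private address, the data subnet's VPC route table must also carry a route for it toward the TGW, and the TGW must already know the on-prem prefix via the existing S2S VPN attachment.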
Copyright 2024 Fortinet, Inc. All Rights Reserved.