Support Forum
Lohith07
New Contributor II

Site to Site tunnel from Fortigate which is behind a GWLB in AWS

We have FortiGates deployed behind a GWLB in AWS. Now we have a requirement to deploy a site-to-site tunnel from the firewall.

Can we configure a site-to-site tunnel from the same LAN interface that connects to the GWLB? If not, should I associate another ENI with the firewall to terminate the tunnel on it?

 

#GWLB #AWS

Anthony_E
Community Manager

Hello,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
gfleming
Staff

You should be able to configure a tunnel from the same LAN interface connected to your GWLB. The question is probably better answered with a clearer picture of your topology and whether you want to leverage the GWLB in the IPsec flow or not.

Cheers,
Graham
Lohith07
New Contributor II

[Attached image: Lohith07_0-1675059275819.png]

Attached is the diagram with the GWLB and TGW. The VPN attachment to the TGW is an S2S from on-prem. The interface of the firewall in the data subnet is private. As there is a site-to-site tunnel from on-prem to the TGW, we will have access from instances behind the on-prem firewall to AWS resources with private IPs.

1. Can we use the same interface in the data subnet (which is used for GENEVE encapsulation to connect to the GWLB) to terminate an IPsec tunnel?

2. Can we use the S2S from on-prem firewall "A" to the TGW to form the new S2S between another firewall "B" behind "A" and the firewall in the inspection VPC? It is kind of IPsec over IPsec.

3. Do you recommend any other connectivity to have an S2S from on-prem firewall "B" to the FortiGate in the inspection VPC with private IPs? The tunnel with private IPs is due to application compliance standards.

gfleming

So I am not an AWS expert by any means, but you probably do not want to run IPsec under your GENEVE tunnel to the GWLB.

Are you connecting on-prem devices to the AWS FortiGates' IPsec tunnel? Or also other VPCs to the IPsec?

May I ask why you want the IPsec tunnel to terminate on the FortiGate and not the TGW?

Also, why can't FW B talk to the TGW directly? Why does the IPsec have to go through FW A?

Cheers,
Graham
Lohith07
New Contributor II

Hi Graham,

 

As the tunnel has to be formed between two private IPs as peers, we cannot do it with the TGW.

Is it possible to build IPsec over GENEVE? The firewall doesn't have a public IP on the interface, so we need to consider either Direct Connect or IPsec to the TGW for initial connectivity for private IP communication.
