Chapter 10. Cloud Technologies
10.4 IPsec VPN from FortiGate (on Premise) to AWS
Learning Objectives
- Configure a Customer Gateway in AWS
- Configure a Virtual Private Gateway
- Create an IPsec VPN between FortiGate on-Premise and AWS
Scenario: We are going to connect on premise FortiGate to AWS Virtual Gateway. This is going to be IPsec VPN between FortiGate and AWS. First, we will configure AWS and then connect FortiGate through Port1 to AWS Virtual Gateway
| Device | Configuration | Access |
|---|---|---|
| FortiGate | Port 1: DHCP Client
Port 2: 192.168.10.1/24 |
Port1: HTTP, HTTPS, PING
|
| WebTerm1 | 192.168.10.2/24 | – |
AWS Configuration
- Create a VPC for AWS as follows:
- Name tag: AWS Subnet
- IPv4 CIDR: 10.0.0.0/16
- Create a private subnet under AWS VPC as follows:
- VPC: AWS Subnet
- Subnet Name: Private
- IPv4 CIDR block: 10.0.1.0/24
- Create an internet gateway as follows:
- Create a static route to the internet gateway (AWS-IGW). Edit Routes as follows:
- Create a customer gateway as follows:
- Create a virtual private gateway as follows:
- Create a Site-to-Site VPN connection as follows:
- Name Tag: VPNAWS
- Target gateway type: Virtual private gateway
- Virtual Private Gateway: FortiGate
- Customer Gateway ID: AWS-VPN-FG
- Routing options: Static
- Static IP prefixes: 192.168.10.0/24
- Local IPv4 network CIDR: 192.168.10.0/24
- Remote IPV4 network CIDR: 10.0.1.0/24
- Tunnel 1 and Tunnel 2 options: leave it as default
- Open the file that you have downloaded on AWS. It will show phase 1 and phase 2 configuration.
FortiGate Configuration
- First, we will configure port1 and port2 IP addresses. port1 should be set as DHCP client and port2 should be set as 192.168.10.1/24.
- Create a static route to port1 (WAN Port) as Figure 10.88.
- Create an IPsec Wizard as a custom as follows:
- Remote Gateway IP Address: Public_IP_Address_AWS_Virtual_Gateway
- Nat Traversal: Disable
- Pre-shared Key: The same as AWS key(psWvIznNXaD3e1bWB9mVrODkrYALmrBO)
- Local Address: 192.168.10.0/24
- Remote Address: 10.0.0.0/16
- Phase 1: Encryption: AES128, Authentication: SHA-1, DH: 2, lifetime: 28800
- Phase 2: Encryption: AES128, Authentication: SHA-1, DH: 2, lifetime: 3600
- IKE: version 2
- Set an IP address for FG-AWS tunnel. We will set the IP address based on the configuration file.
- Create a static route from FG-LAN to AWS-LAN. We will set a static route based on the configuration file.
- Create a firewall policy from Port2 to Tunnel and from Tunnel to Port2. We will create a subnet for LAN on premise and a subnet for AWS. Also, in site-to-site VPN, NAT should be disabled here.
Verify Connections
If you navigate to IPsec Tunnel, the status should be up.