Chapter 10. Cloud Technologies

10.4 IPsec VPN from FortiGate (on Premise) to AWS

Learning Objectives

  • Configure a Customer Gateway in AWS
  • Configure a Virtual Private Gateway
  • Create an IPsec VPN between an on-premise FortiGate and AWS
Scenario: We are going to connect an on-premise FortiGate to an AWS virtual private gateway over an IPsec VPN. First, we configure the AWS side, then we connect the FortiGate through port1 to the AWS virtual private gateway.
Figure 10.60: Main scenario: IPsec VPN from FortiGate (on premise) to AWS
Table 10.4: On-premise devices configuration

Device      Configuration              Access
FortiGate   Port1: DHCP client         Port1: HTTP, HTTPS, PING
            Port2: 192.168.10.1/24
WebTerm1    192.168.10.2/24

AWS Configuration

  1. Create a VPC for AWS as follows:
    • Name tag: AWS Subnet
    • IPv4 CIDR: 10.0.0.0/16
    Figure 10.61: Create a VPC
    Figure 10.62: Select “VPC only” and create a VPC named “AWS Subnet”
  2. Create a private subnet under AWS VPC as follows:
    • VPC: AWS Subnet
    • Subnet Name: Private
    • IPv4 CIDR block: 10.0.1.0/24
    Figure 10.63: Create a subnet under AWS VPC
  3. Create an internet gateway named AWS-IGW and attach it to the VPC, as follows:
    Figure 10.64: Create an internet gateway
    Figure 10.65: Select Name as AWS-IGW
    Figure 10.66: Attach the internet gateway to VPC
    Figure 10.67: Attach the internet gateway to VPC
  4. Create a static route to the internet gateway (AWS-IGW). Edit Routes as follows:
    Figure 10.68: Edit routes
    Figure 10.69: Add a new route 0.0.0.0/0 to your internet gateway
    Figure 10.70: Add a new route 0.0.0.0/0 to your internet gateway
    Figure 10.71: Route tables overview
  5. Create a customer gateway for the FortiGate's public IP address (named AWS-VPN-FG in this lab) as follows:
    Figure 10.72: Create a customer gateway
    Figure 10.73: Create a customer gateway
  6. Create a virtual private gateway (named FortiGate in this lab) and attach it to the VPC as follows:
    Figure 10.74: Create a virtual private gateway
    Figure 10.75: Create a virtual private gateway named FortiGate
    Figure 10.76: Attach virtual private gateway to VPC
    Figure 10.77: Attach virtual private gateway to VPC
  7. Create a Site-to-Site VPN connection as follows:
    • Name Tag: VPNAWS
    • Target gateway type: Virtual private gateway
    • Virtual Private Gateway: FortiGate
    • Customer Gateway ID: AWS-VPN-FG
    • Routing options: Static
    • Static IP prefixes: 192.168.10.0/24
    • Local IPv4 network CIDR: 192.168.10.0/24
    • Remote IPv4 network CIDR: 10.0.1.0/24
    • Tunnel 1 and Tunnel 2 options: leave as default
    Figure 10.78: Create a site-to-site VPN connection
    Figure 10.79: Create a site-to-site VPN connection with FortiGate
    Figure 10.80: Create a site-to-site VPN connection with FortiGate
    Figure 10.81: Create a site-to-site VPN connection with FortiGate
    Figure 10.82: Download configuration
    Figure 10.83: Verify public IP address
  8. Open the configuration file you downloaded from AWS. It lists the phase 1 and phase 2 parameters, the pre-shared key and the tunnel inside addresses that the FortiGate steps below use.
    Figure 10.84: IPsec Phase 1
    Figure 10.85: IPsec Phase 2

FortiGate Configuration

  1. First, we configure the port1 and port2 IP addresses. port1 is a DHCP client and port2 is set to 192.168.10.1/24.
    Figure 10.86: Set an IP address for port2
    Figure 10.87: Port1 and Port2 IP addresses
  2. Create a static route via port1 (the WAN port), as shown in Figure 10.88.
    Figure 10.88: Create a static route
  3. Create the VPN with the IPsec Wizard using the Custom template, as follows:
    • Remote Gateway IP Address: Public_IP_Address_AWS_Virtual_Gateway
    • NAT Traversal: Disable
    • Pre-shared Key: the same as the AWS key (psWvIznNXaD3e1bWB9mVrODkrYALmrBO)
    • Local Address: 192.168.10.0/24
    • Remote Address: 10.0.0.0/16
    • Phase 1: Encryption: AES128, Authentication: SHA-1, DH: 2, lifetime: 28800
    • Phase 2: Encryption: AES128, Authentication: SHA-1, DH: 2, lifetime: 3600
    • IKE: version 2
    Figure 10.89: Create a custom VPN
    Figure 10.90: Create a custom VPN
    Figure 10.91: Create a custom VPN
    Figure 10.92: Create a custom VPN
  4. Set an IP address for the FG-AWS tunnel interface, using the tunnel inside addresses from the configuration file.
    Figure 10.93: Configuration file for setting an IP address for FG-AWS tunnel
    Figure 10.94: Set an IP address for FG-AWS tunnel
    Figure 10.95: Set an IP address for FG-AWS tunnel
  5. Create a static route from FG-LAN to AWS-LAN, using the route information from the configuration file.
    Figure 10.96: Configuration file for creating a static route from FG-LAN to AWS-LAN
    Figure 10.97: Create a static route from FG-LAN to AWS-LAN
    Figure 10.98: Create a static route from FG-LAN to AWS-LAN
  6. Create firewall policies from port2 to the tunnel and from the tunnel to port2. First, create an address object for the on-premise LAN subnet and one for the AWS subnet, so the policies match only those networks. NAT must be disabled on these site-to-site policies.
    Figure 10.99: Create a subnet for local network
    Figure 10.100: Create a subnet for AWS local network
    Figure 10.101: Create a policy from port2 to FG-AWS Tunnel
    Figure 10.102: Create a policy from FG-AWS Tunnel to port2
    Figure 10.103: Create a policy from AWS-FG Tunnel to port2
    Figure 10.104: Firewall Policies Overview

Verify Connections

On the FortiGate, navigate to the IPsec tunnel monitor: the tunnel status should be up. The AWS console shows the same status on the site-to-site VPN connection.

Figure 10.105: Verify tunnel status in FortiGate (on premise)
Figure 10.106: Verify tunnel status in AWS

License

FortiGate Firewall Copyright © 2023 by Hamid Talebi is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.