Chapter 10- Cloud Technologies

10-4 IPSEC VPN from FortiGate (on premise) to AWS

Learning Objectives

  • Configure a Customer Gateway in AWS
  • Configure a Virtual Private Gateway
  • Create an IPSEC VPN between FortiGate on-Premise and AWS
Scenario: We are going to connect on premise FortiGate to AWS Virtual Gateway. This is going to be IPSEC VPN between FortiGate and AWS. First, we will configure AWS and then connect FortiGate through Port1 to AWS Virtual Gateway

 

Main scenario IPSEC VPN from FortiGate (on premise) to AWS
Figure 10-60: Main scenario
Table 10-4: On-premise devices configuration
Device Configuration Access
FortiGate Port 1: DHCP Client

Port 2: 192.168.10.1/24

 Port1: HTTP, HTTPS, PING

 
 WebTerm-1 192.168.10.2/24

AWS Configuration

1- Create a VPC for AWS as follows:

  • Name tag : AWS Subnet
  • IPv4 CIDR: 10.0.0.0/16
Step1-Create a VPC
Figure 10-61: Step1-Create a VPC

 

Step2-Select VPC only
Figure 10-62: Step 2- Create a VPC named “AWS Subnet”

2- Create a private subnet under AWS VPC as follows:

  • VPC: AWS Subnet
  • Subnet Name: Private
  • IPv4 CIDR block: 10.0.1.0/24
Create a subnet under AWS VPC
Figure 10-63: Step 3- Create a subnet under AWS VPC

3- Create an Internet gateway as follows:

Create an Internet Gateway
Figure 10-64: Step1- Create an Internet Gateway
Figure 10-65: Step2- Select Name as AWS-IGW

 

Figure 10-66: Step3-Attach the Internet Gateway to VPC

 

Step4-Attach the Internet Gateway to VPC
Figure 10-67: Step4-Attach the Internet Gateway to VPC

4- Create a static route to the Internet Gateway(AWS-IGW). Edit Routes as follows:

Figure 10-68: Step1-Edit routes
Step2- Add new route 0.0.0.0/0 to your Internet Gateway
Figure 10-69: Step2- Add a new route 0.0.0.0/0 to your Internet Gateway

 

Add new route 0.0.0.0/0 to your Internet Gateway
Figure 10-70: Step3-Add a new route 0.0.0.0/0 to your Internet Gateway
Step4-Route Tables
Figure 10-71: Step4-Route tables overview

5- Create a customer gateway as follows:

Step1-Create a customer gateway
Figure 10-72: Step1-Create a customer gateway
Step2-Create a Customer Gateway
Figure 10-73: Step2-Create a Customer Gateway

6- Create a virtual private gateway as follows:

Step1-Create a Virtual Private Gateway
Figure 10-74: Step1-Create a Virtual Private Gateway

 

Step2-Create a Virtual Private Gateway on FortiGate
Figure 10-75: Step2-Create a Virtual Private Gateway on FortiGate

 

Step3-Attach Virtual Private Gateway to VPC
Figure 10-76: Step3-Attach Virtual Private Gateway to VPC

 

Step4-Attach Virtual Private Gateway to VPC
Figure 10-77: Step4-Attach Virtual Private Gateway to VPC

7- Create a Site-to-Site VPN connection as follows:

  • Name Tag: VPNAWS
  • Target gateway type: Virtual private gateway
  • Virtual Private Gateway: FortiGate
  • Customer Gateway ID: AWS-VPN-FG
  • Routing options: Static
  • Static IP prefixes: 192.168.10.0/24
  • Local IPv4 network CIDR: 192.168.10.0/24
  • Remote IPV4 network CIDR: 10.0.1.0/24
  • Tunnel 1 and Tunnel 2 options: leave it as default
Step1-Create a Site-To-Site VPN connection
Figure 10-78: Step 1-Create a Site-To-Site VPN connection

 

Step2-Create a Site-To-Site VPN connection with FortiGate
Figure 10-79: Step 2-Create a Site-To-Site VPN connection with FortiGate

 

Figure 10-80: Step 3-Create a Site-To-Site VPN connection with FortiGate

 

Step4-Create a Site-To-Site VPN connection with FortiGate
Figure 10-81: Step 4 -Create a Site-To-Site VPN connection with FortiGate

 

Step5-Download configuration
Figure 10-82: Step 5-Download configuration

 

Step6- Verify public IP address
Figure 10-83: Step 6- Verify public IP address

8- Open the file that you have downloaded on AWS. It will show phase 1 and phase 2 configuration.

 

Step7- IPSEC Phase 1
Figure 10-84: Step 7- IPSEC Phase 1

 

Step8-IPSEC Phase 2
Figure 10-85: Step 8-IPSEC Phase 2

FortiGate Configuration

1- First, we will configure port1 and port 2 IP addresses. port1 should be set as DHCP client and port2 should be set as 192.168.10.1/24.

Set an IP address for port2
Figure 10-86: Set an IP address for port2
Port1 and Port2 IP addresses
Figure 10-87: Port1 and Port2 IP addresses

2- Create a static route to port1(WAN Port) as Figure 10-88.

Create a static route
Figure 10-88: Create a static route

3- Create an IPSEC Wizard as a custom as follows:

  • Remote Gateway IP Address: Public_IP_Address_AWS_Virtual_Gateway
  • Nat Traversal : Disable
  • Pre-shared Key: The same as AWS key(psWvIznNXaD3e1bWB9mVrODkrYALmrBO)
  • Local Address: 192.168.10.0/24
  • Remote Address: 10.0.0.0/16
  • Phase 1: Encryption : AES128, Authentication: SHA-1, DH: 2, lifetime: 28800
  • Phase 2: Encryption : AES128, Authentication: SHA-1, DH: 2, lifetime: 3600
  • IKE: version 2
Step1- Create a custom VPN
Figure 10-89: Step1- Create a custom VPN
Create a custom VPN
Figure 10-90: Step 2- Create a custom VPN
Step 3- Create a custom VPN
Figure 10-91: Step 3- Create a custom VPN
Step 4- Create a custom VPN
Figure 10-92: Step 4- Create a custom VPN

4- Set an IP address for FG-AWS tunnel. We will set the IP address based on the configuration file.

Figure 10-93: Step 1- Configuration file for setting an IP address for FG-AWS tunnel
Step 2- Set an IP address for FG-AWS tunnel
Figure 10-94: Step 2- Set an IP address for FG-AWS tunnel

 

Step 3- Set an IP address for FG-AWS tunnel
Figure 10-95: Step 3- Set an IP address for FG-AWS tunnel

5- Create a static route from FG-LAN to AWS-LAN. We will set a static route based on the configuration file.

Create a static route from FG-LAN to AWS-LAN
Figure 10-96: Step 1- Configuration file for Creating a static route from FG-LAN to AWS-LAN
Step 2- Create static route from FG-LAN to AWS-LAN
Figure 10-97: Step 2- Create a static route from FG-LAN to AWS-LAN
Step 3- Create a static route from FG-LAN to AWS-LAN
Figure 10-98: Step 3- Create a static route from FG-LAN to AWS-LAN

6- Create a firewall policy from Port 2 to Tunnel and from Tunnel to Port2. We will create a subnet for LAN on premise and a subnet for AWS. Also, in site-to-site VPN, NAT should be disabled here.

Create a subnet for local network
Figure 10-99: Create a subnet for local network
Create a subnet for AWS local network
Figure 10-100: Create a subnet for AWS local network

 

Create a policy from port2 to FG-AWS Tunnel
Figure 10-101: Create a policy from port2 to FG-AWS Tunnel
Create a policy from FG-AWS Tunnel to port2
Figure 10-102: Create a policy from FG-AWS Tunnel to port2
Create a policy from AWS-FG Tunnel to port2
Figure 10-103: Create a policy from AWS-FG Tunnel to port2
Firewall Policies
Figure 10-104: Firewall Policies Overview

Verify connections

If you navigate to IPSEC Tunnel, the status should be up.

Verify tunnel status in FortiGate (on premise)
Figure 10-105: Verify tunnel status in FortiGate (on premise)
Verify tunnel status in AWS
Figure 10-106: Verify tunnel status in AWS

 

License

Icon for the Creative Commons Attribution 4.0 International License

FortiGate Firewall: Practical Guidance and Hands-On Labs by Hamid Talebi is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.

Share This Book