Chapter 10- Cloud Technologies

10-6 Site-to-Site VPN between FortiGate on premise and FortiGate in AWS

Learning Objectives

  • Configure a VPN Wizard in AWS
  • Configure site-to-site VPN between FortiGate on premise and AWS
  • Identify FortiGate subnets in AWS

Site-to-Site VPN between FortiGate on premise and FortiGate in AWS
Figure 10-154: main scenario
Scenario: In this lab, we are going to create a site-to-site VPN from the on-premise FortiGate to the FortiGate in AWS. Familiarity with the configuration from Section 10-5 is required for this lab. Port1 of the on-premise FortiGate is configured as a DHCP client, so it receives its IP address from the Cloud node.

On-Premise FortiGate Configuration

Table 10-6: Devices configuration
Device      Interface   IP address
FortiGate   Port 1      DHCP client
FortiGate   Port 2      192.168.10.1/24
WebTerm     Eth0        192.168.10.2/24

1- Configure the interfaces of the firewall. By default, Port2 is the internal interface and is named “LAN”, and Port1 is the external interface and is named “WAN”.

Figure 10-155: Firewall Interfaces

2- Create a site-to-site VPN with the IPsec Wizard, as shown in Figures 10-156 to 10-158.

Figure 10-156: Step1- Select VPN Name
Figure 10-157: Step2- Set remote IP Address
Figure 10-158: Step3- Set Policy & Routing

3- Create a default static route pointing to the gateway.

Figure 10-159: Set a default gateway

AWS Configuration

1- Create a FortiGate firewall in AWS and configure its interfaces. You need to complete all the steps of the previous section (Section 10-5).

2- Create a VPN with the IPsec Wizard, as shown in Figures 10-160 to 10-162.

Figure 10-160: Step1- Select VPN Name
Figure 10-161: Step2- Set a remote IP address

Figure 10-162: Step3- Set Policy & Routing

3- Create static routes on FortiGate. We are going to create two static routes as follows:

Figure 10-163: Set a default gateway via 10.0.0.1

Figure 10-164: Create a static route to the 10.0.0.0/16 network via 10.0.1.1
Figure 10-165: Overview of static routes on FortiGate

4- Go to VPN > IPsec Tunnels and check the status of the tunnel.

Figure 10-166: Check the status of the tunnel on AWS

Figure 10-167: Check the status of the tunnel on the on-premise FortiGate

5- You should now be able to ping from WebTerm to the virtual machine in AWS, and vice versa.

Figure 10-168: Ping from webterm to Windows VM

Figure 10-169: Ping from Windows VM to webterm
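For reference, the following is the FortiOS CLI equivalent of what the IPsec Wizard builds on the on-premise FortiGate in the steps above. It is an added example, not configuration taken from the lab; the tunnel name to-aws, the remote gateway 203.0.113.10 (standing in for the AWS FortiGate's Elastic IP) and the pre-shared key are placeholders, while the 192.168.10.0/24 LAN and 10.0.0.0/16 VPC ranges come from the lab.

```fortios
# Phase 1: IKEv2 with a PSK to the AWS FortiGate's Elastic IP (203.0.113.10 is a placeholder)
config vpn ipsec phase1-interface
    edit "to-aws"
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha256
        set remote-gw 203.0.113.10
        set psksecret "REPLACE_WITH_STRONG_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-aws"
        set phase1name "to-aws"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
end
# Tunnel route plus a blackhole so VPC-bound traffic is dropped, not sent in the clear, while the tunnel is down
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "to-aws"
    next
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end
# Policies in both directions, as needed for the ping tests in step 5
config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "to-aws"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "to-aws"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The AWS side mirrors this with the subnets swapped and the on-premise Port1 address as remote-gw; since Port1 is a DHCP client, that address can change and the tunnel will stop coming up until the remote gateway is updated.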
