Chapter 10. Cloud Technologies
- Configure a Customer Gateway in AWS
- Configure a Virtual Private Gateway
- Create an IPsec VPN between FortiGate on-Premise and AWS
| Device | Interfaces | Administrative access |
|---|---|---|
| FortiGate | Port 1: DHCP client; Port 2: 192.168.10.1/24 | Port1: HTTP, HTTPS, PING |
- Create a VPC for AWS as follows:
- Name tag: AWS Subnet
- IPv4 CIDR: 10.0.0.0/16
- Create a private subnet under AWS VPC as follows:
- VPC: AWS Subnet
- Subnet Name: Private
- IPv4 CIDR block: 10.0.1.0/24
- Create an internet gateway (AWS-IGW) and attach it to the AWS Subnet VPC.
- Edit the routes of the VPC route table and add a default route (0.0.0.0/0) whose target is the internet gateway (AWS-IGW).
- Create a customer gateway (AWS-VPN-FG) whose IP address is the public address of the FortiGate's port1 (the address port1 obtains as a DHCP client).
- Create a virtual private gateway (FortiGate) and attach it to the AWS Subnet VPC. Then add a route for 192.168.10.0/24 via this virtual private gateway to the VPC route table (or enable route propagation for that table); without it, return traffic from the private subnet never reaches the tunnel.
- Create a Site-to-Site VPN connection as follows:
- Name Tag: VPNAWS
- Target gateway type: Virtual private gateway
- Virtual Private Gateway: FortiGate
- Customer Gateway ID: AWS-VPN-FG
- Routing options: Static
- Static IP prefixes: 192.168.10.0/24
- Local IPv4 network CIDR: 192.168.10.0/24
- Remote IPv4 network CIDR: 10.0.1.0/24
- Tunnel 1 and Tunnel 2 options: leave as default
- From the VPN connection, download the configuration file (choose the FortiGate platform or Generic) and open it. It lists the phase 1 and phase 2 parameters, the pre-shared key, and the outside and inside tunnel addresses for both tunnels. Treat the file as a secret: the pre-shared key is in it.
- First configure the interface addresses: port1 as a DHCP client (this is the public address the customer gateway points at) and port2 as 192.168.10.1/24.
- Create a default static route (0.0.0.0/0) through port1 (the WAN port), as in Figure 10.88.
- Run the IPsec Wizard with the Custom template and set the following:
- Remote Gateway IP Address: Public_IP_Address_AWS_Virtual_Gateway (the outside IP address of the tunnel, from the configuration file)
- NAT Traversal: Disable
- Pre-shared Key: the same key as on the AWS side (psWvIznNXaD3e1bWB9mVrODkrYALmrBO)
- Local Address: 192.168.10.0/24
- Remote Address: 10.0.0.0/16
- Phase 1: Encryption: AES128, Authentication: SHA-1, DH group: 2, lifetime: 28800 seconds
- Phase 2: Encryption: AES128, Authentication: SHA-1, DH group (PFS): 2, lifetime: 3600 seconds
- IKE: version 2
The local and remote addresses become the phase 2 selectors. AWS negotiates the Local and Remote IPv4 network CIDRs set on the VPN connection (192.168.10.0/24 and 10.0.1.0/24), so if phase 1 comes up but phase 2 does not, check that the FortiGate's selectors agree with those CIDRs.
The AES128/SHA-1/DH group 2 values match the defaults in the AWS-generated configuration file. Both ends accept stronger proposals (for example AES256, SHA2-256 and DH group 14 or higher); if you choose them on the FortiGate, change the tunnel options on the AWS VPN connection to match, or phase 1 will fail.
- Set the IP address of the FG-AWS tunnel interface from the configuration file. AWS assigns each tunnel a /30 from 169.254.0.0/16 for the inside addresses: use the customer gateway inside address as the interface IP and the virtual private gateway inside address as the remote IP.
- Create a static route from the on-premises LAN to the AWS LAN, based on the configuration file: destination 10.0.1.0/24 (or the whole VPC, 10.0.0.0/16) with the FG-AWS tunnel interface as the outgoing device.
- Create two firewall policies, Port2 to the FG-AWS tunnel and the FG-AWS tunnel to Port2, using address objects for the on-premises subnet (192.168.10.0/24) and the AWS subnet. NAT must be disabled on both policies: in a site-to-site VPN the phase 2 selectors and the AWS routes refer to the real private addresses, and source NAT would break them.
Under VPN > IPsec Tunnels the FG-AWS tunnel should now show as Up, and on the AWS side the tunnel status in the VPN connection's tunnel details should also show Up. To confirm that traffic flows, ping an instance in 10.0.1.0/24 from a host on 192.168.10.0/24; the instance's security group and the subnet's network ACL must allow ICMP from 192.168.10.0/24.