How to configure IPsec VPN between AWS and Fortinet Firewall

1. The purpose of the article

In this article techbast shows how to configure a site-to-site IPsec VPN between a Fortinet FortiGate firewall and AWS.

2. Diagram

Details:

Fortinet Firewall:

  • The internet connection is on wan1 of the Fortinet Firewall, with public IP 115.78.x.x.
  • The LAN of the Fortinet Firewall is on Port 2 with subnet 10.10.8.0/23; DHCP is configured on it to hand out addresses to connected devices.

AWS:

  • AWS has a WAN (tunnel endpoint) IP of 3.137.101.133.
  • In the AWS VPC there is a Linux server with IP 172.31.42.255/20 (subnet 172.31.32.0/20).

3. Scenario

Based on the above diagram, we will configure a site-to-site IPsec VPN between the Fortinet Firewall and AWS so that the LANs on both sides can communicate with each other.

4. What to do

AWS:

  • Create AWS Customer Gateway.
  • Create Virtual Private Gateway.
  • Create Site-to-site VPN connection.
  • Create route.
  • Download the VPN configuration file and collect the necessary information.

Fortinet Firewall:

  • Create profile for Local and Remote subnet.
  • Create VPN tunnels.
  • Create Static Routes.
  • Create Policy.

Finally, check the result.

5. Configuration.

5.1. AWS.

5.1.1. Create AWS Customer Gateway

Sign in to the AWS Management Console with an administrative account.

Click Services and select VPC.

Under Filter by VPC, select the VPC in which the IPsec VPN will terminate.

Go to VIRTUAL PRIVATE NETWORK (VPN) > Customer Gateways > Click Create Customer Gateway.

Create Customer Gateways with the following parameters:

  • Name: Fortinet Firewall.
  • Routing: Static.
  • IP Address: Enter Fortinet’s WAN IP 115.78.x.x.
  • Click Create Customer Gateway.

5.1.2. Create Virtual Private Gateway

Go to VIRTUAL PRIVATE NETWORK > Virtual Private Gateways > Click Create Virtual Private Gateway.

Create a Virtual Private Gateway with the following parameters:

  • Name tag: VPG-FortinetComunity.
  • ASN: Amazon default ASN.
  • Click Create Virtual Private Gateway.

Next, attach the newly created Virtual Private Gateway to the VPC.

To do so, select the newly created Virtual Private Gateway > Actions > Attach to VPC.

Select the VPC chosen at the Customer Gateway step and click Yes, Attach.

The Virtual Private Gateway is now attached to the VPC.

5.1.3. Create Site-to-site VPN Connection.

To create it, go to VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connections > click Create VPN Connection.

Create with the following information:

  • Name tag: S2S-AWS-to-Fortinet.
  • Target Gateway Type: select Virtual Private Gateway.
  • Virtual Private Gateway *: Select the Virtual Private Gateways you just created in the previous step.
  • Customer Gateway: select Existing.
  • Customer Gateway ID *: select the Customer Gateway created in the step above.
  • Routing Option: Static.
  • Static IP Prefixes: enter Fortinet's LAN subnet, 10.10.8.0/23.
  • Local IPv4 Network CIDR: enter 10.10.8.0/23 (the customer gateway side, i.e. the Fortinet LAN).
  • Remote IPv4 Network CIDR: enter the AWS subnet, 172.31.32.0/20.
  • Click Create VPN Connection.

5.1.4. Create route

We need a static route in the VPC route table that sends traffic for the Fortinet LAN subnet to the Virtual Private Gateway.

To create it, go to VIRTUAL PRIVATE CLOUD > Route Tables > select the route table used by the VPC's subnets > Routes tab > click Edit routes > click Add route.

Add a route with the following parameters:

  • Destination: 10.10.8.0/23.
  • Target: select the newly created Virtual Private Gateway.
  • Click Save changes.

5.1.5. Download the VPN configuration file and collect the necessary information.

After creating the VPN connection, select it and click Download Configuration.

Select the following information to download the configuration file:

  • Vendor: Generic.
  • Platform: Generic.
  • Software: Vendor Agnostic.
  • Ike Version: ikev2.

Open the configuration file just downloaded. It contains, for each of the two tunnels AWS provisions, the Phase 1 (IKE) and Phase 2 (IPsec) parameters, the pre-shared key, and the endpoint addresses. The values used in this article are:

Phase 1: pre-shared key authentication, AES128 encryption, SHA1 authentication, Diffie-Hellman group 2, lifetime 28800 seconds.

Phase 2: AES128 encryption, SHA1 authentication, Perfect Forward Secrecy with Diffie-Hellman group 2, lifetime 3600 seconds.

Information about the AWS and Fortinet WAN IPs:

  • AWS WAN IP: 3.137.101.133.
  • Fortinet WAN IP: 115.78.x.x.
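Pulling these values out of the file by hand is error-prone, especially when both tunnels have to be configured. The Python script below is an added example, not code from techbast or AWS: it parses the vendor-agnostic file into one record per tunnel and maps the values to the names used in the FortiGate wizard. SAMPLE_CONFIG is a constructed text that mimics the layout of the real download (the `! - Key : Value` lines, one block per `IPSec Tunnel #n`); its pre-shared keys and the 203.0.113.10 / 198.51.100.20 addresses are placeholders, standing in for the masked Fortinet WAN IP and the second AWS endpoint.

```python
"""Pull the Phase 1 / Phase 2 values and endpoint addresses out of the
Generic / Vendor Agnostic configuration file that AWS offers for download
on a Site-to-Site VPN connection. Example code added to this article, not
part of the original; SAMPLE_CONFIG is constructed to mimic the real file."""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
! Amazon Web Services
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : EXAMPLEpsk1NotReal
!   - Authentication Algorithm : sha1
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 28800 seconds
!   - Diffie-Hellman           : Group 2
! #2: IPSec Configuration
!   - Authentication Algorithm : hmac-sha1-96
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 3600 seconds
!   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
!   - DPD Interval             : 10
!   - DPD Retries              : 3
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 3.137.101.133
! Inside IP Addresses
!   - Customer Gateway         : 169.254.10.2/30
!   - Virtual Private Gateway  : 169.254.10.1/30
! IPSec Tunnel #2
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 198.51.100.20
"""

@dataclass
class Tunnel:
    number: int
    phase1: dict = field(default_factory=dict)   # IKE SA, the "#1:" block
    phase2: dict = field(default_factory=dict)   # IPsec SA, the "#2:" block
    outside: dict = field(default_factory=dict)  # public endpoint addresses

_TUNNEL_RE = re.compile(r"IPSec Tunnel #(\d+)")
_KV_RE = re.compile(r"^-\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.+?)$")

def parse_aws_generic_config(text):
    """One Tunnel per 'IPSec Tunnel #n' block, keyed by the file's own labels."""
    tunnels, current, target = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("! ").rstrip()        # every line of the file starts with '!'
        if m := _TUNNEL_RE.search(line):
            current = Tunnel(int(m.group(1)))
            tunnels.append(current)
            target = None
        elif current is None:
            continue                            # preamble before the first tunnel
        elif line.startswith("#1:"):
            target = current.phase1
        elif line.startswith("#2:"):
            target = current.phase2
        elif line.startswith("#3:"):
            target = None                       # wait for the Outside/Inside heading
        elif line.startswith("Outside IP Addresses"):
            target = current.outside
        elif line.startswith("Inside IP Addresses"):
            target = None                       # 169.254.x.x/30 link IPs, only needed with BGP
        elif target is not None and (kv := _KV_RE.match(line)):
            target[kv["key"]] = kv["val"]
    return tunnels

def _algo(val):
    """'aes-128-cbc' -> 'AES128'; 'sha1' or 'hmac-sha1-96' -> 'SHA1'; 'sha2-256' -> 'SHA256'."""
    if m := re.search(r"aes-(\d+)", val):
        return "AES" + m.group(1)
    if m := re.search(r"sha(?:2-)?(\d+)", val):
        return "SHA" + m.group(1)
    raise ValueError(f"unrecognised algorithm {val!r}")

def _group(val):
    return int(re.search(r"Group\s+(\d+)", val).group(1))

def fortigate_wizard_values(t):
    """Map one tunnel to the fields the FortiGate IPsec wizard asks for."""
    p1, p2 = t.phase1, t.phase2
    return {
        "remote_gateway": t.outside["Virtual Private Gateway"],
        "psk": p1["Pre-Shared Key"],
        "p1_encryption": _algo(p1["Encryption Algorithm"]),
        "p1_authentication": _algo(p1["Authentication Algorithm"]),
        "p1_dh_group": _group(p1["Diffie-Hellman"]),
        "p1_lifetime": int(p1["Lifetime"].split()[0]),
        "p2_encryption": _algo(p2["Encryption Algorithm"]),
        "p2_authentication": _algo(p2["Authentication Algorithm"]),
        "p2_pfs_group": _group(p2["Perfect Forward Secrecy"]),
        "p2_lifetime": int(p2["Lifetime"].split()[0]),
    }

if __name__ == "__main__":
    print(fortigate_wizard_values(parse_aws_generic_config(SAMPLE_CONFIG)[0]))
```

Feed it the real download instead of SAMPLE_CONFIG and use the record for tunnel #1 in the wizard; the DPD Interval / DPD Retries lines that AWS puts in the same file are the values it recommends for the customer gateway side.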

5.2. Fortinet Firewall

5.2.1. Create profiles for Local and Remote subnets

We will create address objects for the Local and Remote subnets.

To create them, go to Policy & Objects > Addresses > click Create New > Address.

Create a profile for the Local (Fortinet) subnet with the following parameters:

  • Name: LAN_Fortinet.
  • Type: Subnet.
  • IP/Netmask: 10.10.8.0/23.
  • Interface: any.
  • Click OK.

Similarly, create a profile for the AWS subnet with the following parameters:

  • Name: LAN_AWS.
  • Type: Subnet.
  • IP/Netmask: 172.31.32.0/20.
  • Interface: any.

Click OK.

5.2.2. Create VPN Tunnels

To create the VPN tunnel, go to VPN > IPsec Tunnels > click Create New.

The VPN Creation Wizard opens; fill in the following:

  • Name: VPN_FG_to_AWS
  • Template type: select Custom
  • Click Next.

Configure the Network section with the following parameters:

  • IP Version: IPv4
  • Remote Gateway: Static IP Address
  • IP Address: enter the AWS WAN IP, 3.137.101.133.
  • Interface: select the WAN port of the Fortinet device used to establish the VPN connection, wan1.
  • Local Gateway: Disable
  • Mode Config: unchecked
  • NAT Traversal: Disable
  • Dead Peer Detection: Disable

Note that the configuration file downloaded from AWS recommends enabling DPD (AWS runs it on its side); with it disabled here, the FortiGate does not notice a dead AWS endpoint until traffic fails.

Authentication section:

  • Method: select Pre-shared Key
  • Pre-shared Key: enter the key for the VPN connection (the pre-shared key is listed under Phase 1 in the configuration file downloaded from AWS).
  • IKE Version: 2

Phase 1 Proposal section: enter the Phase 1 values from the configuration file downloaded from AWS.

  • Encryption: AES128
  • Authentication: SHA1
  • Diffie-Hellman Group: select 2
  • Key Lifetime (seconds): 28800

Phase 2 Selectors section:

  • Local Address: select Subnet and enter Fortinet's LAN subnet, 10.10.8.0/23.
  • Remote Address: select Subnet and enter AWS's LAN subnet, 172.31.32.0/20.

New Phase 2 section:

  • Encryption: AES128
  • Authentication: SHA1
  • Enable Perfect Forward Secrecy: check and select Group 2.
  • Key Lifetime: select Seconds
  • Seconds: 3600

These are the defaults in the AWS configuration file and must match on both sides. AES128/SHA1 with Diffie-Hellman group 2 (1024-bit MODP) is weak by current standards; both AWS (under the VPN connection's tunnel options) and FortiOS accept AES256, SHA256 and Diffie-Hellman group 14 or higher, so for a new deployment change them on both ends.

Click OK

5.2.3. Create Static Routes

We need a static route on the Fortinet firewall that sends traffic for the AWS LAN subnet into the IPsec tunnel just created.

To create, go to Network > Static Routes and click Create New.

Configure according to the following parameters:

  • Destination: enter AWS LAN subnet as 172.31.32.0/20.
  • Interface: select the newly created IPsec tunnel VPN_FG_to_AWS.
  • Status: select Enable.
  • Click OK.

5.2.4. Create Policy

We need policies so that traffic from Fortinet's LAN can enter the VPN and traffic arriving from the VPN can reach Fortinet's LAN.

To create a policy, go to Policy & Objects > IPv4 Policy and click Create New.

Configure the policy that allows traffic from the Fortinet LAN subnet to the AWS LAN subnet with the following parameters:

  • Name: LAN_TO_AWS
  • Incoming Interface: select the LAN interface, VLAN 2 (VLAN2).
  • Outgoing Interface: select the VPN tunnel VPN_FG_to_AWS just created
  • Source: Select profile LAN_Fortinet
  • Destination: Select profile LAN_AWS
  • Service: Select ALL
  • Action: Select ACCEPT
  • Log Allowed Traffic: enable and select All Session
  • Enable this policy: ON
  • Click OK

Configure the policy that allows traffic from the AWS LAN subnet to the Fortinet LAN subnet with the following parameters:

  • Name: AWS_TO_LAN
  • Incoming Interface: select the VPN tunnel VPN_FG_to_AWS just created
  • Outgoing Interface: select VLAN 2 (VLAN2)
  • Source: Select profile LAN_AWS
  • Destination: Select LAN_Fortinet
  • Service: Select ALL
  • Action: Select ACCEPT
  • Log Allowed Traffic: enable and select All Session
  • Enable this policy: ON
  • Click OK
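The same Fortinet steps in CLI form. The Python script below is an added example, not code from techbast or Fortinet: it renders the address objects, phase 1 and phase 2, the static route and the two policies above from one parameter set, and first lists the settings a practitioner would want to change. PARAMS holds the article's values; the PSK is a placeholder, the LAN interface name port2 is assumed from the diagram (the screenshots use VLAN2), and the FortiOS keywords are the ones used by the 6.x/7.x CLI (where dpd takes disable, on-idle or on-demand), so check any rejected line against your own unit.

```python
"""FortiOS CLI equivalent of the GUI steps in section 5.2, rendered from one
set of tunnel parameters. Example code added to this article, not the author's;
PARAMS holds the article's values, the PSK is a placeholder and 'port2' as the
LAN interface is assumed from the diagram. Keywords follow the FortiOS 6.x/7.x CLI."""
import ipaddress

PARAMS = {
    "tunnel_name": "VPN_FG_to_AWS",
    "wan_interface": "wan1",
    "lan_interface": "port2",              # assumption: LAN on Port 2 per the diagram
    "remote_gateway": "3.137.101.133",
    "psk": "REPLACE_WITH_PSK_FROM_AWS_FILE",
    "local_subnet": "10.10.8.0/23",
    "remote_subnet": "172.31.32.0/20",
    "p1_proposal": "aes128-sha1", "p1_dh_group": 2, "p1_lifetime": 28800,
    "p2_proposal": "aes128-sha1", "p2_pfs_group": 2, "p2_lifetime": 3600,
    "dpd": "disable",                      # as in the article; AWS recommends DPD
}

def _mask(cidr):
    """'10.10.8.0/23' -> '10.10.8.0 255.255.254.0' (FortiOS subnet syntax)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"

def weak_settings(p):
    """Settings both sides accept but that are below current practice."""
    w = []
    if min(p["p1_dh_group"], p["p2_pfs_group"]) < 14:
        w.append("DH group below 14 (2048-bit MODP); AWS and FortiOS both offer 14 or higher")
    if "sha1" in p["p1_proposal"] or "sha1" in p["p2_proposal"]:
        w.append("SHA1 integrity; aes256-sha256 is accepted by both AWS and FortiOS")
    if p["dpd"] == "disable":
        w.append("DPD disabled; a dead AWS endpoint goes unnoticed until traffic fails")
    return w

def render_fortios_config(p):
    """Address objects, phase1/phase2, static route and both policies as CLI text."""
    name = p["tunnel_name"]
    local, remote = _mask(p["local_subnet"]), _mask(p["remote_subnet"])
    lines = [
        "config firewall address",
        '    edit "LAN_Fortinet"', f"        set subnet {local}", "    next",
        '    edit "LAN_AWS"', f"        set subnet {remote}", "    next",
        "end",
        "config vpn ipsec phase1-interface",
        f'    edit "{name}"',
        f'        set interface "{p["wan_interface"]}"',
        "        set ike-version 2",
        f'        set keylife {p["p1_lifetime"]}',
        "        set peertype any",
        f'        set proposal {p["p1_proposal"]}',
        f'        set dhgrp {p["p1_dh_group"]}',
        "        set nattraversal disable",
        f'        set dpd {p["dpd"]}',
        f'        set remote-gw {p["remote_gateway"]}',
        f'        set psksecret "{p["psk"]}"',
        "    next", "end",
        "config vpn ipsec phase2-interface",
        f'    edit "{name}"',
        f'        set phase1name "{name}"',
        f'        set proposal {p["p2_proposal"]}',
        "        set pfs enable",
        f'        set dhgrp {p["p2_pfs_group"]}',
        f'        set keylifeseconds {p["p2_lifetime"]}',
        f"        set src-subnet {local}",
        f"        set dst-subnet {remote}",
        "    next", "end",
        "config router static",
        "    edit 0", f"        set dst {remote}", f'        set device "{name}"', "    next",
        "end",
        "config firewall policy",
    ]
    # LAN_TO_AWS: LAN -> tunnel; AWS_TO_LAN: tunnel -> LAN (the article's two policies)
    for pname, sif, dif, src, dst in (
        ("LAN_TO_AWS", p["lan_interface"], name, "LAN_Fortinet", "LAN_AWS"),
        ("AWS_TO_LAN", name, p["lan_interface"], "LAN_AWS", "LAN_Fortinet"),
    ):
        lines += [
            "    edit 0", f'        set name "{pname}"',
            f'        set srcintf "{sif}"', f'        set dstintf "{dif}"',
            f'        set srcaddr "{src}"', f'        set dstaddr "{dst}"',
            "        set action accept", '        set schedule "always"',
            '        set service "ALL"', "        set logtraffic all",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for warning in weak_settings(PARAMS):
        print("# WARNING:", warning)
    print(render_fortios_config(PARAMS))
```

Paste the output into the FortiGate CLI and confirm it with `show vpn ipsec phase1-interface` afterwards; the psksecret line is the only secret in the rendered text, so keep it out of version control. Service ALL in both policies mirrors the article; in production, narrow the AWS_TO_LAN policy to the ports the Linux server actually needs.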

5.3. Result.

On the Fortinet device, to check whether the tunnel is running, go to VPN > IPsec Tunnels and click the name of the newly created tunnel. As shown, the tunnel is UP. (From the CLI, diagnose vpn ike gateway list shows the IKE SA and diagnose vpn tunnel list the Phase 2 SAs.)

On AWS, to check the tunnel status go to VPC > VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connections > select the newly created connection > click the Tunnel Details tab.

As you can see, the tunnel whose outside IP is 3.137.101.133 is UP. AWS provisions two tunnels per connection; only the first one is configured here, so the second stays DOWN and there is no failover if the 3.137.101.133 endpoint becomes unavailable.

Techbast uses the Linux server in AWS to ping the LAN interface of the Fortinet firewall to check that traffic passes over the VPN.

The ping to Fortinet's LAN interface succeeds.

5 Comments

    • I would point out something about this script though.
      The aggregate redundant connection limited the speed of the tunnel greatly.
      After we removed the second Phase 2 and made it a regular IPsec tunnel, the data speed increased greatly (aggregate maxed out @ ~80mbit/s).

      # ipsec-aggregate redundant
      config system ipsec-aggregate
          edit TUNNEL_NAME
              set member AWS_TUNNEL_NAME_1 AWS_TUNNEL_NAME_2
              set algorithm redundant
          next
      end

  1. I have been searching for months for this exact procedure and nothing has worked. Your process was the first one that worked for me!! THANK YOU SO MUCH for posting this!!!
