
Connecting a Fortinet VPN to Amazon AWS VPC

May 5th, 2012

There is a lot of spotty information out there on the Internet on how to connect a Fortinet VPN router to an Amazon AWS VPC VPN, but a lot of it is confusing, wants you to use the GUI, is outdated, or simply doesn’t work that well. It took me a bit to get all of the pieces put together, but here are the basic steps involved:

  1. Enable asymmetric routing – this allows packets to go out through one of the tunnels and come back through the other (be aware that with asymmetric routing enabled the FortiGate can no longer fully track those sessions statefully, so the firewall policies below are doing less inspection than usual)
  2. Create interface based VPN tunnels (phase1 and phase2)
  3. Configure the wan1 sub-interfaces automatically created in step 2
  4. Configure BGP
  5. Configure firewall rules

So here’s a generic configuration that does this. If you right click on the VPN gateway in the AWS Console and download the “Generic” configuration, each value marked <CHANGE: …> below maps directly onto a field in that download, so you can fill them in easily.

Also, you need to make sure that the policy numbers I put in for the firewall configuration (policies 200-203) do not conflict with any existing policy numbers you have configured. If they do, just pick a different number; the number doesn’t matter. Note that these policies allow all traffic (any source, any destination, any service) in both directions between your internal network and the VPC. Once you have the tunnels working, you’ll want to tighten those policies up quite a bit by restricting them to the specific hosts and services that actually need to cross the VPN.

So without further ado:

config system settings
    set asymroute enable
end

config vpn ipsec phase1-interface
    edit "amazon1"
        set interface "wan1"
        set dpd enable
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw <CHANGE: Tunnel #1 Outside Virtual Private Gateway>
        set psksecret <CHANGE: Tunnel #1 Pre-Shared Key>
        set dpd-retryinterval 10
    next
    edit "amazon2"
        set interface "wan1"
        set dpd enable
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw <CHANGE: Tunnel #2 Outside Virtual Private Gateway>
        set psksecret <CHANGE: Tunnel #2 Pre-Shared Key>
        set dpd-retryinterval 10
    next
end

config vpn ipsec phase2-interface
    edit "amazon1"
        set dhgrp 2
        set pfs enable
        set phase1name "amazon1"
        set proposal aes128-sha1
        set replay enable
    next
    edit "amazon2"
        set dhgrp 2
        set pfs enable
        set phase1name "amazon2"
        set proposal aes128-sha1
        set replay enable
    next
end

config system interface
    edit "amazon1"
        set vdom "root"
        set ip <CHANGE: Tunnel #1 Inside Customer Gateway> 255.255.255.255
        set type tunnel
        set remote-ip <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
        set interface "wan1"
    next
    edit "amazon2"
        set vdom "root"
        set ip <CHANGE: Tunnel #2 Inside Customer Gateway> 255.255.255.255
        set type tunnel
        set remote-ip <CHANGE: Tunnel #2 Inside Virtual Private Gateway>
        set interface "wan1"
    next
end

config router bgp
    set as <CHANGE: BGP Customer Gateway ASN>
        config neighbor
            edit <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
                set remote-as <CHANGE: Tunnel #1 BGP Virtual Private Gateway ASN>
            next
            edit <CHANGE: Tunnel #2 Inside Virtual Private Gateway>
                set remote-as <CHANGE: Tunnel #2 BGP Virtual Private Gateway ASN>
            next
        end
        config network
            edit 1
                set prefix <CHANGE: Your Local Net> <CHANGE: Your Local netmask>
            next
        end
        config redistribute "connected"
        end
        config redistribute "rip"
        end
        config redistribute "ospf"
        end
        config redistribute "static"
        end
    set router-id <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
end

config firewall policy
    edit 200
        set srcintf "internal"
        set dstintf "amazon1"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
    next
    edit 201
        set srcintf "amazon1"
        set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
    next
    edit 202
        set srcintf "internal"
        set dstintf "amazon2"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
    next
    edit 203
        set srcintf "amazon2"
        set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
    next
end
