Connecting a Fortinet VPN to Amazon AWS VPC
There is a lot of spotty information out there on the Internet on how to connect a Fortinet VPN router to an Amazon AWS VPC VPN, but a lot of it is confusing, wants you to use the GUI, is outdated, or simply doesn’t work that well. It took me a bit to get all of the pieces put together, but here are the basic steps involved:
- Enable asymmetric routing – this allows packets to go out through one of the tunnels and come back through the other
- Create interface-based VPN tunnels (phase1 and phase2)
- Configure the wan1 sub-interfaces automatically created in step 2
- Configure BGP
- Configure firewall rules
So here’s a generic configuration that does this. If you right-click on the VPN gateway in the AWS Console and download the “Generic” configuration, you can easily fill in the values marked CHANGE in this config from it.
Also, you need to make sure that the policy numbers I put in for the firewall configuration (policies 200-203) do not conflict with any existing policy numbers you have configured. If they do, just pick a different number; the number doesn’t matter. Note that these policies allow all traffic in both directions between your internal network and the VPC. After you get it working, you’ll probably want to tighten those policies up quite a bit.
So without further ado:
config system settings
    set asymroute enable
end
config vpn ipsec phase1-interface
    edit "amazon1"
        set interface "wan1"
        set dpd enable
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw <CHANGE: Tunnel #1 Outside Virtual Private Gateway>
        set psksecret <CHANGE: Tunnel #1 Pre-Shared Key>
        set dpd-retryinterval 10
    next
    edit "amazon2"
        set interface "wan1"
        set dpd enable
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw <CHANGE: Tunnel #2 Outside Virtual Private Gateway>
        set psksecret <CHANGE: Tunnel #2 Pre-Shared Key>
        set dpd-retryinterval 10
    next
end
config vpn ipsec phase2-interface
    edit "amazon1"
        set dhgrp 2
        set pfs enable
        set phase1name "amazon1"
        set proposal aes128-sha1
        set replay enable
    next
    edit "amazon2"
        set dhgrp 2
        set pfs enable
        set phase1name "amazon2"
        set proposal aes128-sha1
        set replay enable
    next
end
config system interface
    edit "amazon1"
        set vdom "root"
        set ip <CHANGE: Tunnel #1 Inside Customer Gateway> 255.255.255.255
        set type tunnel
        set remote-ip <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
        set interface "wan1"
    next
    edit "amazon2"
        set vdom "root"
        set ip <CHANGE: Tunnel #2 Inside Customer Gateway> 255.255.255.255
        set type tunnel
        set remote-ip <CHANGE: Tunnel #2 Inside Virtual Private Gateway>
        set interface "wan1"
    next
end
config router bgp
    set as <CHANGE: BGP Customer Gateway ASN>
    config neighbor
        edit <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
            set remote-as <CHANGE: Tunnel #1 BGP Virtual Private Gateway ASN>
        next
        edit <CHANGE: Tunnel #2 Inside Virtual Private Gateway>
            set remote-as <CHANGE: Tunnel #2 BGP Virtual Private Gateway ASN>
        next
    end
    config network
        edit 1
            set prefix <CHANGE: Your Local Net> <CHANGE: Your Local netmask>
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    set router-id <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
end
config firewall policy
    edit 200
        set srcintf "internal"
        set dstintf "amazon1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 201
        set srcintf "amazon1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 202
        set srcintf "internal"
        set dstintf "amazon2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 203
        set srcintf "amazon2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
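As an added example (my own helper, not part of the original post), here is a small Python script that fills in the <CHANGE: ...> placeholders of the template above and first checks the traps mentioned earlier: policy numbers 200-203 colliding with policies you already have, tunnel inside addresses that are not AWS 169.254.0.0/16 link-local addresses or are reused across the two tunnels, and an empty pre-shared key. The names validate, render, SAMPLE and EXCERPT are mine, and the sample values are constructed from documentation and link-local ranges.

```python
import ipaddress
import re

# Hypothetical helper (not from the post): sanity-check the <CHANGE: ...> values, then fill them in.
PLACEHOLDER = re.compile(r"<CHANGE: ([^>]+)>")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # AWS tunnel inside addresses
PAGE_POLICY_IDS = (200, 201, 202, 203)               # policy numbers the template uses

def validate(values, existing_policy_ids):
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    clash = sorted(set(PAGE_POLICY_IDS) & set(existing_policy_ids))
    if clash:
        problems.append(f"firewall policy id(s) already in use: {clash}")
    seen = set()
    for n in (1, 2):
        for side in ("Customer Gateway", "Virtual Private Gateway"):
            key = f"Tunnel #{n} Inside {side}"
            addr = ipaddress.ip_address(values[key])
            if addr not in LINK_LOCAL:
                problems.append(f"{key} {addr} is not in {LINK_LOCAL}")
            if addr in seen:
                problems.append(f"{key} {addr} is used more than once")
            seen.add(addr)
        if not values[f"Tunnel #{n} Pre-Shared Key"]:
            problems.append(f"Tunnel #{n} Pre-Shared Key is empty")
    return problems

def render(template, values):
    """Substitute every placeholder; raise KeyError if any has no value."""
    missing = set()
    def sub(m):
        if m.group(1) not in values:
            missing.add(m.group(1))
            return m.group(0)
        return str(values[m.group(1)])
    out = PLACEHOLDER.sub(sub, template)
    if missing:
        raise KeyError(f"no value for: {sorted(missing)}")
    return out

# Constructed sample values (documentation and link-local ranges), not a real deployment.
SAMPLE = {"Tunnel #1 Outside Virtual Private Gateway": "203.0.113.10",
          "Tunnel #1 Pre-Shared Key": "example-psk-1", "Tunnel #2 Pre-Shared Key": "example-psk-2",
          "Tunnel #1 Inside Customer Gateway": "169.254.10.2", "Tunnel #1 Inside Virtual Private Gateway": "169.254.10.1",
          "Tunnel #2 Inside Customer Gateway": "169.254.20.2", "Tunnel #2 Inside Virtual Private Gateway": "169.254.20.1"}
# Excerpt of the template above, enough to show the substitution.
EXCERPT = ('    edit "amazon1"\n'
           '        set remote-gw <CHANGE: Tunnel #1 Outside Virtual Private Gateway>\n'
           '        set psksecret <CHANGE: Tunnel #1 Pre-Shared Key>\n')
```

Run validate against the policy ids from your existing `config firewall policy` before pasting the rendered output into the FortiGate; render refuses to emit a config with any placeholder left unfilled.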