Connecting a Fortinet VPN to Amazon AWS VPC
There is a lot of spotty information on the Internet about connecting a Fortinet VPN router to an Amazon AWS VPC VPN, but much of it is confusing, wants you to use the GUI, is outdated, or simply doesn’t work that well. It took me a bit to get all of the pieces put together, but here are the basic steps involved:
- Enable asymmetric routing – this allows packets to go out through one of the tunnels and come back through the other
- Create interface based VPN tunnels (phase1 and phase2)
- Configure the wan1 sub-interfaces automatically created in step 2
- Configure BGP
- Configure firewall rules
So here’s a generic configuration that does this. If you right-click on the VPN gateway in the AWS Console and download the “Generic” configuration, you can easily change the values in this config.
Also, you need to make sure that the policy numbers I put in for the firewall configuration (policies 200-203) do not conflict with any existing policy numbers you have configured. If they do, just pick a different number; the number doesn’t matter. Note that these policies allow all traffic in and out of your internal network and the VPC. After you get it working, you’ll probably want to tighten those policies up quite a bit.
So without further ado:
config system settings
    set asymroute enable
end
config vpn ipsec phase1-interface
    edit "amazon1"
        set interface "wan1"
        set dpd enable
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw <CHANGE: Tunnel #1 Outside Virtual Private Gateway>
        set psksecret <CHANGE: Tunnel #1 Pre-Shared Key>
        set dpd-retryinterval 10
    next
    edit "amazon2"
        set interface "wan1"
        set dpd enable
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw <CHANGE: Tunnel #2 Outside Virtual Private Gateway>
        set psksecret <CHANGE: Tunnel #2 Pre-Shared Key>
        set dpd-retryinterval 10
    next
end
config vpn ipsec phase2-interface
    edit "amazon1"
        set dhgrp 2
        set pfs enable
        set phase1name "amazon1"
        set proposal aes128-sha1
        set replay enable
    next
    edit "amazon2"
        set dhgrp 2
        set pfs enable
        set phase1name "amazon2"
        set proposal aes128-sha1
        set replay enable
    next
end
config system interface
    edit "amazon1"
        set vdom "root"
        set ip <CHANGE: Tunnel #1 Inside Customer Gateway> 255.255.255.255
        set type tunnel
        set remote-ip <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
        set interface "wan1"
    next
    edit "amazon2"
        set vdom "root"
        set ip <CHANGE: Tunnel #2 Inside Customer Gateway> 255.255.255.255
        set type tunnel
        set remote-ip <CHANGE: Tunnel #2 Inside Virtual Private Gateway>
        set interface "wan1"
    next
end
config router bgp
    set as <CHANGE: BGP Customer Gateway ASN>
    config neighbor
        edit <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
            set remote-as <CHANGE: Tunnel #1 BGP Virtual Private Gateway ASN>
        next
        edit <CHANGE: Tunnel #2 Inside Virtual Private Gateway>
            set remote-as <CHANGE: Tunnel #2 BGP Virtual Private Gateway ASN>
        next
    end
    config network
        edit 1
            set prefix <CHANGE: Your Local Net> <CHANGE: Your Local netmask>
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    set router-id <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
end
config firewall policy
    edit 200
        set srcintf "internal"
        set dstintf "amazon1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 201
        set srcintf "amazon1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 202
        set srcintf "internal"
        set dstintf "amazon2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 203
        set srcintf "amazon2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
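Before trusting a config in this layout, it is worth checking it mechanically rather than by eye. As an added example (not from the original post), here is a Python script that parses FortiOS CLI text in the config/edit/set/next/end form used above and runs the review checks that matter for a two-tunnel VPC setup: it notes `asymroute enable`, flags any/any accept policies that touch a tunnel interface, confirms each tunnel interface has an accept policy in both directions, and compares the two tunnels' rule sets for drift. Zone membership from `config system zone` is resolved, so a layout that puts both tunnel interfaces in one zone is audited the same way. The embedded sample is constructed: it mirrors the layout above trimmed to the tables the checks read, with made-up inside addresses, and policy 203 is deliberately narrowed to HTTPS so the drift check has something to report.

```python
import shlex
from dataclasses import dataclass, field


@dataclass
class Block:  # one `config` or `edit` scope
    settings: dict = field(default_factory=dict)  # `set key v1 v2` -> {key: [v1, v2]}
    entries: dict = field(default_factory=dict)   # `edit <name>` -> Block
    configs: dict = field(default_factory=dict)   # `config <path>` -> Block


def parse_fortios(text):
    """Parse FortiOS CLI text into a Block tree; raises ValueError on unbalanced scopes."""
    root = Block()
    stack = [("config", root)]
    for raw in text.splitlines():
        tok = shlex.split(raw)  # strips the quotes around "amazon1"
        if not tok or tok[0].startswith("#"):  # skip blanks and #config-version headers
            continue
        (kind, cur), kw, args = stack[-1], tok[0], tok[1:]
        if kw in ("config", "edit"):
            table = cur.configs if kw == "config" else cur.entries
            stack.append((kw, table.setdefault(" ".join(args), Block())))
        elif kw == "set":
            cur.settings[args[0]] = args[1:]
        elif kw in ("next", "end"):  # `next` closes an edit, `end` closes a config
            if len(stack) == 1 or kind != ("edit" if kw == "next" else "config"):
                raise ValueError(f"'{kw}' does not close an open scope: {raw.strip()}")
            stack.pop()
    if len(stack) > 1:
        raise ValueError("config text ends inside an open scope")
    return root


def audit(root):
    """Return findings for a two-tunnel VPC setup (empty list = nothing to report)."""
    def get(path):
        return root.configs.get(path, Block())
    findings = []
    if get("system settings").settings.get("asymroute") == ["enable"]:
        findings.append("asymroute enabled: return traffic may arrive on the other tunnel and is accepted without a matching session, so stateful inspection is relaxed; prefer keeping each flow on one tunnel via BGP")
    tunnels = {n for n, b in get("system interface").entries.items() if b.settings.get("type") == ["tunnel"]}
    zones = {z: set(b.settings.get("interface", [])) for z, b in get("system zone").entries.items()}
    def expand(names):  # zone name -> its member interfaces; plain interfaces pass through
        return {m for n in names for m in zones.get(n, {n})}
    seen = {t: set() for t in sorted(tunnels)}  # per tunnel: (direction, srcaddr, dstaddr, service) of each accept rule
    for pid, pol in get("firewall policy").entries.items():
        s = pol.settings
        if s.get("action") != ["accept"]:
            continue
        src, dst = expand(s.get("srcintf", [])), expand(s.get("dstintf", []))
        svc = s.get("service", [])
        key = (tuple(s.get("srcaddr", [])), tuple(s.get("dstaddr", [])), tuple(svc))
        for direction, intfs in (("from-tunnel", src), ("to-tunnel", dst)):
            for t in intfs & tunnels:
                seen[t].add((direction,) + key)
        # "ANY" is the catch-all service on older FortiOS, "ALL" on newer releases
        if (src | dst) & tunnels and key[:2] == (("all",), ("all",)) and set(svc) <= {"ANY", "ALL"}:
            findings.append(f"policy {pid}: any/any/{'/'.join(svc) or 'unset'} accept on a VPC tunnel; scope it to the VPC CIDR and the local subnets")
    names = list(seen)
    for t in names:
        for direction in ("from-tunnel", "to-tunnel"):
            if not any(r[0] == direction for r in seen[t]):
                findings.append(f"{t}: no accept policy {direction}")
    for t in names[1:]:
        if seen[t] != seen[names[0]]:
            findings.append(f"{names[0]} and {t} have different rule sets; both reach the same VPC, so the rules should match (a shared zone enforces this)")
    return findings


def policy(pid, src, dst, service):
    """Render one accept policy in the article's layout (keeps the constructed sample short)."""
    return (f'    edit {pid}\n        set srcintf "{src}"\n        set dstintf "{dst}"\n'
            f'        set srcaddr "all"\n        set dstaddr "all"\n'
            f'        set action accept\n        set service "{service}"\n    next\n')


# Constructed sample: the article's layout with made-up inside addresses, trimmed to the
# tables the checks read; policy 203 is narrowed to HTTPS so the drift check fires.
SAMPLE = "".join([
    """config system settings
    set asymroute enable
end
config system interface
    edit "amazon1"
        set ip 169.254.10.2 255.255.255.255
        set type tunnel
    next
    edit "amazon2"
        set ip 169.254.20.2 255.255.255.255
        set type tunnel
    next
end
config firewall policy
""",
    policy(200, "internal", "amazon1", "ANY"),
    policy(201, "amazon1", "internal", "ANY"),
    policy(202, "internal", "amazon2", "ANY"),
    policy(203, "amazon2", "internal", "HTTPS"),  # deliberate deviation
    "end\n",
])

if __name__ == "__main__":
    for line in audit(parse_fortios(SAMPLE)):
        print("-", line)
```

Run against the sample it reports the asymroute setting, three any/any policies and the amazon1/amazon2 drift; feed it the output of `show full-configuration` from a real unit (with the placeholders filled in) to audit the live config instead.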
Thanks, mate.
Got IPSecs to Amazon up, BGP routes populated on Fortigate, using the same setup as yours.
Cannot get traffic through.
Strangely enough, traffic from Amazon to localnet appears in firewall reject log, although I clearly defined broad accept rules.
What could it be? Reboot required?
Ah, fixed.
The key was to unset IPSec phase2 selectors. (Set them to nothing)
Thank you very much again
Thanks for the post, had the VPNs set up et al. without issues. Worked fine if I put one of the 2 IPSec interfaces down but occasionally had issues due to asymmetric routing.
Don’t quite get that tho’, because as opposed to what you did here I put the 2 IPSec interfaces in 1 zone, which allows me to just create 2 firewall rules (internal -> AmazonZONE & AmazonZONE -> internal).
Was hoping the zoning of the interfaces would have made it clear they’re the same zone and thus routing, but apparently it doesn’t work that way. Does ease the firewall configuration tho’.
Would suggest these changes thus (might contain typos):
conf sys zone
    edit "AmazonVPC"
        set interface "amazon1" "amazon2"
    next
end
and then just make firewall rules from srcintf “AmazonVPC” to internal and vice versa. You’ll have less room for error; in the current setup one interface might allow (or disallow) traffic where the other does not (if working with more firewall rules, obviously).
Hi,
thank you for sharing your configuration, I just spent 2 days connecting my Fortinet to my VPC and your article was very helpful.
There are just 2 points I’d like to debate with you:
- I did not enable asymmetric routing as it is not recommended in the documentation because “Fortinet will become a stateless firewall”. I asked Amazon for help setting up my VPN and in the discussion, the guy told me: “We strongly recommend that you have both tunnels up as we will at times take one tunnel down for maintenance. It is only guaranteed that one of your tunnels will be up so it’s important to have this redundancy”. So in my opinion there are 2 tunnels for high-availability and not for load-balancing; I don’t think packets will go out one path and come back from another.
- In the BGP configuration you used the first Inside Virtual Private Gateway address, why? Why not the second one? And why not the Customer Gateway address? I’m not quite sure what to fill in; anyway, I just wanted to tell you that I put my Outside IP Addresses Customer Gateway and it is working.
Herve
@Hervé Werner
Without asymmetric routing, you’ll need to modify the BGP neighbor weight. The Fortinet broadcasts the same weight for both neighbors, which means AWS is going to randomly pick a tunnel. You can try:
config router bgp
    config neighbor
        edit [Neighbor IP for Tunnel #1]
            set weight [some integer value]
        next
    end
end
But I couldn’t find any docs on what that weight value means or even if that is the appropriate value to modify.
The BGP neighbor weight will work but it seems that you have to set the weights to match what the AWS VPN wants to use as the primary route.
I had set the weights but still had problems and noticed that from the customer side a traceroute used the route set by the FortiGate BGP weight, but on the AWS side the other route was always used. As a test I set the FortiGate to enable asymmetric routing and the problems cleared.
When the FortiGate BGP neighbor weights were reversed, connectivity became stable.