
Connecting a Fortinet VPN to Amazon AWS VPC

There is a lot of spotty information out on the Internet about how to connect a Fortinet VPN router to an Amazon AWS VPC VPN, but much of it is confusing, wants you to use the GUI, is outdated, or simply doesn’t work that well. It took me a while to get all of the pieces put together, but here are the basic steps involved:

  1. Enable asymmetric routing – this allows packets to go out through one of the tunnels and come back through the other
  2. Create interface based VPN tunnels (phase1 and phase2)
  3. Configure the wan1 sub-interfaces automatically created in step 2
  4. Configure BGP
  5. Configure firewall rules

So here’s a generic configuration that does this. If you right click on the VPN gateway in the AWS Console and download the “Generic” configuration, you can copy its values straight into the <CHANGE: ...> placeholders in this config.

Also, you need to make sure that the policy numbers I used in the firewall configuration (policies 200-203) do not conflict with any existing policy numbers you have configured. If they do, just pick a different number; the number itself doesn’t matter. Note that these policies allow all traffic in both directions between your internal network and the VPC. After you get it working, you’ll probably want to tighten those policies up quite a bit.

So without further ado:

config system settings
    set asymroute enable
end

config vpn ipsec phase1-interface
    edit "amazon1"
        set interface "wan1"
        set dpd enable
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw <CHANGE: Tunnel #1 Outside Virtual Private Gateway>
        set psksecret <CHANGE: Tunnel #1 Pre-Shared Key>
        set dpd-retryinterval 10
    next
    edit "amazon2"
        set interface "wan1"
        set dpd enable
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw <CHANGE: Tunnel #2 Outside Virtual Private Gateway>
        set psksecret <CHANGE: Tunnel #2 Pre-Shared Key>
        set dpd-retryinterval 10
    next
end

config vpn ipsec phase2-interface
    edit "amazon1"
        set dhgrp 2
        set pfs enable
        set phase1name "amazon1"
        set proposal aes128-sha1
        set replay enable
    next
    edit "amazon2"
        set dhgrp 2
        set pfs enable
        set phase1name "amazon2"
        set proposal aes128-sha1
        set replay enable
    next
end

config system interface
    edit "amazon1"
        set vdom "root"
        set ip <CHANGE: Tunnel #1 Inside Customer Gateway> 255.255.255.255
        set type tunnel
        set remote-ip <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
        set interface "wan1"
    next
    edit "amazon2"
        set vdom "root"
        set ip <CHANGE: Tunnel #2 Inside Customer Gateway> 255.255.255.255
        set type tunnel
        set remote-ip <CHANGE: Tunnel #2 Inside Virtual Private Gateway>
        set interface "wan1"
    next
end

config router bgp
    set as <CHANGE: BGP Customer Gateway ASN>
    config neighbor
        edit <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
            set remote-as <CHANGE: Tunnel #1 BGP Virtual Private Gateway ASN>
        next
        edit <CHANGE: Tunnel #2 Inside Virtual Private Gateway>
            set remote-as <CHANGE: Tunnel #2 BGP Virtual Private Gateway ASN>
        next
    end
    config network
        edit 1
            set prefix <CHANGE: Your Local Net> <CHANGE: Your Local netmask>
        next
    end
    config redistribute "connected"
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    set router-id <CHANGE: Tunnel #1 Inside Virtual Private Gateway>
end

config firewall policy
    edit 200
        set srcintf "internal"
        set dstintf "amazon1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 201
        set srcintf "amazon1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 202
        set srcintf "internal"
        set dstintf "amazon2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 203
        set srcintf "amazon2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
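Two things bite people when they reuse this template: a placeholder left unfilled, and a policy ID that already exists on the box. The following script is an added example, not part of the original post; it substitutes the <CHANGE: ...> placeholders from the values you copy out of the AWS “Generic” download and picks policy IDs that do not collide with an existing FortiGate config. The template excerpt, AWS values and existing-config excerpt are constructed samples.

```python
# Added example, not from the post: fill the <CHANGE: ...> placeholders of the
# template above and keep policy IDs 200-203 from clashing with an existing config.
import re

PLACEHOLDER = re.compile(r"<CHANGE: ([^>]+)>")

# Short excerpt of the post's template; the full one is handled the same way.
TEMPLATE = """config vpn ipsec phase1-interface
    edit "amazon1"
        set remote-gw <CHANGE: Tunnel #1 Outside Virtual Private Gateway>
        set psksecret <CHANGE: Tunnel #1 Pre-Shared Key>
    next
end"""
# Constructed sample values (TEST-NET-3 address, dummy key) and a constructed
# excerpt of a FortiGate config that already uses policy ID 200.
AWS_VALUES = {"Tunnel #1 Outside Virtual Private Gateway": "203.0.113.10",
              "Tunnel #1 Pre-Shared Key": "constructed-psk-1"}
EXISTING_CONFIG = "config firewall policy\n    edit 1\n    next\n    edit 200\n    next\nend"

def render(template, values):
    """Substitute every placeholder; refuse to emit a config with one left unfilled."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise KeyError("no value supplied for: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)

def used_policy_ids(config_text):
    """Return the 'edit N' IDs directly inside 'config firewall policy'."""
    ids, depth, policy_depth = set(), 0, None
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            depth += 1
            if s == "config firewall policy":
                policy_depth = depth
        elif s == "end":
            policy_depth = None if depth == policy_depth else policy_depth
            depth -= 1
        elif depth == policy_depth:
            m = re.fullmatch(r"edit (\d+)", s)
            if m:
                ids.add(int(m.group(1)))
    return ids

def pick_policy_ids(used, wanted=(200, 201, 202, 203)):
    """Keep the post's IDs where free; replace a clashing one with the next unused ID."""
    chosen, candidate = [], max(wanted) + 1
    for w in wanted:
        while w in used or w in chosen:
            w, candidate = candidate, candidate + 1
        chosen.append(w)
    return chosen
```

Run `used_policy_ids` over the output of `show firewall policy` from your own unit before pasting the policies in.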


  1. Roman
    June 7th, 2012 at 20:56 | #1

    Thanks, mate.
    Got IPSecs to Amazon up, BGP routes populated on Fortigate, using the same setup as yours.

    Cannot get traffic through.
    Strangely enough, traffic from Amazon to localnet appears in firewall reject log, although I clearly defined broad accept rules.
    What could it be? Reboot required?

  2. Roman
    June 8th, 2012 at 00:00 | #2

    Ah, fixed.
    The key was to unset IPSec phase2 selectors. (Set them to nothing)

    Thank you very much again

  3. Freaky
    June 13th, 2012 at 04:33 | #3

    Thanks for the post, had the VPNs set up and all without issues. Worked fine if I put one of the 2 IPSec interfaces down but occasionally had issues due to asymmetric routing.

    Don’t quite get that tho’, because as opposed to what you did here I put the 2 IPSec interfaces in 1 zone, which allows me to just create 2 firewall rules (internal -> AmazonZONE & AmazonZONE -> internal).

    Was hoping the zoning of the interfaces would have made it clear they’re the same zone and thus routing, but apparently doesn’t work that way. Does ease the firewall configuration tho’ :).

    Would suggest these changes thus (might contain typos):

    conf sys zone
        edit "AmazonVPC"
            set interface "amazon1" "amazon2"
        next
    end

    and then just make firewall rules from srcintf “AmazonVPC” to internal and vice versa. You’ll have less room for error, in the current setup one interface might allow (or disallow) traffic where the other does not (if working with more firewall rules obviously :)).

  4. June 21st, 2012 at 11:25 | #4

    Hi,

    Thank you for sharing your configuration, I just spent 2 days connecting my Fortinet to my VPC and your article was very helpful.

    There are just 2 points I’d like to debate with you:

    - I did not enable asymmetric routing as it is not recommended in the documentation because “Fortinet will become a stateless firewall”. I asked Amazon for help setting up my VPN and in the discussion, the guy told me: “We strongly recommend that you have both tunnels up as we will at times take one tunnel down for maintenance. It is only guaranteed that one of your tunnels will be up so it’s important to have this redundancy”. So in my opinion there are 2 tunnels for high-availability and not for load-balancing, I don’t think packets will go to one path and come back from another.

    - in the BGP configuration you used the first Inside Virtual Private Gateway address, why? Why not the second one? And why not the Customer Gateway address? I’m not quite sure about what to fill in, anyway I just wanted to tell you that I put my Outside IP Addresses Customer Gateway and it is working.

    Herve

  5. June 21st, 2012 at 14:27 | #5

    @Hervé Werner
    Without asymmetric routing, you’ll need to modify the BGP neighbor weight. The Fortinet broadcasts the same weight for both neighbors, which means AWS is going to randomly pick a tunnel. You can try:

    config router bgp
        config neighbor
            edit [Neighbor IP for Tunnel #1]
                set weight [some integer value]
            next
        end
    end

    But I couldn’t find any docs on what that weight value means or even if that is the appropriate value to modify.

  6. UncleJim
    August 3rd, 2012 at 07:09 | #6

    The BGP neighbor weight will work but it seems that you have to set the weights to match what the AWS VPN wants to use as the primary route.

    I had set the weights but still had problems and noticed that from the customer side a traceroute used the route set by the Fortigate BGP weight but on the AWS side the other route was always used. As a test I set the Fortigate to enable asymmetric routing and the problems cleared.

    When the fortigate bgp neighbor weights were reversed connectivity became stable.
