Configure a site-to-site VPN between a local FortiGate and an Azure VM

Configure the local FortiGate:

To configure the interfaces:

  • In FortiOS on the local FortiGate, go to Network > Interfaces.
  • Edit port5. Set the role to WAN and set an IP/Network Mask of 192.168.5.1/255.255.255.0. This is for the interface connected to the Internet.
  • Edit port4. Set the role to LAN and set an IP/Network Mask of 172.16.200.1/255.255.255.0. This is for the interface connected to the local subnet.

To configure a static route to connect to the Internet:

  • Go to Network > Static Routes.
  • Click Create New.
  • Set the Destination to 0.0.0.0/0.0.0.0.
  • For the Interface, select port5.
  • Set the Gateway Address to 192.168.9.254.

To configure IPsec VPN:

  • Go to VPN > IPsec Wizard.
  • Click Create New.
  • Enter the desired VPN name. In the example, this is "to_cloud".
  • For Template Type, select Site to Site.
  • For the Remote Device Type, select FortiGate.
  • For NAT Configuration, select This site is behind NAT. For non-dial-up situations where your local FortiGate has a public external IP address, you must choose No NAT between sites.
  • Click Next.
  • Configure Authentication:
      • For Remote Device, select IP Address.
      • Enter an IP address of 40.115.111.31, which is the Azure FortiGate's port1 public IP address.
      • For Outgoing Interface, select port5.
      • Set the Authentication Method to Pre-shared Key.
      • Enter a pre-shared key of 123456.
      • Click Next.
  • Configure Policy & Routing:
      • For Local Interface, select port4.
      • FortiOS automatically populates Local Subnets with 172.16.200.0/24.
      • Set the Remote Subnets to 10.58.1.0/24, which is the Azure FortiGate's port2 subnet.
      • For Internet Access, select None.
      • Click Create.

Configuring the Azure FortiGate:

To configure the interface:

  • In FortiOS on the Azure FortiGate, go to Network > Interfaces.
  • Edit port2. Set the role to LAN and set an IP/Network Mask of 10.58.1.4/255.255.255.0. This is for the interface connected to the Azure local subnet.

To configure IPsec VPN:

  • Go to VPN > IPsec Wizard.
  • Configure VPN Setup:
      • Enter the desired VPN name. In the example, this is "to_local".
      • For Template Type, select Site to Site.
      • For the Remote Device Type, select FortiGate.
      • For NAT Configuration, select This site is behind NAT. For non-dial-up situations where the FortiGate has a public external IP address, you must choose No NAT between sites.
      • Click Next.
  • Configure Authentication:
      • For Incoming Interface, select port1.
      • Set the Authentication Method to Pre-shared Key.
      • Enter a pre-shared key of 123456.
      • Click Next.
  • Configure Policy & Routing:
      • For Local Interface, select port2.
      • FortiOS automatically populates Local Subnets with 10.58.1.0/24.
      • Set the Remote Subnets to 172.16.200.0/24, which is the local FortiGate's port4 subnet.
      • For Internet Access, select None.
      • Click Create.

To bring up the VPN tunnel on the local FortiGate:

The tunnel stays down until you initiate the connection from the local FortiGate.

  • In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor.
  • Click the to_cloud tunnel.
  • Click Bring Up to bring up the VPN tunnel.
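Before clicking Bring Up, it is worth confirming that the two wizard runs above actually mirror each other: the subnets swap sides, the pre-shared keys match, the remote gateway is the peer's public IP, and the phase 2 selectors do not overlap. The following checker is an added example (not Fortinet's code and not part of the original page); the two dicts are constructed from the values in the procedure above, and the key-strength thresholds are this example's own assumptions.

```python
import ipaddress

# Wizard values transcribed from the procedure above (constructed dicts, one per FortiGate).
LOCAL_FGT = {
    "name": "to_cloud",
    "wan_ip": "192.168.5.1/24",       # port5 address from the interface step
    "default_gw": "192.168.9.254",    # next hop entered in the static route step
    "remote_gw": "40.115.111.31",     # peer public IP entered in the wizard
    "psk": "123456",
    "local_subnets": ["172.16.200.0/24"],
    "remote_subnets": ["10.58.1.0/24"],
}
AZURE_FGT = {
    "name": "to_local",
    "public_ip": "40.115.111.31",     # port1 public IP of the Azure FortiGate
    "psk": "123456",
    "local_subnets": ["10.58.1.0/24"],
    "remote_subnets": ["172.16.200.0/24"],
}

def _nets(cidrs):
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def check_pair(a, b):
    """Return mismatches between the two sides of a site-to-site tunnel (empty list = consistent)."""
    findings = []
    if _nets(a["local_subnets"]) != _nets(b["remote_subnets"]):
        findings.append(f"{a['name']}: local subnets are not the remote subnets of {b['name']}")
    if _nets(b["local_subnets"]) != _nets(a["remote_subnets"]):
        findings.append(f"{b['name']}: local subnets are not the remote subnets of {a['name']}")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a.get("remote_gw") != b.get("public_ip"):
        findings.append(f"{a['name']}: remote gateway is not the public IP of {b['name']}")
    for side in (a, b):  # overlapping selectors mean traffic is never steered into the tunnel
        if any(x.overlaps(y) for x in _nets(side["local_subnets"]) for y in _nets(side["remote_subnets"])):
            findings.append(f"{side['name']}: local and remote subnets overlap")
    return findings

def check_psk(psk):
    """Flag a pre-shared key that would not survive an offline guess (thresholds are assumptions)."""
    findings = []
    if len(psk) < 20:
        findings.append("shorter than 20 characters")
    if psk.isdigit():
        findings.append("digits only")
    return findings

def gateway_on_wan_subnet(wan_ip, gw):
    """A static-route next hop normally has to sit inside the WAN interface's own subnet."""
    return ipaddress.ip_address(gw) in ipaddress.ip_interface(wan_ip).network
```

With the addresses exactly as written above, gateway_on_wan_subnet returns False because 192.168.9.254 is not inside port5's 192.168.5.0/24, and check_psk flags 123456 on both counts; confirm the real upstream gateway and choose a long random key before the tunnel is relied on.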


Connecting a local FortiGate to an AWS VPC VPN

To create a VPG:

A VPG is the VPN concentrator on the Amazon side of the site-to-site VPN connection. You create a VPG and attach it to the VPC from which you want to create the site-to-site VPN connection.

  • In the AWS management console, go to Virtual Private Gateways, then click Create Virtual Private Gateway.
  • In the Name tag field, enter the desired gateway name.
  • For static route configuration, the ASN is not important, as the ASN is only used for BGP routing. By default, the VPG is created with the default ASN, 64512. You cannot change the ASN once the VPG has been created.
  • After creating the VPG, select it from the list of VPGs, and click Actions > Attach to VPC.
  • On the Attach to VPC page, select the ID of the desired VPC from the VPC dropdown list.

To create a customer gateway:

  • Go to Customer Gateways, then click Create Customer Gateway.
  • In the Name field, enter the desired gateway name.
  • For Routing, select Static.
  • In the IP Address field, enter the on-premises FortiGate's external address.

To create a site-to-site VPN connection on AWS:

AWS site-to-site VPN connections support the following:

  • Internet Key Exchange version 2 (IKEv2)
  • NAT traversal
  • Four-byte ASN (in addition to two-byte ASN)
  • Reusable IP addresses for customer gateways
  • Additional encryption options, including AES 256-bit encryption, SHA-2 hashing, and additional Diffie-Hellman groups
  • Configurable tunnel options
  • Custom private ASN for the Amazon side of a BGP session

This example describes creating an IPsec site-to-site VPN.

  • Go to VPN Connections, then click Create VPN Connection.
  • In the Name tag field, enter the desired VPN connection name.
  • From the Virtual Private Gateway dropdown list, select the ID of the VPG created earlier.
  • For Routing Options, select Static.
  • In the IP Prefixes field, enter the CIDR of the networks behind your on-premises FortiGate.
  • Leave the tunnel options blank. You will obtain this information from the downloaded configuration file.

To configure the on-premises FortiGate:

  • After creating the VPN, select it in the VPN list, then click Download Configuration. This file contains the information needed to configure the FortiGate correctly.
  • You can configure the FortiGate using this downloaded configuration file. Run the diagnose vpn tunnel up examplephase2 command if the tunnel does not come up automatically.
  • In the FortiOS GUI, check in VPN > IPsec Tunnels that the tunnel is up.
  • In the AWS management console, check that the tunnel is up.
  • After the tunnel is up, you must edit a custom route table and the security group rules to achieve connectivity between a resource behind the FortiGate and a resource in the AWS cloud.
  • On AWS, there are two tunnels for each created VPN. This example only shows connecting to one tunnel, but you can create the second tunnel in FortiOS as well. The second tunnel is for redundancy: if one tunnel goes down, the FortiGate can still reach AWS resources through the other tunnel.

Configuring site-to-site VPN between GCP and FortiGate

  • On the remote site 1 FortiGate, go to VPN > IPsec Tunnels, then click Create New.
  • On the VPN Setup tab, configure the following:
      • For Template type, select Site to Site.
      • For NAT configuration, select No NAT between sites.
      • Click Next.
  • On the Authentication tab, configure the following:
      • In the Remote IP address field, enter the destination FortiGate's public IP address. This is the spoke1 public IP address.
      • Configure a signature or pre-shared key to secure the tunnel.
      • Click Next.
  • On the Policy & Routing tab, configure the local and remote subnets. Note that here, the local subnet refers to the remote site subnet, and the remote subnet refers to the NCC external and internal VPC subnets. Click Next.
  • Review the configuration, then click Create.
  • Create a similar connection from the Region 1 spoke FortiGate to the remote site 1 FortiGate. When creating this connection, on the Policy & Routing tab, ensure that you add port1 and port2 as local interfaces when creating the tunnel interface.

Copyrights © 24 November 2024 All Rights Reserved by Vast Edge Inc.