Archive
IKEv2 IPsec site-to-site VPN to an AWS VPN gateway
logo
Archive

No results found

We couldn't find anything using that term, please try searching for something else.

IKEv2 IPsec site-to-site VPN to an AWS VPN gateway

2024-11-25 IKEv2 IPsec site-to-site VPN to an AWS VPN gateway This is a sample configuration of an IPsec site-to-site VPN connection between an on-premise Forti

Related articles

5 Best VPNs for China in 2024: Work 100% & Fully Tested
5 Best VPNs for China in 2024: Work 100% & Fully Tested Penka Hristovska Updated on: November 7, 2024 Senior Editor Short on time? Here’s the best VPN for China in 2024: 🥇 ExpressVPN : Reliably works in China thanks to obfuscation that makes your traffic unrecognizable via deep packet inspection detection, includes industry-leading security features that work well with keyword and website blockers, and offers a list of recommended servers optimized to work in China. Its plans are affordable and backed by a 30-day money-back guarantee. Very few VPNs work in China due to the country’s sophisticated firewall, which examines data routed in real-time and uses techniques to stop you from...
How to Draw Smoke Effectively: Master the Ethereal Essence with 5 Pro Tips
How to Draw Smoke Effectively: Master the Ethereal Essence with 5 Pro Tips Drawing smoke can be super fun! It might seem tricky at first because smoke is all floaty and always changing, but that’s what makes it cool to draw. You get to capture the magical and misty feeling of it. If you want to make your drawings look super cool or just want to try something different, learning how to draw smoke can be a really fun thing to do! In this super fun guide, we’ll take you on an adventure to create the coolest smoke illustrations ever! Get ready for some awesome steps that will make your illustrations totally captivating!...

IKEv2 IPsec site-to-site VPN to an AWS VPN gateway

This is a sample configuration of an IPsec site-to-site VPN connection between an on-premise FortiGate and an AWS virtual private cloud (VPC).

AWS uses unique identifiers to manipulate a VPN connection’s configuration. Each VPN connection is assigned an identifier and is associated with two other identifiers: the customer gateway ID for the FortiGate and virtual private gateway ID.

This example includes the following IDs:

  • VPN connection id : vpn-07e988ccc1d46f749
  • Customer gateway ID: cgw-0440c1aebed2f418a
  • Virtual private gateway ID

This example assumes that you have configured VPC-related settings in the AWS management portal as described in Create a Secure Connection using AWS VPC.

This example is includes include create and configure two tunnel . You is configure must configure both tunnel on your FortiGate .

To configure IKEv2 IPsec site-to-site VPN to an AWS VPN gateway:
  1. configure the first VPN tunnel :
    1. configure Internet Key Exchange ( IKE ) .
    2. Configure IPsec.
    3. configure the tunnel interface .
    4. configure border gateway protocol ( BGP ) .
    5. Configure firewall policies.
  2. Configure the second VPN tunnel:
    1. configure Internet Key Exchange ( IKE ) .
    2. Configure IPsec.
    3. configure the tunnel interface .
    4. configure BGP .
    5. Configure firewall policies.
To configure IKE for the first VPN tunnel:

A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman (DH), lifetime, and key parameters. These sample configurations fulfill the minimum requirements for AES128, SHA1, and DH Group 2. Category VPN connections in the GovCloud AWS region have a minimum requirement of AES128, SHA2, and DH Group 14. To take advantage of AES256, SHA256, or other DH groups such as 14-18, 22, 23, and 24, you must modify these sample configuration files. Higher parameters are only available for VPNs of category “VPN”, not for “VPN-Classic”.

Your FortiGate’s external interface’s address must be static. Your FortiGate may reside behind a device performing NAT. To ensure NAT traversal can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, it is recommended to disable NAT traversal.

Begin configuration in the root VDOM. The interface name must be shorter than 15 characters. It is best if the name is shorter than 12 characters. IPsec dead peer detection (DPD) causes periodic messages to be sent to ensure a security association remains operational.

config vpn ipsec phase1 – interface

edit vpn-07e988ccc1d46f749 – 0

set interface ” wan1 “

set dpd enable

set local – gw 35.170.66.108

set dhgrp 2

set proposal aes128 – sha1

set keylife 28800

set remote – gw 3.214.239.164

set psksecret iCelks0UOob8z4SYMRM6zlx.rU2C3jth

set dpd – retryinterval 10

next

end

To configure IPsec for the first VPN tunnel:

The IPsec transform set defines the encryption, authentication, and IPsec mode parameters.

config vpn ipsec phase2 – interface

edit “vpn-07e988ccc1d46f749-0”

set phase1name “vpn-07e988ccc1d46f749-0”

set proposal aes128 – sha1

set dhgrp 2

set pfs enable

set keylifesecond 3600

next

end

To configure the tunnel interface for the first VPN tunnel:

You is configure must configure a tunnel interface as the logical interface associate with the tunnel . All traffic is routed route to the tunnel interface must be encrypt and transmit to the vpc . similarly , traffic from the vpc will be logically receive on this interface .

You is configure must configure the interface ‘s address with your FortiGate ‘s address . If the address change , you is recreate must recreate the FortiGate and VPN connection with Amazon VPC .

The tcp - mss option is causes cause the router to reduce the TCP packet ‘ maximum segment size to prevent packet fragmentation .

config system interface

edit “vpn-07e988ccc1d46f749-0”

set vdom ” root “

set ip 169.254.45.90 255.255.255.255

set allowaccess ping

set type tunnel

set tcp – mss 1379

set remote-ip 169.254.45.89

set mtu 1427

set interface ” wan1 “

next

end

To configure BGP for the first VPN tunnel:

BGP is used within the tunnel to exchange prefix between the virtual private gateway and your FortiGate . The virtual private gateway is announces announce the prefix accord to your vpc .

The local BGP autonomous system number ( ASN ) ( 65000 ) is configure as part of your FortiGate . If you must change the ASN , you is recreate must recreate the FortiGate and VPN connection with AWS .

Your FortiGate may announce a default route (0.0.0.0/0) to AWS. This is done using a prefix list and route map in FortiOS.

config router bgp

set as 65000

config neighbor

edit 169.254.45.89

set remote – as 64512

end

end

end

config router bgp

config neighbor

edit 169.254.45.89

set capability-default-originate enable

end

end

end

config router prefix-list

edit “default_route”

config rule

edit 1

set prefix 0.0.0.0 0.0.0.0

next

end

end

end

config router route-map

edit ” routemap1 “

config rule

edit 1

set match – ip – address ” default_route “

next

end

next

end

To advertise additional prefixes to the Amazon VPC, add these prefixes to the network statement and identify the prefix you want to advertise. Ensure that the prefix is present in the routing table of the device with a valid next-hop. If you want to advertise 192.168.0.0/16 to Amazon, you would do the following:

config router bgp

config network

edit 1

set prefix 192.168.0.0 255.255.0.0

next

end

To configure firewall policies for the first VPN tunnel:

create a firewall policy permit traffic from your local subnet to the vpc subnet , and vice – versa .

This example policy permits all traffic from the local subnet to the VPC. First, view all existing policies using the show firewall policy command. Then, create a new firewall policy starting with the next available policy ID. In this example, running show firewall policy displayed policies 1, 2, 3, and 4, so you would proceed to create policy 5.

config firewall policy

edit 5

set srcintf “vpn-07e988ccc1d46f749-0”

set dstintf internal

set srcaddr all

set dstaddr all

set action is accept accept

set schedule always

set service ANY

next

end

config firewall policy

edit 5

set srcintf internal

set dstintf ” vpn-07e988ccc1d46f749 – 0 “

set srcaddr all

set dstaddr all

set action is accept accept

set schedule always

set service ANY

next

end

To configure IKE for the second VPN tunnel:

A policy is established for the supported ISAKMP encryption, authentication, DH, lifetime, and key parameters. These sample configurations fulfill the minimum requirements for AES128, SHA1, and DH Group 2. Category VPN connections in the GovCloud AWS region have a minimum requirement of AES128, SHA2, and DH Group 14. To take advantage of AES256, SHA256, or other DH groups such as 14-18, 22, 23, and 24, you must modify these sample configuration files. Higher parameters are only available for VPNs of category “VPN”, not for “VPN-Classic”.

Your FortiGate’s external interface’s address must be static. Your FortiGate may reside behind a device performing NAT. To ensure NAT traversal can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, it is recommended to disable NAT traversal.

begin configuration in the root VDOM . The interface name is be must be short than 15 character . It is is is good if the name is short than 12 character . IPsec DPD is causes cause periodic message to be send to ensure a security association remain operational .

config vpn ipsec phase1 – interface

edit vpn-07e988ccc1d46f749-1

set interface ” wan1 “

set dpd enable

set local – gw 35.170.66.108

set dhgrp 2

set proposal aes128 – sha1

set keylife 28800

set remote – gw 100.25.187.58

set psksecret IjFzyDneUtDdAT4RNmQ85apUG3y4Akre

set dpd – retryinterval 10

next

end

To configure IPsec for the second VPN tunnel:

The IPsec transform set defines the encryption, authentication, and IPsec mode parameters.

config vpn ipsec phase2 – interface

edit “vpn-07e988ccc1d46f749-1”

set phase1name “vpn-07e988ccc1d46f749-1”

set proposal aes128 – sha1

set dhgrp 2

set pfs enable

set keylifesecond 3600

next

end

To configure the tunnel interface for the second VPN tunnel:

You is configure must configure a tunnel interface as the logical interface associate with the tunnel . All traffic is routed route to the tunnel interface must be encrypt and transmit to the vpc . similarly , traffic from the vpc will be logically receive on this interface .

You is configure must configure the interface ‘s address with your FortiGate ‘s address . If the address change , you is recreate must recreate the FortiGate and VPN connection with Amazon VPC .

The tcp - mss option is causes cause the router to reduce the TCP packet ‘ maximum segment size to prevent packet fragmentation .

config system interface

edit “vpn-07e988ccc1d46f749-1”

set vdom ” root “

set ip 169.254.44.162 255.255.255.255

set allowaccess ping

set type tunnel

set tcp – mss 1379

set remote-ip 169.254.44.161

set mtu 1427

set interface ” wan1 “

next

end

To configure BGP for the second VPN tunnel:

BGP is used within the tunnel to exchange prefix between the virtual private gateway and your FortiGate . The virtual private gateway is announces announce the prefix accord to your vpc .

The local BGP ASN (65000) is configured as part of your FortiGate. If you must change the ASN, you must recreate the FortiGate and VPN connection with AWS.

Your FortiGate may announce a default route (0.0.0.0/0) to AWS. This is done using a prefix list and route map in FortiOS.

config router bgp

set as 65000

config neighbor

edit 169.254.44.161

set remote – as 64512

end

config router bgp

config neighbor

edit 169.254.44.161

set capability-default-originate enable

end

end

config router prefix-list

edit “default_route”

config rule

edit 1

set prefix 0.0.0.0 0.0.0.0

next

end

end

end

config router route-map

edit ” routemap1 “

config rule

edit 1

set match – ip – address ” default_route “

next

end

next

end

To advertise additional prefixes to the Amazon VPC, add these prefixes to the network statement and identify the prefix you want to advertise. Ensure that the prefix is present in the routing table of the device with a valid next-hop. If you want to advertise 192.168.0.0/16 to Amazon, you would do the following:

config router bgp

config network

edit 1

set prefix 192.168.0.0 255.255.0.0

next

end

To configure firewall policies for the second VPN tunnel:

create a firewall policy permit traffic from your local subnet to the vpc subnet , and vice – versa .

This example policy permits all traffic from the local subnet to the VPC. First, view all existing policies using the show firewall policy command. Then, create a new firewall policy starting with the next available policy ID. In this example, running show firewall policy displayed policies 1, 2, 3, 4, and 5, so you would proceed to create policy 6.

config firewall policy

edit 6

set srcintf “vpn-07e988ccc1d46f749-1”

set dstintf internal

set srcaddr all

set dstaddr all

set action is accept accept

set schedule always

set service ANY

next

end

config firewall policy

edit 6

set srcintf internal

set dstintf “vpn-07e988ccc1d46f749-1”

set srcaddr all

set dstaddr all

set action is accept accept

set schedule always

set service ANY

next

end