Description
This article describes the steps to configure an IPsec site-to-site VPN between a FortiGate and AWS.
Solution
Go to VPN -> IPsec Tunnel.
Click on 'Create new' and enter a Name for the tunnel.
Select 'Custom', and click 'Next'.
Set the Remote Gateway to 'Static IP Address', and enter the gateway IP address provided by AWS.
Set the Local Interface to the FortiGate WAN interface.
Enable NAT Traversal. (NAT Traversal is enabled by default; if the FortiGate is not behind a NAT/PAT device, deselect NAT Traversal.)
Set Dead Peer Detection to 'on demand'.
Under Authentication, enter a Pre-shared Key and ensure that IKEv1 is enabled and Mode is set to Main.
Under Phase 1 Proposal, set the encryption algorithm combination to the following: Encryption: aes128 and Authentication: sha1
DH group: 2
Keylife: 28800
Scroll down to Phase 2 Selectors and enter the respective local and remote subnets.
Expand the Advanced section. Set the Encryption to 'AES128' and Authentication to 'SHA1'.
Select 'Enable Replay Detection'
Select 'Enable Perfect Forward Secrecy'
Enable 'Autokey Keep Alive' and click 'OK'.
Set the Diffie-Hellman Group to '2', Key lifetime to 'Seconds', and Seconds to '3600'.
Creating the firewall objects:
Go to Policy & Objects -> Addresses and create a firewall address object for each of the VPN tunnel's local and remote subnets.
Creating the FortiGate firewall policies:
Go to Policy & Objects -> IPv4 Policy and create a new policy for the site-to-site connection that allows outgoing traffic and incoming traffic.
Outgoing traffic policy:
Source interface: the LAN interface; destination interface: the VPN tunnel; Source Address: the local subnet object; Destination Address: the remote subnet object.
Select the services that need to be allowed, set Schedule to 'always', and set the action to ACCEPT. Ensure that NAT is disabled.
Incoming traffic policy:
Source interface: the VPN tunnel; destination interface: the LAN interface; Source Address: the remote subnet object; Destination Address: the local subnet object.
Select the services that need to be allowed and set the action to ACCEPT. Ensure that NAT is disabled.
Set the MTU and MSS on the tunnel interface from the CLI:
config system interface
    edit <vpn interface name>
        set mtu 1427
        set tcp-mss 1379
    next
end
To create the route:
Go to Network -> Static Route
Click on 'Create New'
1) Destination IP/Mask: remote subnet
2) Device: vpn-interface
3) Select OK