AWS VPN Setup Using Fortinet FortiGate Firewall-VM64

FortiGate Next-Generation Firewall technology delivers complete content and network protection by combining stateful inspection with a comprehensive suite of powerful security features. Application control, antivirus, IPS, Web filtering and VPN along with advanced features such as an extreme threat database, vulnerability management and flow-based inspection work in concert to identify and mitigate the latest complex security threats. To know more about FortiGate Next-Generation Firewall click here.

This blog helps you to configure a VPN set-up with AWS VPC’s/On-premises Data Center (DC) by using FortiGate Next-Generation Firewall in the AWS Transit VPC.

To know more about the launching of the FortiGate Next-Generation Firewall in AWS EC2 instance click here.

To access the FortiGate Firewall, Use Public IP of the AWS EC2 instance and access through a web browser.
For example —

Before starting, Make sure that you had configured AWS Managed VPN in the AWS VPC’s and Downloaded the Configuration file. Using the AWS Managed VPN set-up configuration file follow the below steps:
(To know more about AWS Managed VPN set-up click here)
VPN → IPsec Tunnels → Create New

Figure — 1

Next, Click on Custom and the give a tunnel name. Then click on “Next”

Figure — 2

After that, Select Remote Gateway as Static IP Address and the IP address will be the end router IP of the AWS, which is mention in the downloaded configuration file of the AWS Managed VPN set-up.
Next, Select Interface as port1. By default, there will is only a single interface.
Enable the “Local Gateway” and select “Primary IP”

Figure — 3

Next, go down to Authentication. Copy the Pre-shared Key from the AWS Managed VPN configuration file and paste it here.

Figure — 4

As per the AWS Managed VPN configuration files, configure the Encryption, Diffie-Helmans Groups, and Key Lifetime in Phase 1 Proposal and Phase 2 Proposal.

Figure — 5

Phase 2 Proposal,

After Successful VPN Creation, A virtual tunnel interface is created in Network → Interfaces.

Go to the tunnel interface, and configure the IP address of the tunnel as mentioned in AWS Managed VPN Configuration file.
Then, select the Administrative Access that you required.

Next, Configure the Routing Protocol. In this blog, BGP routing protocol has been used.
To configure Routing Protocol, go to Network → BGP
As per the AWS Managed VPN Configuration file, enter the values of the AS number and the Router ID. And also using the same configuration file, create neighbors with remote AS number.
In Networks, Mention the local (Private) Networks with IP address and Mask

To configure Redistribution, Go to Network → BGP → Expand Advanced Options as shown in the figure below (Optional).

To set-up MTU, MSS, and default routes you need configure through CLI. For that go to CLI terminal as shown in below figure.

Figure —
Note: Take the values and IP Address as per the AWS Managed VPN downloaded configuration file.

Set MTU and MSS on the tunnel:

# config global
# config system interface
# edit “forte-spoke-a” → change tunnel name here
# set mtu 1427 
# set tcp-mss 1379
# next
# end

The Customer Gateway may announce a default route ( to us, for that:

# config router bgp
# config neighbor
 # edit
 # set capability-default-originate enable
 # end
 # end
# config router prefix-list
 # edit “default_route”
 # config rule
 # edit 1
 # set prefix
 # next
 # end
 # set router-id
# end
# config router route-map
 # edit “routemap1”
 # config rule
 # edit 1
 # set match-ip-address “default_route”
 # next
 # end
 # next
# end

Next, you need to create policies to allow/deny the traffic. 
Policy & Objects → IPv4 Policy → Create New

Set a policy for incoming traffic from port1 and outgoing traffic through the VPN tunnel. Allow all the services from any source to any destination. Also, enable the Security Profiles.

Note: You can also restrict the services from here.

Create another policy for incoming traffic from the VPN tunnel interface to outgoing traffic through the port1 interface. Also, enable the security profiles.

To bring it UP the tunnel interface, go to Monitor → IPsec Monitor → Select the tunnel → Bring UP

After a few minutes, check the routes from Monitor → Routing Monitor.

Also, check in the AWS VPC Console.
AWS VPC Console → VPN Connection → Select the VPN tunnel → Tunnel Details

Also, follow the same steps to set-up the tunnel with On-premises DC with the help of On-premises DC Router configuration.


Using the above steps, we are able to create a Transit