DEV Community

mobisoftinfotech
mobisoftinfotech

Posted on

AWS Site-to-Site VPN Setup with FortiGate Firewall: A Complete Guide

#awsfortigatevpn #fortigatefirewallsetupaws #secureawsconnectionvpn #fortigateawsintegration

Image description
In today’s technology-driven world, connecting your office network securely to cloud resources is essential. AWS Site-to-Site VPN makes this easy by creating encrypted connections, ensuring your data stays safe while traveling between your systems and Amazon’s Virtual Private Cloud (VPC). AWS Site-to-Site VPN enables secure connections between your on-premises network and AWS Virtual Private Cloud (VPC), allowing secure communication between local networks and AWS resources using IPsec tunnels for secure data transmission.

In this guide, we will learn the configuration of a site-to-site VPN connection from a local FortiGate firewall setup AWS to an AWS VPC via IPsec with static routing. Instances that you launch into an AWS VPC can communicate with your own remote network via a site-to-site VPN between your on-premise FortiGate and AWS VPC VPN. You can enable access to your remote network from your VPC by configuring a virtual private gateway (VPG) and customer gateway to the VPC, then configuring the site-to-site VPC VPN.

The Need for Secure AWS Connections

AWS Site-to-Site VPN enables secure, encrypted links between on-premises environments and the AWS cloud. It’s an indispensable tool for organizations expanding their data centers, enhancing disaster recovery setups, or exploring hybrid cloud architectures.
AWS network security FortiGate offers comprehensive protection and flexibility in hybrid cloud environments.

Key Features:

  • Data Security: All traffic is encrypted, ensuring sensitive information is protected.
  • Flexibility: Supports FortiGate AWS integration with various AWS services.
  • Scalability: Ideal for growing cloud footprints and multi-region architectures.

Image description

Step-by-Step Implementation

1. Configure Your On-Premises Setup

FortiGate Firewall:

  • Configure Port 1 as a DHCP Client for external connectivity and management.
  • Assign a static IP 192.168.X.X/24 to Port 2 for internal network traffic.
  • Enable essential services (HTTP, HTTPS, PING) for diagnostics and monitoring.

Web Terminal Setup:

  • Set the terminal’s IP to 192.168.X.X/24 and connect it to the firewall’s internal interface.

2. Set Up AWS Components

a. VPC Creation

  • Open the AWS Console and create a VPC:
  • Name: AWS-VPC
  • CIDR Range: 10.0.0.0/16

b. Define Subnets

  • Add a Private Subnet (10.0.1.0/24) for internal resources.
  • Add a Public Subnet (10.0.2.0/24) for external-facing services.
  • Attach both subnets to the VPC.

c. Attach Internet Gateway

  • Create an Internet Gateway and attach it to your VPC.
  • Update the public subnet’s route table with a default route pointing to the gateway.

3. Configure Customer and Virtual Private Gateways

a. Create a Customer Gateway

  • Provide your on-premises public IP address.
  • Ensure it is tagged appropriately for easy identification.

b. Create a Virtual Private Gateway

  • Attach the Virtual Private Gateway to the AWS VPC.
  • Update the route tables to include routes pointing to the Virtual Private Gateway for private subnet traffic.

4. Establish Site-to-Site VPN Connection

Link the Customer Gateway and Virtual Private Gateway.
Configure the IPSec tunnel using the AWS-provided configuration file.
Download the configuration file for use in setting up the FortiGate firewall with AWS.

Image description

5. Configure VPN on FortiGate

a. Phase 1 Settings:

  • Select the VPN Name
  • Go to the FortiGate dashboard and navigate to the IPSec VPN section.
  • Choose the appropriate VPN connection from the list or create a new one.
  • Provide a descriptive name for the VPN to identify it easily.
  • Set a Remote IP Address
  • Enter the remote gateway IP address provided by AWS.
  • This should match the public IP of the AWS Virtual Private Gateway.
  • Set Policy and Routing
  • Define a policy to control traffic flow:
  • Source: Local LAN (e.g., 192.168.X.X/24).
  • Destination: AWS subnet (e.g., 10.40.0.0/16).
  • Action: Allow.
  • Configure the routing table to direct traffic to the VPN tunnel interface.
  • Add any additional static routes as required by your network design.

b. Phase 1 Settings:

  • Specify the remote AWS Gateway IP.
  • Use a pre-shared key for mutual authentication.
  • Set encryption details:
  • Algorithm: AES-128
  • Authentication Protocol: SHA-1
  • Key Exchange Group: 2
  • Key Lifecycle(seconds): 28800

c. Phase 2 Settings:

  • Define the VPN subnet ranges.
  • Enable Perfect Forward Secrecy for additional protection.
  • Match settings to AWS requirements for smooth FortiGate AWS integration.

Image description

6. On-Premise FortiGate Configuration

VPC Tunnel Configuration:

  • Configure the tunnel with your IP: X.X.X.X/255.255.X.X.
  • Steps:
  • Select the VPN name.
  • Set a remote IP address.
  • Configure policy and routing.
  • Set a static IP and interface:
  • Enter the pre-shared key.
  • Add encryption and authentication settings, ensuring Diffie-Hellman group number 2 is selected.
  • Go to Phase 2 and select the subnet as specified in the AWS documentation.
  • Add static routes based on AWS documentation.
  • Configure firewall policies:
  • Interface: fg_lan 192.168.X.X/24 for incoming traffic from the internal network.
  • Set the outgoing interface to the VPN tunnel.
  • For AWS LAN (10.40.0.0/16):
  • Set incoming traffic from the VPN tunnel.
  • Configure outgoing traffic to the internal network. ### 7. Finalize and Validate

FortiClient VPN Setup:

  • Access the FortiClient VPN URL (Replace with your IP and PORT): https://X.X.X.X:PORT/remote/login?lang=en.
  • Configure the connection:
  • Connection Name: [Provide your connection name].
  • Description: [Add a brief description].
  • Remote Gateway (Replace with your IP): X.X.X.X (provided by AWS).
  • Authentication Method: Pre-shared key.
  • EAP Method: Prompt on login.
  • Failover SSL VPN: None.
  • Save the settings.

Testing:

  • Select the VPN connection and enter your credentials:
  • Username: [Your username].
  • Password: [Your password].
  • Ping the private EC2 instance to validate connectivity.

Conclusion

Configuring an AWS Site-to-Site VPN with a FortiGate firewall not only combines the scalability and flexibility of the AWS cloud with the advanced security features of Fortinet but also establishes a foundation for a robust hybrid cloud architecture. By following this guide, you’ll enable a secure, reliable, and efficient bridge between your on-premises network and AWS VPC, ensuring uninterrupted operations and enhanced data protection.
Image description

Source Link: AWS Site-to-Site VPN Setup with FortiGate Firewall: A Complete Guide

profile
Hostinger
 Promoted

Hostinger image

Get n8n VPS hosting 3x cheaper than a cloud solution

Get fast, easy, secure n8n VPS hosting from $4.99/mo at Hostinger. Automate any workflow using a pre-installed n8n application and no-code customization.

Start now

Top comments (0)

profile
Neon
 Promoted

Billboard image

Create up to 10 Postgres Databases on Neon's free plan.

If you're starting a new project, Neon has got your databases covered. No credit cards. No trials. No getting in your way.

Try Neon for Free →

Read next

xtirian profile image

A quick introduction about Web Development

Matheus Fernandes -

hotfixhero profile image

Mindfulness and Coding: Techniques to Enhance Focus and Reduce Stress

HotfixHero -

theplebdev profile image

Basic hit detection in C++ for Android Game devs

Tristan Elliott -

bendirtdev profile image

Setting the correct database connection on production with Render

Ben Purinton -

👋 Kindness is contagious

Please leave a ❤️ or a friendly comment on this post if you found it helpful!

Okay