Aviatrix Gateway to FortiGate

Overview

This document describes how to configure an IPsec tunnel between an Aviatrix Gateway and a FortiGate firewall using Aviatrix Site2Cloud. This task is divided into two parts:

  1. Configure a Site2Cloud tunnel in Aviatrix Controller
  2. Configure VPN tunnel and related components in the FortiGate Firewall

Aviatrix Configuration

Add a Site2Cloud tunnel in the Aviatrix Controller

Follow the steps in this guide.

Tip

Download the configuration to aid in the creation of the tunnel in FortiGate. The configuration can be downloaded from the Aviatrix Controller UI > Site2Cloud > Select the connection created earlier> Download Configuration. Select Generic for Vendor and Platform and Vendor independent for Software.

imagedownloadconfiguration

FortiGate Configuration

The configuration and screenshots below make the following three assumptions:

  • There are 2 interfaces on the FortiGate:

    • Interface port1 is an externally facing interface.
    • Interface port2 is an internally facing interface.
  • You have a subnet in AWS, Azure, or GCP in a VPC (or VNet/Project, respectively) that has an Aviatrix Gateway. This subnet is defined as 10.0.0.0/16 for the examples below but it can be any valid CIDR range.

    Note

    In the examples below we refer to this range as AWS_Cloud.

  • You have a subnet behind your FortiGate firewall that will be accessible in the cloud. This subnet is defined as 172.16.0.0/20 in the examples below but it can be any valid CIDR range.

    Note

    In the examples below we refer to this range as Shared_With_AWS

Configure Named Address Ranges in FortiGate

Access the FortiGate Dashboard, then: under Policy & Objects > Addresses, create two new addresses:

AWS_Cloud

imageawscloudconfig

Shared_With_AWS

imagesharedwithawsconfig

Create an IPsec tunnel on FortiGate

  1. Log in to the FortiGate and access the Dashboard.

  2. In the VPN menu, select IPsec Wizard.

  3. Change the Template Type to Custom.

  4. Enter any value as the Name. For this example we are using “ToAviatrixGW”

  5. Click Next >.

  6. Fill out the Network fields as recommended below:

    VPN Setup

    Field Expected Value
    Name Any Value
    Template Type Custom

    imagevpnwizard

    Network

    Field Expected Value
    IP Version IPv4
    Remote Gateway Static IP Address
    IP Address Public IP address of Aviatrix Gateway
    Interface Select the Appropriate Port/Interface
    Local Gateway Disabled
    Mode Config Unchecked
    NAT Traversal Enable
    Keepalive Frequency Any value
    Dead Peer Detection On Demand
    Forward Error Correction Unchecked
    Advanced Options Disabled

    imagenetworkconfig

    Authentication

    Field Expected Value
    Method Pre-shared Key
    Pre-shared Key Enter the value from the downloaded configuration or the value typed in to the field in Aviatrix Site2Cloud
    IKE Version 1
    IKE Mode Main (ID protection)

    imageauthentication

    Phase 1 Proposal

    Important

    The following values from the Aviatrix Site2Cloud configuration are needed below:

    1. In the Aviatrix Controller, select the Site2Cloud configuration created earlier
    2. Click imageThreeLines next to Connect Detail

    imageconnectiondetails

    Field Expected Value
    Encryption Match value specified in Aviatrix S2C configuration (Phase 1 Encryption)
    Authentication Match value specified in Aviatrix S2C configuration (Phase 1 Authentication)
    Diffie-Hellman Group Match value specified in Aviatrix S2C configuration (Phase 1 DH Groups)
    Key Lifetime (seconds) 28800
    Local ID Leave Blank

    imagephase1proposal

    XAUTH

    Field Expected Value
    Type Disabled

    imagexauth

    Phase 2 Selectors

    New Phase 2

    Field Expected Value
    Name Any String Value
    Comments Any String Value
    Local Address Named Address - Shared_With_AWS
    Remote Address Named Address - AWS_Cloud

    imagephase2selector

    Advanced

    Important

    The following values from the Aviatrix Site2Cloud configuration are needed below:

    1. In the Aviatrix Controller, select the Site2Cloud configuration created earlier.
    2. Click imageThreeLines next to Connection Detail.

    imageconnectiondetails2

    imagephase2advanced

  7. Click OK

Configure IPv4 Policy

In Policy & Objects, select IPv4 Policy. Create two new IPv4 policies:

  • Outbound traffic from FortiGate (Shared_With_AWS) to Aviatrix (AWS_Cloud)

    imageip4outboundpolicy

  • Inbound traffic from Aviatrix (AWS_Cloud) to FortiGate (Shared_With_AWS)

    imageip4inboundpolicy

Note

The reference to port2 in the screenshots should be replaced with your own interface name that represents the internal facing interface.

Note

Be sure to select accept for action and select all for service!

Add a Static Route

From the FortiGate UI: Network > Static Routes, add a new static route for traffic destined to AWS_Cloud to use the VPN tunnel.

imagestaticroute

Note

If Named Address is disabled, be sure that you enabled Static Route Configuration on the Address configuration.

imageaddressstaticconfig

Bring Up IPSec Monitor

From the FortiGate UI: In Monitor > IPSec Monitor, select the Aviatrix tunnel and click Bring Up.

Test

Once complete, test the communication using the tunnel.

Troubleshooting

Error Message

failed to get valid proposal

no suitable proposal found

Solution

Check that the Phase 1 authentication, encryption, and Diffie-Hellman groups match on both sides.

If you are experiencing low IPsec throughput, you may want to configure two commands on the Fortigate.

config system global
set ipsec-asic-offload disable
end

configure system global
set ipsec-hmac-offload disable
end