Aviatrix Gateway to FortiGate

This document describes how to configure an IPsec tunnel between an Aviatrix Gateway and a FortiGate firewall using Aviatrix Site2Cloud. This task is divided into two parts:

  1. Configure a Site2Cloud tunnel in Aviatrix CoPilot.

  2. Configure a VPN tunnel and related components in the FortiGate Firewall.

Setting up External (S2C) Connection

  1. In Aviatrix CoPilot, launch an Aviatrix Transit Gateway.

  2. Navigate to Networking > Connectivity > External Connections (S2C) and click Add New to create a Site2Cloud connection using the values for one of the below options (for either you can select either PSK or certificate-based authentication).

  3. After the connection is created, select the vertical ellipsis 25 menu for that connection and select Download Configuration.

  4. Select Generic from the Vendor dropdown list and click the Download to download the external (S2C) configuration. Use this configuration file to configure the tunnels and interfaces in your Fortinet FortiGate firewall.

FortiGate Configuration

The configuration and screenshots below make the following three assumptions:

  • There are two interfaces on the FortiGate:

    • Interface port1 is an externally facing interface.

    • Interface port2 is an internally facing interface.

  • You have a subnet in AWS, Azure, or GCP in a VPC/VNet that has an Aviatrix Gateway. This subnet is defined as "10.0.0.0/16" for the examples below but it can be any valid CIDR range.

    In the examples below this range is referred to as AWS_Cloud.

  • You have a subnet behind your FortiGate firewall that will be accessible in the cloud. This subnet is defined as "172.16.0.0/20" in the examples below but it can be any valid CIDR range.

    In the examples below, this range is referred to as Shared_With_AWS.

Configuring Named Address Ranges in FortiGate

Access the FortiGate Dashboard. Under Policy & Objects > Addresses, create two new addresses: AWS_Cloud and Shared_With_AWS.

AWS_Cloud

Field Expected Value

Name

AWS_Cloud

Type

Subnet

Subnet / IP Range

CIDR matching the range specified in tunnel configuration (remote to FortiGate)

Interface

Any

Show in Address List

Enabled

Static Route Configuration

Enabled
imageawscloudconfig

Shared_With_AWS

Field Expected Value

Name

Shared_With_AWS

Type

Subnet

Subnet / IP Range

CIDR matching the range specified in tunnel configuration (local to FortiGate)

Interface

Any

Show in Address List

Enabled

Static Route Configuration

Enabled
:haredwithawsconfig

Creating an IPsec Tunnel on FortiGate

  1. Log in to the FortiGate and access the Dashboard.

  2. In the VPN menu, select IPsec Wizard.

  3. Change the Template Type to "Custom."

  4. Enter any value as the Name. For this example, we are using "aviatrix-gatew."

  5. Click Next >.

  6. Fill out the Network fields as recommended below:

Field

Expected Value

Name

aviatrix-gatew (for example)

Template Type

Custom
600

New VPN Tunnel Tab

Complete the Network fields on the New VPN Tunnel tab as follows:

Network section of New VPN Tunnel Tab

Field Expected Value

IP Version

IPv4

Remote Gateway

Static IP Address

IP Address

Public IP address of Aviatrix Gateway

Interface

Select the Appropriate Port/Interface

Local Gateway

Disabled

Mode Config

Unmark this checkbox

NAT Traversal

Enable

Keepalive Frequency

Any value

Dead Peer Detection

On Demand

Forward Error Correction

Unmark this checkbox

Advanced Options

Disabled
400

Authentication section of New VPN Tunnel Tab

Field Expected Value

Method

Pre-shared Key

Pre-shared Key

Enter the value from the downloaded configuration or the value typed in to the field in Aviatrix Site2Cloud

IKE Version

1

IKE Mode

Main (ID protection)
400

Phase 1 Proposal section of New VPN Tunnel Tab

Field Expected Value

Encryption

Match value specified in Aviatrix S2C configuration (Phase 1 Encryption)

Authentication

Match value specified in Aviatrix S2C configuration (Phase 1 Authentication)

Diffie-Hellman Group

Match value specified in Aviatrix S2C configuration (Phase 1 DH Groups)

Key Lifetime (seconds)

28800

Local ID

Leave Blank
400

XAUTH section of New VPN Tunnel Tab

Field Expected Value

Type

Disabled
500

Phase 2 Selectors > New Phase 2 seciton of New VPN Tunnel Tab

Field Expected Value

Name

Any String Value

Comments

Any String Value

Local Address

Named Address - Shared_With_AWS

Remote Address

Named Address - AWS_Cloud
500

Advanced section of New VPN Tunnel Tab

Obtain the values from the downloaded configuration file.
Field Expected Value

Encryption

Match value specified in Aviatrix S2C configuration (Phase 2 Encryption)

Authentication

Match value specified in Aviatrix S2C configuration (Phase 2 Authentication)

Diffie-Hellman Group

Match value specified in Aviatrix S2C configuration (Phase 2 DH Groups)

Key Lifetime (seconds)

3600
400

  1. Click OK.

  2. Navigate to Network > Interfaces.

  3. Click on the Tunnel created above (e.g. aviatrix-gatew) and assign the IP address from the downloaded configuration file.

    fortigate14

Configure IPv4 Policy

  1. Go to Policy & Objects > IPv4 DoS Policy.

  2. Create two new IPv4 policies:

    • Outbound traffic from FortiGate (Shared_With_AWS) to Aviatrix (AWS_Cloud)

      400

    • Inbound traffic from Aviatrix (AWS_Cloud) to FortiGate (Shared_With_AWS)

      400

The reference to port2 in the screenshots should be replaced with your own interface name that represents the internal facing interface.

Be sure to select ACCEPT for "action" and select ALL for "service."

Adding a Static Route

In the FortiGate UI, go to Network > Static Routes and add a new static route for traffic destined to "AWS_Cloud" to use the VPN tunnel.

:taticroute

If Named Address is disabled, be sure that you enabled Static Route Configuration on the Address configuration.

imageaddressstaticconfig

IPsec Monitor

  1. In the Fortigate UI, navigate to Dashboard > Network and click the IPsec widget.

  2. Select the Aviatrix tunnel, and click Bring Up.

  3. You can then check the tunnel status in CoPilot under Diagnostics > Cloud Routes.

Troubleshoot

Error Message

failed to get valid proposal

no suitable proposal found

Solution

Check that the Phase 1 authentication, encryption, and Diffie-Hellman groups match on both sides.

If you are experiencing low IPsec throughput, you may want to configure two commands on the Fortigate.

 config system global
set ipsec-asic-offload disable
end
 configure system global
set ipsec-hmac-offload disable
end