
AWS Site-to-Site VPN Configuration Guide for FortiGate Firewalls

19 minute read
Content level: Advanced

This guide walks users through the process of configuring a Site-to-Site VPN connection between an AWS Transit Gateway and a FortiGate firewall.

Introduction

This article guides you through configuring a Site-to-Site VPN between an AWS Transit Gateway with a VPN attachment and a Fortinet FortiGate firewall. It also covers exchanging IPv4 routes using BGP to minimize manual effort, and controlling route advertisement using BGP policies. We recommend you use BGP-capable devices, when available, because the BGP protocol offers robust capabilities to assist failover to the second VPN tunnel if the first tunnel goes down.

This guide covers:

  • Creating a Customer Gateway on AWS
  • Creating a Site-to-Site VPN connection
  • Creating a Site-to-Site VPN connection on a Fortinet FortiGate firewall
  • Creating policy rules that are required to establish a Site-to-Site VPN connection to AWS
  • Establishing BGP sessions between your Transit Gateway (TGW) and a FortiGate firewall
  • Verifying the connectivity between AWS and the FortiGate firewall across the VPN tunnel

Pre-requisites

  • Familiarity with AWS Virtual Private Cloud (VPC), Transit Gateway, as well as VPC and TGW route tables.
  • A TGW configured in your AWS account.
  • VPCs attached to the TGW.
  • Familiarity with BGP. For more information on BGP, please visit this guide.
  • A Fortinet FortiGate firewall running FortiOS. This guide was written using FortiGate firewalls running FortiOS v7.4.7.
  • One FortiGate firewall interface that is configured with a static and publicly routable IPv4 address.
  • A default route configured on the FortiGate firewall pointing to the internet.

Note: the outside IPv4 address can be private if it is behind a Network Address Translation (NAT) device. In that case, the VPN traffic will use UDP port 4500 instead of the traditional UDP port 500. Supporting a private IP address requires further configuration that is not covered in this guide.

Guide Architecture Overview

Figure 1: Guide architecture overview

The above diagram summarizes the architecture used in this guide. In the guide, we have 3 VPCs configured with IPv4 CIDRs. The 3 VPCs are attached to the transit gateway. Each VPC has applications running on port 80 with no access to the internet. The VPC CIDR blocks are configured as follows: VPC A - 10.50.0.0/16, VPC B - 10.60.0.0/16, VPC C - 10.70.0.0/16. The on-premises subnet is configured with a CIDR of 10.1.4.0/22.

Part 1: Configure the Customer Gateway on the AWS console

Navigate to VPC > Virtual Private Network > Customer Gateways

Select Create customer gateway:

  • Enter the customer gateway Name tag.
  • Enter a BGP ASN (autonomous system number). We are using ASN 65501 for the FortiGate firewall (Customer Gateway) and 64512 for the Transit Gateway. For more details about using a BGP ASN with an AWS Site-to-Site VPN, please refer to this guide.
  • Enter the Public IP address of the FortiGate firewall. In this guide, we are using interface Ethernet 1/1 on the FortiGate firewall.
  • In this guide, we will use the pre-shared key method for authentication. Do not select a certificate ARN if you are following this guide. For more details about using certificate-based authentication with a Site-to-Site VPN, please refer to this guide.
  • When finished, select Create customer gateway.

Figure 2: Creating the customer gateway

Part 2: Configure the AWS Site-to-Site VPN connection and associate it with the Transit Gateway

In this section, we will configure the VPN tunnels. AWS recommends using Internet Key Exchange version 2 (IKEv2) where possible, because of the lower overhead in establishing a tunnel and enhanced health check functionality, as compared to IKEv1. For more information on the benefits of IKEv2 with FortiGate, refer to this guide.

Navigate to VPC > Virtual Private Network (VPN) > Site-to-Site VPN connections

Select Create VPN Connection:

  • Enter the VPN connection Name
  • Select Transit gateway in Target gateway type and select the desired transit gateway.
  • In the Customer gateway section, choose existing and select the customer gateway that was created in Part 1.
  • In the Routing options section, choose Dynamic (requires BGP).
  • For Tunnel inside IP version, select IPv4.
  • Using an Accelerated Site-to-Site VPN connection is out of scope for this guide. For more details, refer to the User Guide.

Figure 3: Specifying the VPN connection details

  • Expand the Tunnel 1 and Tunnel 2 options section.
  • For the Local and Remote IPv4 network CIDR sections, leave the default 0.0.0.0/0. This will be controlled by firewall policy and routing advertisements, addressed in a later section of this guide.
  • Enable the tunnel activity log and tunnel endpoint lifecycle control. AWS Site-to-Site VPN logs provide you with deeper visibility into your Site-to-Site VPN deployments: the connection logs give details on IP Security (IPsec) tunnel establishment, IKE negotiations, and dead peer detection (DPD) protocol messages. Tunnel endpoint lifecycle control gives you control over the schedule of endpoint replacements.

Figure 4: Enable VPN tunnel logging

We recommend being more selective with IKE Phase 1 and Phase 2 parameters. These options can be modified by selecting "Edit tunnel (#) options". Your decisions will depend on your specific compliance and security requirements. For a list of supported parameters, please refer to the VPN tunnel options documentation. Ensure modifications in this section are applied to both VPN tunnels.

Figure 5: Specify advanced VPN tunnel IKEv2 and IPSEC options

Encryption algorithms

AWS supports both AES128-GCM-16 and AES256-GCM-16. We recommend AES256-GCM-16 where supported and within requirements.

Integrity algorithms

Integrity algorithms authenticate the sender and ensure that the message has not been modified in transit. Select your SHA algorithm based on your customer gateway device support and security requirements. If you don’t have specific requirements, then we recommend using SHA-384 because of its performance and security characteristics.

DH group numbers

A Diffie-Hellman (DH) group determines how key material is generated for encryption. As with SHA, we recommend you pick DH groups based on compatibility with your customer gateway device and your security requirements. If you don’t have specific requirements, then we recommend using DH group 20 because of its security characteristics.

IKE version

To establish an IPsec tunnel, the IKE protocol is used. IKE has two iterations: IKEv1 and IKEv2. We recommend using IKEv2, as it gives some key performance optimizations over IKEv1.

For more details on how AWS secures the IPsec tunnel and the shared responsibility model, please refer to this blog post, AWS Site-to-Site VPN, choosing the right options to optimize performance.

After the tunnel creation, a VPN connection summary will be displayed.

Figure 6: VPN connection summary

Part 3: Configure the Site-to-Site VPN connection on the FortiGate firewall

In this section, we will guide you on how to configure the FortiGate tunnel.

If you are using a virtual FortiGate firewall, all of the configuration in this section must be performed from the root Virtual Domain (VDOM). For more information on VDOM types, visit this guide.

The VPN IP address and PSK details can be found in the downloadable sample configuration file available in the AWS console. The configuration file can be downloaded by navigating to VPC > Site-to-Site VPN Connections. After selecting the correct VPN tunnel from the list, navigate to the Tunnel details tab. You will need to make note of the following information for each VPN tunnel:

  • Outside IP address
  • Inside IPv4 CIDR details (available in the downloadable configuration file)
    • Local IP: 169.254.x.x/30
    • Remote IP: 169.254.x.x/30
  • Pre-shared key (available in the downloadable configuration file).

Figure 7: VPN connection inside IPv4 CIDR blocks

In the FortiGate firewall, navigate to VPN > IPsec Wizard.

Enter a name for the VPN tunnel, and under Template type, select Custom. Take note of the VPN tunnel name as it will be used later in the configuration.

Figure 8: FortiGate VPN Creation Wizard

In the Remote Gateway field, select Static IP Address and enter the outside IP address of the AWS VPN tunnel. Set the Interface to the physical interface used as the WAN interface (wan1 in the example below).

Ensure the remaining settings are configured in the Network section as follows:

  • NAT Traversal: Disabled
  • Dead Peer Detection: On Idle

Figure 9: FortiGate New VPN Tunnel

In the Authentication section, enter the pre-shared key value for Tunnel 1 and select IKE Version 2.

Figure 10: FortiGate VPN connection authentication

For the Phase 1 proposal configuration settings, ensure that they match the supported encryption and authentication algorithms that you selected during the AWS Site-to-site VPN setup configuration.

  • In the Diffie-Hellman Group field, select 20.
  • Set the value of the Key Lifetime (seconds) to 28800.

Figure 11: FortiGate advanced phase 1 encryption settings

For the phase two configuration, we will need to set the phase 2 selectors. Since we are using a dynamic Site-to-Site VPN, we will be using a broad traffic selector to ensure coverage for all IP prefixes. To accomplish this, we will be configuring the following parameters for local address and remote address:

  • Local Address: 0.0.0.0/0
  • Remote Address: 0.0.0.0/0

Traffic can be limited using dynamic routing, and by setting firewall policies to restrict access.

In the Phase 2 Proposal section, expand the Advanced section and set the following parameters:

  • Encryption and Authentication should match the settings configured on the AWS VPN tunnel (AES256 and SHA256 in this example)
  • Select ‘Enable Replay Detection’
  • Select ‘Enable Perfect Forward Secrecy (PFS)’
  • Diffie-Hellman Group: select ‘20’ (in this example)
  • Select ‘Auto-negotiate’
  • Key Lifetime: 3600 seconds

Select OK to exit the New VPN Tunnel section.

Figure 12: FortiGate phase 2 settings

Repeat these same steps to configure the second VPN tunnel.

Part 4: Create firewall objects and firewall policies on the FortiGate

In this section we will be configuring firewall objects on the FortiGate. These firewall objects will then be referenced in the FortiGate firewall policies. The firewall policy is required to allow for the VPN to be established and to allow traffic into the tunnel.

  • In the Policy & Objects section, select Addresses and create a new firewall object. Specify the AWS VPC CIDR, leave Interface set to "any" (the default), then select OK. Please note that this guide uses a summary prefix (10.0.0.0/9) that covers all 3 of the AWS VPC CIDRs for simplicity. Please make sure you review and follow your organization’s security standards.

Figure 13: FortiGate address object creation

  • Create a firewall policy for the outgoing traffic. Go to Policy & Objects > Firewall Policy, and create a new policy. Enter a name for the policy and select the appropriate incoming/outgoing interfaces, source/destination address objects, and service objects. For the destination, reference the address object created in the previous step. FortiOS uses the specified source and destination values to decide whether traffic is allowed or denied. Because this configuration uses BGP to exchange routing information between on-premises and AWS, NAT must be disabled on this policy to avoid routing issues.

Figure 14: FortiGate new policy creation

  • Add the second VPN tunnel interface to this firewall policy. Under Policy & Objects > Firewall Policy, select the policy that was just created, choose "More" and select "Edit in CLI" to bring up the terminal session.

Figure 15: Choosing the "Edit in CLI" option for the FortiGate firewall policy

  • Modify the firewall policy by adding both VPN tunnel names to the dstintf statement. Note: You must enter the "end" command in order for the changes to be committed.
  • set dstintf "aws-vpn-1" "aws-vpn-2"

Figure 16: Editing the FortiGate firewall policy using the CLI

  • Follow the same steps to create another firewall policy for incoming traffic, mirroring the outgoing firewall policy configuration, with both VPN tunnel names in the srcintf statement.
  • set srcintf "aws-vpn-1" "aws-vpn-2"

Figure 17: Setting the source interface for the FortiGate firewall policy

  • Your policy should be similar to the screenshot below.

Figure 18: Confirmation of the FortiGate firewall policy settings
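The address object above uses the 10.0.0.0/9 summary prefix. As an added example (not part of the original guide), this standard-library Python snippet computes the tightest single prefix that covers the guide's three VPC CIDRs, how much address space the summary grants beyond them, whether it also covers the on-premises LAN 10.1.4.0/22, and the exact address objects you could use instead, which helps when reviewing the object against your organization's standards.

```python
import ipaddress

# Values from this guide: the three VPC CIDRs behind the Transit Gateway,
# the on-premises LAN, and the summary prefix used for the address object.
VPC_CIDRS = ["10.50.0.0/16", "10.60.0.0/16", "10.70.0.0/16"]
ON_PREM_LAN = "10.1.4.0/22"
SUMMARY_PREFIX = "10.0.0.0/9"

def smallest_supernet(cidrs):
    """Smallest single prefix that contains every network in cidrs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)

def coverage_report(cidrs, summary, other):
    """Compare a summary prefix with the networks it is meant to stand for:
    whether all of them are covered, how much extra address space the summary
    grants, which unrelated networks (other) it also covers, and the exact
    address objects that would avoid the excess."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    summ = ipaddress.ip_network(summary)
    intended = sum(n.num_addresses for n in nets)
    return {
        "all_intended_covered": all(n.subnet_of(summ) for n in nets),
        "summary_addresses": summ.num_addresses,
        "intended_addresses": intended,
        "excess_addresses": summ.num_addresses - intended,
        "also_covers": [o for o in other if ipaddress.ip_network(o).subnet_of(summ)],
        "exact_objects": [str(n) for n in ipaddress.collapse_addresses(nets)],
    }

if __name__ == "__main__":
    print("tightest single summary:", smallest_supernet(VPC_CIDRS))
    for key, value in coverage_report(VPC_CIDRS, SUMMARY_PREFIX, [ON_PREM_LAN]).items():
        print(f"{key}: {value}")
```

For the guide's CIDRs, 10.0.0.0/9 is indeed the tightest single prefix, but it also contains the on-premises LAN, so an address group of the three exact /16s is the least-privilege alternative.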

Part 5: Tunnel Interface Configuration

Configuring the Tunnel interfaces

In this section we will configure the tunnel interface. All VPN traffic will be routed through the tunnel interfaces.

Navigate to Network > Interfaces. Expand the Physical Interface section, then expand the section for your WAN port.

Figure 19: Selecting the wan1 interface on the FortiGate firewall

Configure the tunnel interface using the Inside IPv4 CIDR details that were previously gathered in Part 3 of this guide. This information is available in the VPN configuration file, and in the AWS Console under VPC > Site-to-Site VPN Connections in the Tunnel Details tab.

Select PING in the Administrative Access section to allow for troubleshooting and validation during the testing phase. Consider disabling this afterwards and follow your organization’s security standards.

Figure 20: Configuring the inside tunnel IP address on the FortiGate firewall

Repeat the same steps to configure the tunnel interface for the second VPN tunnel.

Part 6: BGP Routing Configuration

In this guide, we have enabled equal-cost multi-path routing (ECMP), allowing the FortiGate to use both VPN tunnels simultaneously. This configuration offers two key benefits:

  1. Increased network throughput by using both tunnels at the same time
  2. Better resource utilization by distributing traffic across both paths

For details on configuring ECMP on your FortiGate firewall, please refer to this guide. For more information on AWS Site-to-Site VPN bandwidth and throughput specifications, review this documentation.

Step 1: Enable ECMP on the Transit Gateway (optional)

If using the ECMP feature, you must also enable ECMP on your transit gateway by selecting the VPN ECMP support option, as shown below.

Figure 21: Configuring the VPN ECMP support option on the TGW

Step 2: Configure BGP on the FortiGate

This guide uses BGP within the tunnel to exchange prefixes between the Transit Gateway and the FortiGate VM. Note that the local BGP ASN of the Customer Gateway is configured with a value of 65501, matching Part 1. We will configure two BGP peering sessions, one for each tunnel interface.

Navigate to Network > BGP, enter the BGP ASN and a Router ID. In this guide, we are using the IP address of the customer gateway as the Router ID. You may select your own, as long as it is uniquely assigned to your FortiGate device. In the Neighbors section, select Create New.

Figure 22: Configuring the Local AS and Router ID on the FortiGate firewall

In the Add Neighbor section, enter the IP address of the remote tunnel interface and the "Remote AS", as specified in the Inside IPv4 CIDR details that were gathered in Part 3. Choose Apply to go back to the Local BGP Options section.

Notes:

  1. We are not entering a value for "Local AS" here as we have already set a value for "Local AS" at the global BGP level. The local AS under a BGP neighbor is primarily used to handle complex peering scenarios (such as AS number conflicts or multi-homing requirements). Review this technical article for additional details.
  2. AWS Site-to-Site VPN does not offer an option to add BGP password authentication as the BGP session is being established over an authenticated and encrypted VPN tunnel. Review this Re:Post article for additional details.

Repeat these steps for the remaining tunnel interface.

Figure 23: Configuring the BGP neighbor on the FortiGate firewall

In the Networks section, we will add the CIDRs that we want to advertise to the AWS TGW. In this guide, we are going to advertise the subnet for the LAN interface, 10.1.4.0/22. Please follow the security policy and standards for your organization. When finished, choose Apply. This route will be advertised to the AWS Transit Gateway BGP peers.

Figure 24: Configuring the local networks to advertise across the AWS VPN

We will use the CLI to configure eBGP multipath for increased throughput and load balancing across the two VPN tunnel interfaces. To launch a CLI session from the FortiOS web interface, select the CLI icon (>_).

Figure 25: Selecting the CLI icon in the FortiGate firewall

Run these commands to enable eBGP multipath.

  • config router bgp
  • set ebgp-multipath enable
  • end

Figure 26: FortiGate BGP configuration statements

Part 7: Verification & Testing

Step 1: AWS Console Checks

Now that the VPN connections are configured, we must verify connectivity. In the AWS console, navigate to VPC > Transit Gateways > Transit Gateway Route Tables.

Select your route table. If the VPN and BGP are functioning properly, the routes advertised via the FortiGate VPN will be listed in the TGW route table.

Figure 27: Viewing the TGW route table details

The AWS VPN tunnel status will show as Up, with the number of BGP routes received also displayed.

Figure 28: Viewing the AWS VPN tunnel status

Validate the health of the VPN connection by viewing the CloudWatch Logs log entries. In the AWS Console, navigate to CloudWatch > Logs > Log groups > <your VPN log group name>. The logs show various details indicating the status of the VPN connection, including IKE phase states. These logs are useful during troubleshooting or validation.

Figure 29: Viewing the VPN logs in CloudWatch Logs

Step 2: FortiGate Checks

On the FortiGate, navigate to VPN > IPsec Tunnels. The status of both tunnels will be "Up".

Figure 30: Validating the VPN tunnel status in the FortiGate firewall

Use the CLI to verify routing table information. To launch a CLI session from the FortiOS web interface, select the CLI icon (>_). Then issue the following commands:

  • get router info bgp summary

This command displays BGP neighbor status, and a detailed breakdown of BGP metrics.

  • get router info routing-table all

This command displays prefixes present in all route tables. The routes received from the Transit Gateway will appear as BGP prefixes.

Figure 31: Viewing the BGP route table using the FortiGate CLI
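The console checks in Step 1 and the tunnel options chosen in Part 2 can also be verified from the API. The following Python script is an added example, not code from the original guide or from AWS: it walks a describe_vpn_connections entry (a constructed sample is embedded, with documentation addresses standing in for the tunnel outside IPs) and reports, per tunnel, whether the tunnel is UP with BGP routes accepted and whether its options still permit anything beyond the Part 2 recommendations (AES256-GCM-16, SHA-384, DH group 20, IKEv2, logging and lifecycle control enabled).

```python
# Part 2 recommendations; anything a tunnel still permits beyond these is
# reported (it may be acceptable under your own requirements).
RECOMMENDED = {"EncryptionAlgorithms": {"AES256-GCM-16"},
               "IntegrityAlgorithms": {"SHA2-384"},
               "DHGroupNumbers": {20}}

def audit_tunnel(opt):
    """Findings for one TunnelOptions entry of describe_vpn_connections.
    An empty algorithm list means the option was left unrestricted."""
    findings = []
    for phase in ("Phase1", "Phase2"):
        for key, allowed in RECOMMENDED.items():
            got = {i["Value"] for i in opt.get(phase + key, [])}
            if not got:
                findings.append(f"{phase}{key} unrestricted")
            elif got - allowed:
                findings.append(f"{phase}{key} permits {sorted(got - allowed)}")
    ike = {i["Value"] for i in opt.get("IkeVersions", [])}
    if ike != {"ikev2"}:
        findings.append(f"IKE versions permitted: {sorted(ike) or 'unrestricted'}")
    if not opt.get("LogOptions", {}).get("CloudWatchLogOptions", {}).get("LogEnabled"):
        findings.append("tunnel activity logging disabled")
    if not opt.get("EnableTunnelLifecycleControl"):
        findings.append("tunnel endpoint lifecycle control disabled")
    return findings

def check_connection(conn):
    """Per-tunnel findings keyed by outside IP: telemetry health (Part 7),
    then the option audit (Part 2). An empty list means all clear."""
    opts = {o["OutsideIpAddress"]: o for o in conn["Options"]["TunnelOptions"]}
    report = {}
    for t in conn["VgwTelemetry"]:
        findings = []
        if t["Status"] != "UP":
            findings.append(f"tunnel {t['Status']}: {t.get('StatusMessage', '')}")
        elif t.get("AcceptedRouteCount", 0) == 0:
            findings.append("tunnel UP but no BGP routes accepted")
        ip = t["OutsideIpAddress"]
        report[ip] = findings + audit_tunnel(opts.get(ip, {}))
    return report

def _alg(*values):
    """Helper to write the sample below in the API's [{'Value': ...}] shape."""
    return [{"Value": v} for v in values]

# Constructed sample in the shape of one describe_vpn_connections entry;
# 203.0.113.x are documentation addresses standing in for tunnel outside IPs.
SAMPLE_CONNECTION = {
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 1},
        {"OutsideIpAddress": "203.0.113.20", "Status": "UP", "AcceptedRouteCount": 0}],
    "Options": {"TunnelOptions": [
        {"OutsideIpAddress": "203.0.113.10",  # hardened as Part 2 recommends
         "Phase1EncryptionAlgorithms": _alg("AES256-GCM-16"),
         "Phase2EncryptionAlgorithms": _alg("AES256-GCM-16"),
         "Phase1IntegrityAlgorithms": _alg("SHA2-384"), "Phase2IntegrityAlgorithms": _alg("SHA2-384"),
         "Phase1DHGroupNumbers": _alg(20), "Phase2DHGroupNumbers": _alg(20),
         "IkeVersions": _alg("ikev2"),
         "LogOptions": {"CloudWatchLogOptions": {"LogEnabled": True}},
         "EnableTunnelLifecycleControl": True},
        {"OutsideIpAddress": "203.0.113.20",  # partly left at defaults
         "Phase1EncryptionAlgorithms": _alg("AES128", "AES256-GCM-16"),
         "Phase2EncryptionAlgorithms": _alg("AES256-GCM-16"),
         "Phase1IntegrityAlgorithms": _alg("SHA2-384"), "Phase2IntegrityAlgorithms": _alg("SHA2-384"),
         "Phase1DHGroupNumbers": _alg(20), "Phase2DHGroupNumbers": [],
         "IkeVersions": _alg("ikev1", "ikev2"),
         "LogOptions": {"CloudWatchLogOptions": {"LogEnabled": False}},
         "EnableTunnelLifecycleControl": True}]}}
```

To run it against a real connection, replace SAMPLE_CONNECTION with one entry from boto3's ec2.describe_vpn_connections()["VpnConnections"].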

Part 8: Connectivity Test

To test our setup, we will be performing ICMP ping and HTTP requests from a server in the on-premises network.

  • The on-premises server IP is in the 10.1.4.0/22 network
  • Development VPC endpoint: 10.50.1.59
  • Staging VPC endpoint: 10.60.6.181
  • Production VPC endpoint: 10.70.2.117

Run a ping command with the syntax: ping <your IP address in a VPC> -c 1 to send an ICMP packet. Repeat this process for any other networks advertised from the Transit Gateway.

In this guide, we have web servers running in a VPC that are accessible over port 80. To test, run curl <your HTTP server IP address in a VPC> and observe the output.

Figure 32: Validating traffic from an Amazon EC2 instance to an on-premises server using ICMP and curl

For more information on curl, please refer to the documentation.

Part 9: Cleanup

The intention of this guide was to assist you in configuring a Site-to-Site VPN connection in a production environment. If this was created for temporary purposes, follow these steps to clean up your AWS environment so that you do not incur unnecessary costs.

  1. Clean up AWS resources.
    1. Delete the VPN connection.
      1. VPC > Virtual Private Network (VPN) > Site-to-Site VPN connections > Select the VPN connection > from Actions Menu > Select Delete VPN connection.
    2. Delete the customer gateway.
      1. VPC > Virtual Private Network (VPN) > Customer gateways > Select the customer gateway > from Actions Menu > Select Delete customer gateway.
  2. Clean up the FortiGate firewall configuration.
    1. Delete the BGP configuration.
      1. Delete both BGP peers by navigating to Network > BGP, selecting each peer and deleting it.
      2. Delete the BGP networks by navigating to Network > BGP > Networks and deleting each of the prefixes.
    2. Delete the firewall policies.
      1. Under Policy & Objects > Firewall Policy, delete each of the policies associated with the VPN tunnel interfaces.
    3. Delete the IPsec Tunnels by navigating to VPN > IPSec Tunnels.

Conclusion

In this guide, we have covered detailed best practices for configuring a Site-to-Site VPN connection between a FortiGate firewall and an AWS Transit Gateway with a VPN attachment, and validated connectivity.

When configuring security settings between a FortiGate firewall and AWS, always refer to the latest AWS Well-Architected Framework Security Pillar documentation, as well as FortiGate’s Key Firewall Best Practices.

Please see this related re:Post article to accomplish the same task but using IPv6 connectivity.

Authors: Carlos Bauer, Sreyansh Bhupal, Tyler Applebaum

Special thanks to: Pablo Sanchez Carmona, Nikesh Preethapal