AWS-VPN-Fortigate
FortigateとのAWSのVPN接続を行う際の設定例
検証機:FortiGate-60C
ファーム:fortios 5.0+
- BGPにて経路を学習
- 経路集約を実施
- 暗号化強度を変更(dh14/aes256/sha256)
Config
IPSEC
# IPSEC 0
# Phase 1 (IKE) for the first AWS tunnel. Every <<...>> placeholder is taken
# from the AWS-side VPN configuration; there are no literal addresses or keys here.
config vpn ipsec phase1-interface
# NOTE(review): the name is unquoted here but quoted in the phase2/interface
# sections below; both forms refer to the same object, quote it for consistency.
edit vpn-<<ID>>-0
set interface "wan1"
# Dead peer detection; the retry interval is set at the end of this entry.
set dpd enable
set local-gw <<Local-Global-IP-0>>
# DH group 14 / AES-256 / SHA-256: the strengthened proposal listed in the README.
set dhgrp 14
set proposal aes256-sha256
# Phase-1 lifetime in seconds.
set keylife 28800
set remote-gw <<Remote-Global-IP-0>>
# Pre-shared key; treat any exported copy of this config as a secret.
set psksecret <<Secret-Key-0>>
set dpd-retryinterval 10
next
end
# Phase 2 (IPsec SA) for tunnel 0, bound to the phase-1 entry of the same name.
config vpn ipsec phase2-interface
edit "vpn-<<ID>>-0"
set phase1name "vpn-<<ID>>-0"
# Same AES-256/SHA-256 suite as phase 1, with PFS on DH group 14.
set proposal aes256-sha256
set dhgrp 14
set pfs enable
# Phase-2 lifetime in seconds (shorter than the 28800 s phase-1 lifetime).
set keylifeseconds 3600
next
end
# Tunnel interface for tunnel 0: inside (point-to-point) addressing used by the
# BGP session, layered on wan1.
config system interface
edit "vpn-<<ID>>-0"
set vdom "root"
# Local tunnel inside address as a /32; the peer is given via remote-ip.
set ip <<Tunnel-Local-IP-0>> 255.255.255.255
# Administrative access on the tunnel interface limited to ping.
set allowaccess ping
set type tunnel
# TCP MSS clamp for traffic carried over the tunnel.
set tcp-mss 1350
set remote-ip <<Tunnel-Remote-IP-0>>
set interface "wan1"
next
end
# IPSEC 1
# Phase 1 (IKE) for the second AWS tunnel; identical settings to tunnel 0 apart
# from the per-tunnel placeholders (gateway addresses and key).
config vpn ipsec phase1-interface
# NOTE(review): unquoted name here, quoted elsewhere; same object, quote it for consistency.
edit vpn-<<ID>>-1
set interface "wan1"
# Dead peer detection; retry interval set below.
set dpd enable
set local-gw <<Local-Global-IP-1>>
# DH group 14 / AES-256 / SHA-256, matching tunnel 0.
set dhgrp 14
set proposal aes256-sha256
# Phase-1 lifetime in seconds.
set keylife 28800
set remote-gw <<Remote-Global-IP-1>>
# Pre-shared key for tunnel 1; distinct from tunnel 0's key.
set psksecret <<Secret-Key-1>>
set dpd-retryinterval 10
next
end
# Phase 2 (IPsec SA) for tunnel 1, bound to the phase-1 entry of the same name.
config vpn ipsec phase2-interface
edit "vpn-<<ID>>-1"
set phase1name "vpn-<<ID>>-1"
# AES-256/SHA-256 with PFS on DH group 14, same as tunnel 0.
set proposal aes256-sha256
set dhgrp 14
set pfs enable
# Phase-2 lifetime in seconds.
set keylifeseconds 3600
next
end
# Tunnel interface for tunnel 1: inside addressing for the second BGP session.
config system interface
edit "vpn-<<ID>>-1"
set vdom "root"
# Local tunnel inside address as a /32; peer given via remote-ip.
set ip <<Tunnel-Local-IP-1>> 255.255.255.255
# Administrative access on the tunnel interface limited to ping.
set allowaccess ping
set type tunnel
# TCP MSS clamp for traffic carried over the tunnel.
set tcp-mss 1350
set remote-ip <<Tunnel-Remote-IP-1>>
set interface "wan1"
next
end
BGP
# BGP 0/1
# One BGP process with one neighbor per tunnel, so routes are learned from AWS
# over both tunnels. The local network is advertised and summarised.
config router bgp
set as <<BGP-Local-AS>>
# Hold 30 s / keepalive 10 s.
set holdtime-timer 30
set keepalive-timer 10
set graceful-restart enable
# Neighbor reached over tunnel 0.
config neighbor
edit <<BGP-Neighbor-IP-0>>
set remote-as <<BGP-Remote-AS>>
end
# Neighbor reached over tunnel 1.
config neighbor
edit <<BGP-Neighbor-IP-1>>
set remote-as <<BGP-Remote-AS>>
end
# NOTE(review): neither neighbor has an inbound prefix filter; consider a
# prefix-list-in restricted to the expected VPC range so an unexpected
# advertisement from the peer cannot redirect other traffic into the tunnel.
# Aggregate advertised in place of its components (summary-only).
config aggregate-address
edit 1
set prefix <<Aggregate-Address>>/<<Aggregate-Prefix>>
set summary-only enable
end
# Local network injected into BGP.
config network
edit 1
set prefix <<Network-Address>> <<Subnet-Mask>>
end
end
Firewall Policy
# FW 0
# Policy 100: tunnel 0 -> internal. Any source, any destination, all services.
# NOTE(review): this is a permit-all in both address and service terms and has
# no traffic logging (logtraffic); once the tunnel is verified, narrow srcaddr/
# dstaddr to the VPC and LAN address objects and the required services, and
# enable logging so tunnel traffic is visible to monitoring. The same applies
# to policies 101-103 below.
config firewall policy
edit 100
set srcintf "vpn-<<ID>>-0"
set dstintf internal
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
next
end
# Policy 101: internal -> tunnel 0, the return direction of policy 100.
# Permit-all on address and service; no logtraffic configured.
config firewall policy
edit 101
set srcintf internal
set dstintf "vpn-<<ID>>-0"
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
next
end
# FW 1
# Policy 102: tunnel 1 -> internal, mirroring policy 100 for the second tunnel.
# Permit-all on address and service; no logtraffic configured.
config firewall policy
edit 102
set srcintf "vpn-<<ID>>-1"
set dstintf internal
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
next
end
# Policy 103: internal -> tunnel 1, the return direction of policy 102.
# Permit-all on address and service; no logtraffic configured.
config firewall policy
edit 103
set srcintf internal
set dstintf "vpn-<<ID>>-1"
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
next
end