

AWS VPN Fortigate設定

Last updated at Posted at 2017-11-06

AWS-VPN-Fortigate

FortigateとのAWSのVPN接続を行う際の設定例

検証機:FortiGate-60C
ファームウェア: FortiOS 5.0+

  • BGPにて経路を学習
  • 経路集約を実施
  • 暗号化強度を変更(dh14/aes256/sha256)

Config

IPSEC

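# IPSEC 0
# Phase 1 (IKE) for tunnel 0, terminated on wan1 toward the first AWS
# tunnel endpoint. DH group 14 with AES256/SHA256 and a 28800s lifetime are
# the strengthened settings this article targets (AWS tunnel options must be
# set to match). DPD with a 10s retry lets a dead peer be noticed quickly so
# BGP can move traffic to tunnel 1.
# <<Secret-Key-0>> is the pre-shared key from the AWS-generated tunnel
# configuration; it is the only secret in this file, so keep this stanza out
# of shared or versioned copies.
# Note: "set dpd enable" is the FortiOS 5.0/5.2 syntax; later releases use
# on-idle/on-demand instead - check the release notes for the firmware in use.
# The object name is quoted here so it matches the phase2 and
# system-interface stanzas that reference it.
config vpn ipsec phase1-interface
 edit "vpn-<<ID>>-0"
  set interface "wan1"
  set local-gw <<Local-Global-IP-0>>
  set remote-gw <<Remote-Global-IP-0>>
  set psksecret <<Secret-Key-0>>
  set dhgrp 14
  set proposal aes256-sha256
  set keylife 28800
  set dpd enable
  set dpd-retryinterval 10
 next
end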

# Phase 2 (IPsec SA) for tunnel 0, bound to the phase 1 above by name.
# PFS with DH group 14 and AES256/SHA256 mirror the phase 1 choices; the
# 3600s SA lifetime is the phase 2 value the AWS side expects.
config vpn ipsec phase2-interface
 edit "vpn-<<ID>>-0"
  set phase1name "vpn-<<ID>>-0"
  set pfs enable
  set dhgrp 14
  set proposal aes256-sha256
  set keylifeseconds 3600
 next
end

# Tunnel interface for tunnel 0: the /32 inside-tunnel address and the AWS
# peer address that BGP will peer over. Only ping is allowed on the
# interface itself (for reachability checks); management access stays off.
# tcp-mss 1350 clamps TCP segments so they fit inside the IPsec tunnel
# without fragmentation - it is the value AWS's sample FortiGate config uses.
config system interface
 edit "vpn-<<ID>>-0"
  set vdom "root"
  set ip <<Tunnel-Local-IP-0>> 255.255.255.255 
  set allowaccess ping 
  set type tunnel 
  set tcp-mss 1350
  set remote-ip <<Tunnel-Remote-IP-0>>
  set interface "wan1"
 next
end

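# IPSEC 1
# Phase 1 (IKE) for tunnel 1 - the second AWS tunnel endpoint, identical to
# tunnel 0 apart from the gateway addresses and pre-shared key. Keeping both
# tunnels on the same DH group / proposal / lifetimes avoids a mismatch when
# BGP fails over from one tunnel to the other.
# <<Secret-Key-1>> is a secret from the AWS-generated configuration; keep it
# out of shared or versioned copies of this file.
# Note: "set dpd enable" is the FortiOS 5.0/5.2 syntax; later releases use
# on-idle/on-demand instead - check the release notes for the firmware in use.
# The object name is quoted here so it matches the phase2 and
# system-interface stanzas that reference it.
config vpn ipsec phase1-interface
 edit "vpn-<<ID>>-1"
  set interface "wan1"
  set local-gw <<Local-Global-IP-1>>
  set remote-gw <<Remote-Global-IP-1>>
  set psksecret <<Secret-Key-1>>
  set dhgrp 14
  set proposal aes256-sha256
  set keylife 28800
  set dpd enable
  set dpd-retryinterval 10
 next
end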

# Phase 2 (IPsec SA) for tunnel 1, bound to its phase 1 by name.
# Same PFS / DH group 14 / AES256-SHA256 / 3600s settings as tunnel 0 so
# both tunnels negotiate identically.
config vpn ipsec phase2-interface
 edit "vpn-<<ID>>-1"
  set phase1name "vpn-<<ID>>-1"
  set pfs enable
  set dhgrp 14
  set proposal aes256-sha256
  set keylifeseconds 3600
 next
end

# Tunnel interface for tunnel 1: inside-tunnel /32 address and the AWS peer
# address for the second BGP session. Only ping is allowed on the interface;
# tcp-mss 1350 is the same anti-fragmentation clamp as on tunnel 0.
config system interface
 edit "vpn-<<ID>>-1"
  set vdom "root"
  set ip <<Tunnel-Local-IP-1>> 255.255.255.255 
  set allowaccess ping 
  set type tunnel 
  set tcp-mss 1350
  set remote-ip <<Tunnel-Remote-IP-1>>
  set interface "wan1"
 next
end

BGP

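# BGP 0/1
# One BGP process with a session to each AWS tunnel endpoint. Both neighbors
# live in the same neighbor table and each entry is closed with "next"; the
# original listing opened "config neighbor" twice and closed each entry with
# "end", which FortiOS tolerates but which reads as two separate tables and
# is easy to get wrong when a third neighbor is added.
# holdtime 30 / keepalive 10 are the timers the AWS-generated sample uses;
# graceful-restart keeps forwarding through a BGP restart so a brief tunnel
# flap is less disruptive.
# aggregate-address with summary-only advertises only the summary prefix
# toward AWS and suppresses the more-specific <<Network-Address>> route
# once "config network" has injected it into the BGP table.
config router bgp
 set as <<BGP-Local-AS>>
 set holdtime-timer 30
 set keepalive-timer 10
 set graceful-restart enable
 config neighbor
  edit <<BGP-Neighbor-IP-0>>
   set remote-as <<BGP-Remote-AS>>
  next
  edit <<BGP-Neighbor-IP-1>>
   set remote-as <<BGP-Remote-AS>>
  next
 end
 config aggregate-address
  edit 1
   set prefix <<Aggregate-Address>>/<<Aggregate-Prefix>>
   set summary-only enable
  next
 end
 config network
  edit 1
   set prefix <<Network-Address>> <<Subnet-Mask>>
  next
 end
end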

Firewall Policy

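# FW 0
# Policy 100: traffic arriving from tunnel 0 into the LAN.
# srcaddr/dstaddr are left as "all" so the example works unchanged, but in
# production replace them with address objects for the VPC CIDR and the
# internal subnet so the tunnel can reach only what AWS actually needs.
# logtraffic all records every session matched by this policy - an
# any/any accept from a VPN into the LAN is exactly the policy whose
# sessions you want in the logs when something is investigated.
config firewall policy
 edit 100
  set srcintf "vpn-<<ID>>-0"
  set dstintf "internal"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
  set logtraffic all
 next
end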

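# Policy 101: traffic from the LAN out through tunnel 0.
# As with policy 100, "all" should be narrowed to the internal subnet
# (source) and the VPC CIDR (destination) in production, and logtraffic
# all is enabled so outbound sessions toward AWS are recorded.
config firewall policy
 edit 101
  set srcintf "internal"
  set dstintf "vpn-<<ID>>-0"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
  set logtraffic all
 next
end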

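# FW 1
# Policy 102: traffic arriving from tunnel 1 into the LAN - the mirror of
# policy 100 so both tunnels are usable after a BGP failover.
# Narrow srcaddr/dstaddr to the VPC CIDR and internal subnet in production;
# logtraffic all keeps a record of every session through this policy.
config firewall policy
 edit 102
  set srcintf "vpn-<<ID>>-1"
  set dstintf "internal"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
  set logtraffic all
 next
end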

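# Policy 103: traffic from the LAN out through tunnel 1 - the mirror of
# policy 101. Same production caveat (replace "all" with the internal
# subnet and VPC CIDR) and the same session logging.
config firewall policy
 edit 103
  set srcintf "internal"
  set dstintf "vpn-<<ID>>-1"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
  set logtraffic all
 next
end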