
GCP - Cloud VPN Fortigate (Static)


Cloud VPN

FortigateとGCP Cloud VPNの接続を検証

・ドキュメント
https://cloud.google.com/compute/docs/vpn/creating-vpns#configuring_firewall_rules
https://cloud.google.com/compute/docs/cloudrouter
https://cloud.google.com/compute/docs/vpn/advanced
https://cloud.google.com/files/CloudVPNGuide-UsingCloudVPNwithFortinetFortiGate300C.pdf

GCP

構成


設定

  • スタティック経路
  • IKEv2
  • フェーズ1 AES256-SHA256
  • フェーズ2 AES256-SHA1
  • DH-Group14

パラメータ

ネットワーク設定情報

項目 内容
拠点側ネットワークアドレス 10.1.0.0 255.255.0.0
GCP側ネットワークアドレス 10.100.0.0 255.255.0.0
拠点側グローバルIPアドレス xxx.xxx.xxx.xxx
GCP側グローバルIPアドレス xxx.xxx.xxx.xxx
IKEバージョン v2
Pre-Shared Key XXXXXXXXXXXXXX(任意の文字列)

IKE Phase 1 情報

項目 内容
Encryption AES-256
Authentication SHA-256
DH Group 14

IKE Phase 2 情報

項目 内容
Encryption AES-256
Authentication SHA-1
DH Group 14

Fortigate Config

IPSEC

# IKEv2 phase 1 toward the GCP Cloud VPN gateway (route-based tunnel, static routing).
# <<...>> tokens are per-site placeholders; everything else is taken from the IKE
# parameter tables above.
config vpn ipsec phase1-interface
 edit vpn-<<ID>>-0
   # Physical interface the tunnel is built on; local-gw below is the site's
   # public address (拠点側グローバルIP in the parameter table) on that interface.
   set interface "wan1"
   # IKE version 2, per the IKEバージョン row of the parameter table.
   set ike-version 2
   # Dead peer detection so a silently dropped tunnel is detected and re-negotiated.
   # NOTE(review): newer FortiOS releases replace "enable" with on-idle/on-demand
   # for this option — confirm the keyword for the target firmware.
   set dpd enable
   set local-gw <<Local-Global-IP-0>>
   # DH group 14 (2048-bit MODP), as in the "DH Group 14" row of the phase 1 table.
   set dhgrp 14
   # AES-256 encryption with SHA-256 integrity, as in the phase 1 table.
   set proposal aes256-sha256
   # Phase 1 SA lifetime in seconds (8 h). Each side rekeys on its own timer, so
   # the two peers need not use the same value; confirm it against the linked
   # Cloud VPN documentation.
   set keylife 28800
   set remote-gw <<Remote-Global-IP-0>>
   # Pre-shared key: the table says "any string", but it should be a long random
   # value exchanged out-of-band. It is written into the running config, so treat
   # configuration backups of this device as secrets.
   set psksecret <<Secret-Key-0>>
   # Seconds between DPD probes once the peer stops answering.
   set dpd-retryinterval 10
 next
end

# Phase 2 (child SA) for the same tunnel; phase1name must match the phase 1 entry.
# No src-subnet/dst-subnet is set here, so the FortiOS defaults apply (typically
# 0.0.0.0/0 — confirm); which traffic actually crosses the tunnel is then decided by
# the static route and the firewall policies further down.
config vpn ipsec phase2-interface
 edit "vpn-<<ID>>-0"
  set phase1name "vpn-<<ID>>-0"
  # AES-256 / SHA-1, as in the phase 2 parameter table. HMAC-SHA1 is widely
  # accepted, but SHA-256 is the preferable integrity algorithm where both peers
  # support it — check the linked GCP Cloud VPN cipher list before switching to
  # aes256-sha256, since this page validated the SHA-1 variant.
  set proposal aes256-sha1
  # PFS with DH group 14: a fresh DH exchange at every phase 2 rekey, so a later
  # compromise of the phase 1 key does not expose earlier ESP traffic.
  set dhgrp 14
  set pfs enable
  # Phase 2 SA lifetime in seconds (1 h); each side rekeys on its own timer.
  set keylifeseconds 3600
  # Negotiate the SA immediately rather than waiting for matching traffic, so the
  # tunnel interface used by the static route comes up on its own.
  set auto-negotiate enable
 next
end

FW

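# Address objects for the two ends of the tunnel, so the policies below match only
# the networks listed in the parameter table instead of all -> all.
#   <<Local-Network-Address>> <<Local-Network-Subnet>>  = 拠点側ネットワークアドレス (table: 10.1.0.0 255.255.0.0)
#   <<GCP-Network-Address>> <<GCP-Network-Subnet>>      = GCP側ネットワークアドレス (same placeholders as the static route)
config firewall address
 edit "net-site-<<ID>>"
  set subnet <<Local-Network-Address>> <<Local-Network-Subnet>>
 next
 edit "net-gcp-<<ID>>"
  set subnet <<GCP-Network-Address>> <<GCP-Network-Subnet>>
 next
end

# Policy 100: traffic arriving from GCP over the tunnel into the internal LAN.
config firewall policy
 edit 100
  set srcintf "vpn-<<ID>>-0"
  set dstintf internal
  # Only the GCP range may reach the site range; anything else arriving over the
  # tunnel is dropped by the implicit deny.
  set srcaddr "net-gcp-<<ID>>"
  set dstaddr "net-site-<<ID>>"
  set action accept
  set schedule always
  # Still ALL services; narrow this to the required protocols once they are known.
  set service ALL
  # Log every session so tunnel traffic is visible for monitoring and forensics.
  set logtraffic all
 next
end

# Policy 101: traffic from the internal LAN out to GCP.
config firewall policy
 edit 101
  set srcintf internal
  set dstintf "vpn-<<ID>>-0"
  # Mirror of policy 100: only the site range may send to the GCP range.
  set srcaddr "net-site-<<ID>>"
  set dstaddr "net-gcp-<<ID>>"
  set action accept
  set schedule always
  set service ALL
  set logtraffic all
 next
end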

Static

# Static route that sends the GCP range (GCP側ネットワークアドレス) into the tunnel
# interface; without it the policies above never see GCP-bound traffic. With static
# routing the GCP side does not learn the site range dynamically, so the matching
# remote range (拠点側ネットワークアドレス) has to be entered on the Cloud VPN tunnel —
# confirm the exact step against the linked Cloud VPN documentation.
config router static
    edit 1999
        set device "vpn-<<ID>>-0"
        set dst <<GCP-Network-Address>> <<GCP-Network-Subnet>>
    next
end