! Amazon Web Services
! Virtual Private Cloud

! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID          : vpn-0363a544a262b4880
! Your Virtual Private Gateway ID : vgw-06a2cb28979bd6fec
! Your Customer Gateway ID        : cgw-07c5b37a554012b60
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration

Go to VPN --> IPSEC Tunnels --> Create New (drop down) --> Select IPSEC Tunnel
VPN Creation Wizard Window appears
Select Template Type as “Custom”
Provide a Name for the VPN connection (Name must be shorter than 15 chars, best if shorter than 12): vpn-0363a544a262b4880-0
New VPN Tunnel Window Appears (Here we configure the VPN settings):
Under “Network” Section:
a. IP Version: IPv4
b. Remote Gateway: Static IP Address
c. IP address: 18.198.85.36
d. Local Interface: wan1
e. Local Gateway: Select Specify and enter WAN port IP (Public IP)
f. Dead Peer Detection: Enable by selecting On Idle / On Demand
g. Authentication Method: Pre-shared Key
h. Pre-Shared Key: zyLuRLk01w_VENyShLKTF2qoocnuIPSm
i. IKE Version: 2
Phase 1 Proposal:
j. Encryption: aes128
k. Authentication: sha1
l. DH group: 2 ! and deselect 5
m. Keylife: 28800 seconds
! NAT Traversal is enabled by default but if your FortiGate device is not behind a NAT/PAT device, please deselect NAT Traversal.
! --------------------------------------------------------------------------------
! #2: IPSec Configuration

Under Phase 2 Selectors --> New Phase 2
a. Name: vpn-0363a544a262b4880-0
b. Local Address: LAN subnet behind Fortigate/0.0.0.0/0
c. Remote Address: AWS Private Subnet/0.0.0.0/0
Under Advanced
d. Encryption: aes128
e. Authentication: sha1
f. Select Enable Replay Detection
g. Select Perfect Forward Secrecy
h. DH Group: 2 ! and deselect 5
i. Keylife: 3600 seconds
j. Enable Auto-negotiate ! Autokey Keep Alive is enabled automatically when Auto-negotiate is enabled
k. Click Ok
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
! This is required in order for tunnel failover via gwdetect to function.
!
! Perform this from the Global VDOM.

Go to Network Tab --> Interface --> wan1 and edit vpn-0363a544a262b4880-0
a. IP : 169.254.25.114
b. Remote IP: 169.254.25.113/30
c. Select Ping
d. Administrative Status: Up
e. Select Ok.

! You can set MTU and MSS on the tunnel by performing this from the CLI:

config global
    config system interface
        edit "vpn-0363a544a262b4880-0" ! This name will be the same as the VPN tunnel name
            set mtu-override enable
            set mtu 1427
            set tcp-mss 1379
        next
    end

! --------------------------------------------------------------------------------
! #4: Static Route Configuration
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
!
! This is configured from the root VDOM

Go to Network Tab --> Static Routes --> Create New
a. Destination: Subnet (10.0.0.0/16)
b. Interface: vpn-0363a544a262b4880-0 ! This is the VPN tunnel interface
c. Click Ok

! Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the
! tunnels, we would want to fail over the traffic to the second tunnel. This is done by using "gwdetect" in fortigate.
! The gwdetect command will ping the other end of the tunnel, and check if the tunnel is up. If the pings fail, it will
! remove the static route from the routing table, and the second route in the table will become active.
!
! This can be done only using the CLI.
!
! The following config will tell the Fortigate device what IP it should ping to test the tunnel. This IP should be
! the inside IP address of the virtual private gateway.
! This is required in order for tunnel failover via gwdetect to function. Additionally, this is required to keep the tunnel up, since
! traffic must be sent from your side of the VPN tunnel to prevent the tunnel from being taken down.

config vdom
    edit root
        config router gwdetect
            edit 1
                set interface "vpn-0363a544a262b4880-0" ! This is the VPN tunnel interface
                set server "169.254.25.113" ! server IP is the AWS inside IP
                ! Using the following commands, you can set the interval and failtime for gwdetect. Interval is the number of seconds
                ! between pings. Failtime is the number of lost consecutive pings. Using the respective values of 2 and 5, your tunnel
                ! will fail over in 10 seconds.
                set interval 2
                set failtime 5
            next
        end

! --------------------------------------------------------------------------------
! #5: Firewall Policy Configuration
! Create a firewall policy permitting traffic from your local subnet to the VPC subnet and vice versa.
! This example policy permits all traffic from the local subnet to the VPC.
!
! This is configured from the root VDOM

Go to Policy & Object tab --> Firewall Policy --> Create New
a. Provide a Name for the Policy
b. Incoming Interface/Zone = internal ! This is the interface on which your local LAN resides
c. Source Address = all
d. Outgoing Interface/Zone = "vpn-0363a544a262b4880-0" ! This is the VPN tunnel interface
e. Destination Address = all
f. Schedule = always
g. Service = ALL
h. Action = ACCEPT
i. Click OK
! NAT is enabled for the policy by default; you can disable it.

! Now create a policy to permit traffic going the other way
a. Create New
b. Provide a Name for the Policy
c. Incoming Interface/Zone = "vpn-0363a544a262b4880-0" ! This is the VPN tunnel interface
d. Source Address = all
e. Outgoing Interface/Zone = internal ! This is the interface on which your local LAN resides
f. Destination Address = all
g. Schedule = always
h. Service = ALL
i. Action = ACCEPT
j. Click OK

! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration

Go to VPN --> IPSEC Tunnels --> Create New (drop down) --> Select IPSEC Tunnel
VPN Creation Wizard Window appears
Select Template Type as “Custom”
Provide a Name for the VPN connection (Name must be shorter than 15 chars, best if shorter than 12): vpn-0363a544a262b4880-1
New VPN Tunnel Window Appears (Here we configure the VPN settings):
Under “Network” Section:
a. IP Version: IPv4
b. Remote Gateway: Static IP Address
c. IP address: 52.29.221.101
d. Local Interface: wan1
e. Local Gateway: Select Specify and enter WAN port IP (Public IP)
f. Dead Peer Detection: Enable by selecting On Idle / On Demand
g. Authentication Method: Pre-shared Key
h. Pre-Shared Key: gKHDaXqdxKODpngoJdGIS4.T2KLS2enz
i. IKE Version: 2
Phase 1 Proposal:
j. Encryption: aes128
k. Authentication: sha1
l. DH group: 2 ! and deselect 5
m. Keylife: 28800 seconds
! NAT Traversal is enabled by default but if your FortiGate device is not behind a NAT/PAT device, please deselect NAT Traversal.
!
! --------------------------------------------------------------------------------
! #2: IPSec Configuration

Under Phase 2 Selectors --> New Phase 2
a. Name: vpn-0363a544a262b4880-1
b. Local Address: LAN subnet behind Fortigate/0.0.0.0/0
c. Remote Address: AWS Private Subnet/0.0.0.0/0
Under Advanced
d. Encryption: aes128
e. Authentication: sha1
f. Select Enable Replay Detection
g. Select Perfect Forward Secrecy
h. DH Group: 2 ! and deselect 5
i. Keylife: 3600 seconds
j. Enable Auto-negotiate ! Autokey Keep Alive is enabled automatically when Auto-negotiate is enabled
k. Click Ok
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
! This is required in order for tunnel failover via gwdetect to function.
!
! Perform this from the Global VDOM.

Go to Network Tab --> Interface --> wan1 and edit vpn-0363a544a262b4880-1
a. IP : 169.254.234.26
b. Remote IP: 169.254.234.25/30
c. Select Ping
d. Administrative Status: Up
e. Select Ok.

! You can set MTU and MSS on the tunnel by performing this from the CLI:

config global
    config system interface
        edit "vpn-0363a544a262b4880-1" ! This name will be the same as the VPN tunnel name
            set mtu-override enable
            set mtu 1427
            set tcp-mss 1379
        next
    end

! --------------------------------------------------------------------------------
! #4: Static Route Configuration
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
!
! This is configured from the root VDOM

Go to Network Tab --> Static Routes --> Create New
a. Destination: Subnet (10.0.0.0/16)
b. Interface: vpn-0363a544a262b4880-1 ! This is the VPN tunnel interface
c. Click Ok

! Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the
! tunnels, we would want to fail over the traffic to the second tunnel. This is done by using "gwdetect" in fortigate.
! The gwdetect command will ping the other end of the tunnel, and check if the tunnel is up. If the pings fail, it will
! remove the static route from the routing table, and the second route in the table will become active.
!
! This can be done only using the CLI.
!
! The following config will tell the Fortigate device what IP it should ping to test the tunnel. This IP should be
! the inside IP address of the virtual private gateway.
! This is required in order for tunnel failover via gwdetect to function. Additionally, this is required to keep the tunnel up, since
! traffic must be sent from your side of the VPN tunnel to prevent the tunnel from being taken down.

config vdom
    edit root
        config router gwdetect
            edit 2
                set interface "vpn-0363a544a262b4880-1" ! This is the VPN tunnel interface
                set server "169.254.234.25" ! server IP is the AWS inside IP
                ! Using the following commands, you can set the interval and failtime for gwdetect. Interval is the number of seconds
                ! between pings. Failtime is the number of lost consecutive pings. Using the respective values of 2 and 5, your tunnel
                ! will fail over in 10 seconds.
                set interval 2
                set failtime 5
            next
        end

! --------------------------------------------------------------------------------
! #5: Firewall Policy Configuration
! Create a firewall policy permitting traffic from your local subnet to the VPC subnet and vice versa.
! This example policy permits all traffic from the local subnet to the VPC.
!
! This is configured from the root VDOM

Go to Policy & Object tab --> Firewall Policy --> Create New
a. Provide a Name for the Policy
b. Incoming Interface/Zone = internal ! This is the interface on which your local LAN resides
c. Source Address = all
d. Outgoing Interface/Zone = "vpn-0363a544a262b4880-1" ! This is the VPN tunnel interface
e. Destination Address = all
f. Schedule = always
g. Service = ALL
h. Action = ACCEPT
i. Click OK
! NAT is enabled for the policy by default; you can disable it.

! Now create a policy to permit traffic going the other way
a. Create New
b. Provide a Name for the Policy
c. Incoming Interface/Zone = "vpn-0363a544a262b4880-1" ! This is the VPN tunnel interface
d. Source Address = all
e. Outgoing Interface/Zone = internal ! This is the interface on which your local LAN resides
f. Destination Address = all
g. Schedule = always
h. Service = ALL
i. Action = ACCEPT
j. Click OK

! Additional Notes and Questions
!  - Amazon Virtual Private Cloud Getting Started Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
!  - Amazon Virtual Private Cloud Network Administrator Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
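The GUI steps for Tunnel #1 (sections #1 to #4) rewritten as FortiOS CLI; this is an added example, not part of the AWS-generated template, using the template's tunnel 1 values plus a placeholder 203.0.113.10 for the wan1 public IP and the same root/global VDOM split as the CLI snippets above. The two `#` lines are annotations rather than CLI (drop them if your session rejects them), and the block is repeated for Tunnel #2 with its own name, peer address, pre-shared key and inside IPs.

```fortios
# Added example: FortiOS CLI equivalent of the Tunnel #1 GUI steps above.
# 203.0.113.10 is a placeholder for the wan1 public IP (the "Local Gateway").
config vdom
    edit root
        config vpn ipsec phase1-interface
            edit "vpn-0363a544a262b4880-0"
                set interface "wan1"
                set ike-version 2
                set local-gw 203.0.113.10
                set keylife 28800
                set peertype any
                set proposal aes128-sha1
                set dhgrp 2
                set dpd on-idle
                set nattraversal enable
                set remote-gw 18.198.85.36
                set psksecret zyLuRLk01w_VENyShLKTF2qoocnuIPSm
            next
        end
        config vpn ipsec phase2-interface
            edit "vpn-0363a544a262b4880-0"
                set phase1name "vpn-0363a544a262b4880-0"
                set proposal aes128-sha1
                set dhgrp 2
                set pfs enable
                set replay enable
                set auto-negotiate enable
                set keylifeseconds 3600
                set src-subnet 0.0.0.0 0.0.0.0
                set dst-subnet 0.0.0.0 0.0.0.0
            next
        end
        config router static
            edit 0
                set dst 10.0.0.0 255.255.0.0
                set device "vpn-0363a544a262b4880-0"
            next
        end
    next
end
config global
    config system interface
        edit "vpn-0363a544a262b4880-0"
            set ip 169.254.25.114 255.255.255.255
            set remote-ip 169.254.25.113 255.255.255.252
            set allowaccess ping
        next
    end
end
```

The gwdetect entry, MTU/MSS override and the two firewall policies are applied exactly as shown in the template's own CLI sections, so they are not repeated here.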