
Configuring Fortinet Next Generation Firewall

Version tested: Fortinet Next Generation Firewall version FortiOS 7.2

In this section we will refer to the configuration file you obtained from our UCCS Onboarding teams as “template conf” and will explain how to use its contents for configuring FortiOS 7.2.

As a reference for this guide, here is the full AWS file: FortiOS 6.4.4+ ikev2 (dynamic).txt

The interface names in the AWS template are too long for FortiOS and need to be shortened.


Create VPN Tunnels

To create the VPN tunnels, go to VPN > IPsec Tunnels and click “Create New”.

The VPN Creation Wizard appears; select “Custom” and click Next:

image-20250310-154206.png

Configure the tunnel as specified in section #1 of the template conf, Internet Key Exchange (IKE) Configuration:

a. IP Version: IPv4
b. Remote Gateway: Static IP Address
c. IP address: 3.126.101.234
d. Local Interface: wan1
e. Local Gateway: select Specify and enter the WAN port IP (public IP)
f. Dead Peer Detection: enable by selecting On Idle / On Demand
g. Authentication Method: Pre-shared Key
h. Pre-Shared Key: knJNjlMhl9b1Ydt8V7xHxPeGp_gRGIvF
i. IKE Version: 2
Phase 1 Proposal:
j. Encryption: aes128
k. Authentication: sha1
l. DH group: 2 (and deselect 5)
m. Keylife: 28800 seconds

image-20250310-154231.png
image-20250310-154243.png
image-20250310-154252.png

and continue with section #2 of the template conf, IPSec Configuration.

Under Phase 2 Selectors --> New Phase 2:
a. Name: vpn-093bd262ad8d9a8b4-0
b. Local Address: the LAN subnet behind the FortiGate, or 0.0.0.0/0
c. Remote Address: the AWS private subnet, or 0.0.0.0/0
Under Advanced:
d. Encryption: aes128
e. Authentication: sha1
f. Select Enable Replay Detection
g. Select Perfect Forward Secrecy
h. DH Group: 2 (and deselect 5)
i. Keylife: 3600 seconds
j. Enable Auto-negotiate (Autokey Keep Alive is enabled automatically when Auto-negotiate is enabled)
k. Click OK

image-20250310-154317.png

Now do the same for IPSec Tunnel #2:

a. IP Version: IPv4
b. Remote Gateway: Static IP Address
c. IP address: 35.156.84.84
d. Local Interface: wan1
e. Local Gateway: select Specify and enter the WAN port IP (public IP)
f. Dead Peer Detection: enable by selecting On Idle / On Demand
g. Authentication Method: Pre-shared Key
h. Pre-Shared Key: UUegcCakIsG7BnxbhROo0S0ZPUYOvEYS
i. IKE Version: 2
Phase 1 Proposal:
j. Encryption: aes128
k. Authentication: sha1
l. DH group: 2 (and deselect 5)
m. Keylife: 28800 seconds

image-20250310-154342.png
image-20250310-154350.png

and then its Phase 2:

Under Phase 2 Selectors --> New Phase 2:
a. Name: vpn-093bd262ad8d9a8b4-1
b. Local Address: the LAN subnet behind the FortiGate, or 0.0.0.0/0
c. Remote Address: the AWS private subnet, or 0.0.0.0/0
Under Advanced:
d. Encryption: aes128
e. Authentication: sha1
f. Select Enable Replay Detection
g. Select Perfect Forward Secrecy
h. DH Group: 2 (and deselect 5)
i. Keylife: 3600 seconds
j. Enable Auto-negotiate (Autokey Keep Alive is enabled automatically when Auto-negotiate is enabled)
k. Click OK

image-20250310-154415.png

Configure Tunnel interfaces

A tunnel interface is the logical interface associated with each tunnel.

Go to Network > Interfaces, expand the physical interface that the tunnel interfaces are attached to, click on the first tunnel interface and configure its addresses as defined in section #3 of the template conf, Tunnel Interface Configuration:

a. IP: 169.254.92.226
b. Remote IP: 169.254.92.225/30
c. Select Ping
d. Administrative Status: Up
e. Click OK.

image-20250310-154443.png
image-20250310-154454.png

Do the same for the second tunnel interface:

a. IP: 169.254.53.94
b. Remote IP: 169.254.53.93/30
c. Select Ping
d. Administrative Status: Up
e. Click OK.

image-20250310-154544.png

To set the MTU and MSS as reported in the template conf:

You can set the MTU and MSS on the tunnel interface from the CLI:

config global   ! only needed when VDOMs are enabled; otherwise omit this line and the final "end"
 config system interface
  edit "vpn-093bd262ad8d9a8b4-0"   ! same name as the VPN tunnel (e.g. AWS1 after shortening)
   set mtu-override enable
   set mtu 1427
   set tcp-mss 1379
  next
 end
end

Open the CLI Console 

image-20250310-154620.png

and configure both interfaces (AWS1 and AWS2):

image-20250310-154638.png

Configure BGP

Go to Network > BGP and configure it according to the template conf:

a. Local-AS: 65000
b. Router-ID: 3.125.234.186
c. Click Apply
d. Neighbor -> Create New:
   1. IP: 169.254.92.225
   2. Remote AS: 64512
   3. Click Add/Edit

and for the second tunnel:

a. Local-AS: 65000
b. Router-ID: 3.125.234.186
c. Click Apply
d. Neighbor -> Create New:
   1. IP: 169.254.53.93
   2. Remote AS: 64512
   3. Click Add/Edit

image-20250310-164957.png
image-20250310-165018.png
image-20250310-165043.png

Now configure the Prefix Lists and Route Maps needed for BGP.

Go to Network > Routing Objects:

image-20250310-165130.png
image-20250310-165145.png
image-20250310-165157.png
image-20250310-165216.png

so that the final configuration looks like this:

image-20250310-165237.png

Alternatively, the full BGP section can be configured with this CLI script:

config router bgp
    set as 65000
    set router-id 3.125.234.186          ! Router-ID from step b above
    config neighbor
        edit 169.254.92.225              ! tunnel 1 (AWS1)
            set remote-as 64512
            set capability-default-originate enable
        next
        edit 169.254.53.93               ! tunnel 2 (AWS2)
            set remote-as 64512
            set capability-default-originate enable
        next
    end
    config network
        edit 1
            set prefix 172.31.0.0 255.255.0.0   ! prefix advertised to AWS, from the template conf
        next
    end
end
config router prefix-list
    edit "default_route"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
            next
        end
    next
end
config router route-map
    edit "routemap1"
        config rule
            edit 1
                set match-ip-address "default_route"
            next
        end
    next
end

Configure Firewall policies

At least two firewall policies are needed: one permitting traffic from the local network to the VPN subnet, and one for the reverse direction:

image-20250310-165310.png
image-20250310-165322.png
image-20250310-165336.png
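The same two policies expressed in FortiOS CLI, as an added example rather than the page's own configuration. The LAN-side interface (internal) and both address objects are placeholders you must adapt; the tunnel interfaces use the shortened names AWS1 and AWS2.

```text
config firewall address
    edit "LAN_subnet"
        set subnet 192.168.1.0 255.255.255.0   ! placeholder: LAN subnet behind the FortiGate
    next
    edit "AWS_VPC"
        set subnet 10.0.0.0 255.255.0.0        ! placeholder: AWS private subnet
    next
end
config firewall policy
    edit 0                                     ! 0 = next free policy ID
        set name "LAN-to-AWS"
        set srcintf "internal"                 ! placeholder: LAN-side interface
        set dstintf "AWS1" "AWS2"              ! both tunnel interfaces
        set srcaddr "LAN_subnet"
        set dstaddr "AWS_VPC"
        set action accept
        set schedule "always"
        set service "ALL"                      ! narrow to the services actually required
        set logtraffic all
    next
    edit 0
        set name "AWS-to-LAN"
        set srcintf "AWS1" "AWS2"
        set dstintf "internal"
        set srcaddr "AWS_VPC"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```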

Testing

Both IPSec tunnels should now be up and running:

image-20250310-165354.png

Increase the security in the VPN connection

Since the AWS side of the VPN tunnels supports stronger parameters, we can adjust the Fortinet configuration accordingly. We can use:

AES256 instead of AES128
SHA-256 instead of SHA1
Diffie-Hellman group 21 or higher (up to 24) instead of DH2
FortiOS 7.2 supports DH32, but we should use the highest group supported by both sides, namely DH21

Let’s adjust Fortinet configuration:

VPN > IPsec Tunnels > edit both tunnels with the new parameters:

image-20250310-165411.png

and

image-20250310-165425.png
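The tunnel setup from this guide expressed in FortiOS CLI, with the stronger proposals from this section and the initial template values noted in comments. This is an added example, not the page's own or AWS's template code: the tunnel name AWS1 (the shortened form of vpn-093bd262ad8d9a8b4-0) and the WAN IP 203.0.113.10 are placeholders; repeat the block with tunnel 2's remote gateway and pre-shared key for AWS2.

```text
config vpn ipsec phase1-interface
    edit "AWS1"                        ! shortened name (vpn-093bd262ad8d9a8b4-0 is too long)
        set interface "wan1"
        set ike-version 2
        set local-gw 203.0.113.10      ! placeholder: WAN port public IP
        set remote-gw 3.126.101.234    ! AWS tunnel 1 outside address
        set dpd on-idle
        set keylife 28800
        set proposal aes256-sha256     ! initial template value: aes128-sha1
        set dhgrp 21                   ! initial template value: 2
        set psksecret knJNjlMhl9b1Ydt8V7xHxPeGp_gRGIvF
    next
end
config vpn ipsec phase2-interface
    edit "AWS1"
        set phase1name "AWS1"
        set proposal aes256-sha256     ! initial template value: aes128-sha1
        set pfs enable
        set dhgrp 21                   ! initial template value: 2
        set replay enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 0.0.0.0 0.0.0.0 ! or the LAN subnet behind the FortiGate
        set dst-subnet 0.0.0.0 0.0.0.0 ! or the AWS private subnet
    next
end
```

After applying the change on both tunnels, the negotiated parameters and BGP session state can be checked with diagnose vpn ike gateway list, diagnose vpn tunnel list name AWS1 and get router info bgp summary.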

The IPSec tunnels should now be up and running with the stronger parameters:

image-20250310-165441.png

That completes the configuration.

For more information and support please contact our UCCS Onboarding Team.
