FortiOS 6.4.4 > ikev2 (static)
Configuring Fortinet Next Generation Firewall
Version tested: Fortinet Next Generation Firewall version FortiOS 7.2
In this section we will refer to the configuration file you obtained from our UCCS Onboarding Team as “template conf” and explain how to use its contents to configure FortiOS 7.2.
As a reference for this guide, here is the full AWS file: FortiOS 6.4.4+ ikev2 (static).txt
The interface names in the AWS template (for example vpn-0363a544a262b4880-0, 23 characters) are longer than the 15 characters FortiOS allows for an interface name, so they need to be shortened; in this guide the two tunnels are called AWS1 and AWS2.
Create VPN Tunnels
To create VPN Tunnels go to VPN > IPSec Tunnels > click “Create New”
The VPN Creation Wizard appears, select “Custom” and click Next:

Configure the tunnel with the values from section #1 of the template conf, “Internet Key Exchange (IKE) Configuration”:
a. IP Version: IPv4
b. Remote Gateway: Static IP Address
c. IP address: 18.198.85.36
d. Local Interface: wan1
e. Local Gateway: Select Specify and enter the public IP of the WAN port (the customer gateway address registered in AWS; if the FortiGate sits behind NAT, enter the address actually configured on the WAN interface)
f. Dead Peer Detection: Enable by selecting On Idle/ On Demand
g. Authentication Method: Pre-shared Key
h. Pre-Shared Key: zyLuRLk01w_VENyShLKTF2qoocnuIPSm
i. IKE Version: 2
Phase 1 Proposal:
j. Encryption: aes128
k. Authentication: sha1
l. DH group: 2 ! and deselect 5
m. Keylife: 28800 seconds



Continue with section #2 of the template conf, “IPSec Configuration”:
Under Phase 2 Selectors --> New Phase 2
a. Name: vpn-0363a544a262b4880-0
b. Local Address: the LAN subnet behind the FortiGate (or 0.0.0.0/0, since routing into the tunnel is done by the static routes below)
c. Remote Address: the AWS VPC subnet (or 0.0.0.0/0, same reason)
Under Advanced
d. Encryption: aes128
e. Authentication: sha1
f. Select Enable Replay Detection
g. Select Perfect Forward Secrecy
h. DH Group: 2 ! and deselect 5
i. Keylife: 3600 seconds
j. Enable Auto-negotiate ! Autokey Keep Alive is enabled automatically when Auto-negotiate is enabled
k. Click Ok

Now repeat the same steps for IPsec Tunnel #2, using the second tunnel's values from the template conf.
Under the “Network” section:
a. IP Version: IPv4
b. Remote Gateway: Static IP Address
c. IP address: 52.29.221.101
d. Local Interface: wan1
e. Local Gateway: Select Specify and enter the public IP of the WAN port (the same address used for tunnel #1)
f. Dead Peer Detection: Enable by selecting On Idle/ On Demand
g. Authentication Method: Pre-shared Key
h. Pre-Shared Key: gKHDaXqdxKODpngoJdGIS4.T2KLS2enz
i. IKE Version: 2
Phase 1 Proposal:
j. Encryption: aes128
k. Authentication: sha1
l. DH group: 2 ! and deselect 5
m. Keylife: 28800 seconds



Under Phase 2 Selectors --> New Phase 2
a. Name: vpn-0363a544a262b4880-1
b. Local Address: the LAN subnet behind the FortiGate (or 0.0.0.0/0, as for tunnel #1)
c. Remote Address: the AWS VPC subnet (or 0.0.0.0/0, as for tunnel #1)
Under Advanced
d. Encryption: aes128
e. Authentication: sha1
f. Select Enable Replay Detection
g. Select Perfect Forward Secrecy
h. DH Group: 2 ! and deselect 5
i. Keylife: 3600 seconds
j. Enable Auto-negotiate ! Autokey Keep Alive is enabled automatically when Auto-negotiate is enabled
k. Click Ok
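The same two tunnels, built from the CLI instead of the wizard, so that the lettered GUI steps above can be checked against one complete configuration. This is an added example and not part of the original page or of the AWS template: the phase 1 names AWS1 and AWS2 are the shortened tunnel names used in this guide, the local gateway 203.0.113.10 is an assumed placeholder for your WAN public IP, the DPD retry interval of 10 seconds is an assumed value, and the peer addresses, pre-shared keys and phase 2 names are the ones from the template conf quoted above. Lines beginning with # are comments.

```fortios
# Phase 1 for both tunnels (template conf section #1, "Internet Key Exchange (IKE) Configuration").
# The phase1-interface name becomes the tunnel interface name, so keep it at 15 characters or fewer.
config vpn ipsec phase1-interface
    edit "AWS1"
        set interface "wan1"
        set ike-version 2
        # assumed placeholder: replace with the public IP configured on wan1
        set local-gw 203.0.113.10
        # AWS tunnel #1 outside address, from the template conf
        set remote-gw 18.198.85.36
        set authmethod psk
        set psksecret zyLuRLk01w_VENyShLKTF2qoocnuIPSm
        # Phase 1 proposal: AES-128 / SHA-1, DH group 2 only (group 5 deselected)
        set proposal aes128-sha1
        set dhgrp 2
        set keylife 28800
        # Dead Peer Detection "On Idle"; retry interval is an assumed value
        set dpd on-idle
        set dpd-retryinterval 10
    next
    edit "AWS2"
        set interface "wan1"
        set ike-version 2
        set local-gw 203.0.113.10
        # AWS tunnel #2 outside address, from the template conf
        set remote-gw 52.29.221.101
        set authmethod psk
        set psksecret gKHDaXqdxKODpngoJdGIS4.T2KLS2enz
        set proposal aes128-sha1
        set dhgrp 2
        set keylife 28800
        set dpd on-idle
        set dpd-retryinterval 10
    next
end

# Phase 2 for both tunnels (template conf section #2, "IPSec Configuration").
# 0.0.0.0/0 on both sides: the selectors accept everything and the static routes
# decide what is sent into each tunnel.
config vpn ipsec phase2-interface
    edit "vpn-0363a544a262b4880-0"
        set phase1name "AWS1"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 2
        set replay enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "vpn-0363a544a262b4880-1"
        set phase1name "AWS2"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 2
        set replay enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
```

Paste the block into the CLI Console after replacing the local gateway address; the rest of the values must match the template conf exactly, because a differing proposal, DH group or pre-shared key on either side leaves the tunnel stuck in negotiation.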

Configure Tunnel interfaces
A tunnel interface is the logical interface associated with each tunnel; FortiOS creates it with the same name as the tunnel.
Go to Network > Interfaces > expand the physical interface the tunnels are bound to (wan1) and click on each tunnel interface.
As defined in section #3 of the template conf, “Tunnel Interface Configuration”, configure the addresses of the first tunnel interface accordingly:
a. IP: 169.254.25.114
b. Remote IP/Netmask: 169.254.25.113/30
c. Select Ping
d. Administrative Status: Up
e. Select Ok.


Do the same for the second tunnel interface:
a. IP : 169.254.234.26
b. Remote IP: 169.254.234.25/30
c. Select Ping
d. Administrative Status: Up
e. Select Ok.

To set the MTU and MSS reported in the template conf, open the CLI Console and apply the following to both tunnel interfaces (AWS1 and AWS2 in our example):
! The interface name is the same as the VPN tunnel name. The name in the template conf is too long for a FortiOS interface, so use the shortened name you gave the tunnel.
! The “config global” line is only needed when VDOMs are enabled; without VDOMs start directly at “config system interface” and drop the final “end”.
config global
config system interface
edit "AWS1"
set mtu-override enable
set mtu 1427
set tcp-mss 1379
next
end
end
Repeat the same commands for "AWS2".

Configure Static Routes
Configure static routes that send the VPC network over the tunnel interfaces.
Go to Network > Static Routes and create one route to the VPC CIDR via each tunnel interface:


We set up the two routes with the same “Distance” but a different “Priority”: both routes stay in the routing table, the one with the lower priority value (via the primary tunnel) is used while that tunnel is up, and traffic moves to the secondary tunnel once the primary route disappears, as explained below.
VPN Monitor
The AWS side provides two VPN tunnels and expects both to be usable.
The issue with keeping both tunnels active at the same time is that AWS may send return traffic over either tunnel, so the forward and return packets of one session can take different paths; the stateful FortiGate then sees asymmetric traffic and drops packets or loses track of sessions.
There are at least two ways to handle failover cleanly: VPN monitoring with static routing, or BGP.
In this static configuration we use VPN monitoring.
It is very simple: edit the secondary tunnel and set the primary tunnel as its monitor. The secondary tunnel stays down while the primary is up and is brought up only when the primary fails, so traffic fails over between tunnels without both being active:
config vpn ipsec phase1-interface
edit "secondary-tunnel-interface"
set monitor "primary-tunnel-interface"
next
end
Using the CLI Console in our example:

Configure Firewall policies
We need to create at least two firewall policies permitting traffic from the local network to the VPC subnet and vice versa. Each policy should list both tunnel interfaces (AWS1 and AWS2) as the destination or source interface, so that no policy change is needed when traffic fails over to the secondary tunnel, and NAT must stay disabled on these policies:
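The tunnel interface addresses, static routes and firewall policies from the three sections above, as one CLI configuration. This is an added example and not the page's or AWS's own configuration: the tunnel interface addresses are the ones from the template conf, while the LAN interface name "lan", the LAN prefix 192.168.10.0/24, the VPC CIDR 10.0.0.0/16 and the static route IDs 10 and 11 are assumptions to be replaced with your own values. Lines beginning with # are comments.

```fortios
# Tunnel interface addresses (template conf section #3, "Tunnel Interface Configuration").
config system interface
    edit "AWS1"
        set ip 169.254.25.114 255.255.255.255
        set remote-ip 169.254.25.113 255.255.255.252
        set allowaccess ping
    next
    edit "AWS2"
        set ip 169.254.234.26 255.255.255.255
        set remote-ip 169.254.234.25 255.255.255.252
        set allowaccess ping
    next
end

# Address objects. Both prefixes are assumed: use the LAN subnet behind the FortiGate
# and the CIDR of the AWS VPC.
config firewall address
    edit "LAN-subnet"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "AWS-VPC"
        set subnet 10.0.0.0 255.255.0.0
    next
end

# Two routes to the VPC with the same distance and different priority.
# Both remain in the routing table; the lower priority value (AWS1) is used while that
# tunnel is up, and the AWS2 route takes over when the AWS1 interface goes down.
# Route IDs 10 and 11 are assumed to be unused.
config router static
    edit 10
        set dst 10.0.0.0 255.255.0.0
        set device "AWS1"
        set distance 10
        set priority 1
    next
    edit 11
        set dst 10.0.0.0 255.255.0.0
        set device "AWS2"
        set distance 10
        set priority 10
    next
end

# One policy per direction. Each lists both tunnel interfaces, so failover to AWS2
# needs no policy change. NAT stays disabled: the VPC must see the real LAN addresses.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "LAN-to-AWS"
        set srcintf "lan"
        set dstintf "AWS1" "AWS2"
        set srcaddr "LAN-subnet"
        set dstaddr "AWS-VPC"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "AWS-to-LAN"
        set srcintf "AWS1" "AWS2"
        set dstintf "lan"
        set srcaddr "AWS-VPC"
        set dstaddr "LAN-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

The policies use service "ALL" to mirror the page's "permit traffic in both directions"; in production, narrow the service list to what the VPC workloads actually need, and keep the VPN monitor (previous section) on AWS2 so that the AWS2 route is normally inactive.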



Testing
Going back to VPN > IPsec Tunnels, the primary tunnel should show as up and the secondary as “inactive” (the monitor keeps it down until the primary fails):

Increase the security in the VPN connection
Now, since the AWS side accepts stronger proposals than the ones in the template conf, we can adjust the Fortinet configuration accordingly. We can use:
AES256 instead of AES128
SHA-256 instead of SHA1
A stronger Diffie-Hellman group instead of DH2: AWS accepts groups 2 and 14 to 24
FortiOS 7.2 supports groups up to DH32, but we should use the strongest group supported by both sides, namely DH21 (521-bit ECP; groups 22 to 24 are MODP groups with a prime-order subgroup and give less security than DH21)
Let's adjust the Fortinet configuration. The new values must be set in the Phase 1 proposal and in the Phase 2 Advanced settings of both tunnels, since a proposal that matches on only one side keeps that tunnel from negotiating:
VPN > IPsec Tunnels > edit both tunnels with the new parameters:

and

After the change the IPsec tunnels come back up with the stronger proposals:

That's it!
For more information and support please contact our UCCS Onboarding Team.
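The hardening above applied from the CLI, followed by the commands used to verify the result (this also covers the check in the "Testing" section). This is an added example and not the page's or AWS's own configuration; it assumes the tunnel names AWS1 and AWS2 and the phase 2 names from the template conf used throughout this guide, and the tunnel interface addresses from section #3 of the template conf. Lines beginning with # are comments.

```fortios
# Phase 1: AES-256 / SHA-256 with DH group 21 on both tunnels
config vpn ipsec phase1-interface
    edit "AWS1"
        set proposal aes256-sha256
        set dhgrp 21
    next
    edit "AWS2"
        set proposal aes256-sha256
        set dhgrp 21
    next
end

# Phase 2: the same proposal, and PFS now uses DH group 21 as well
config vpn ipsec phase2-interface
    edit "vpn-0363a544a262b4880-0"
        set proposal aes256-sha256
        set dhgrp 21
    next
    edit "vpn-0363a544a262b4880-1"
        set proposal aes256-sha256
        set dhgrp 21
    next
end

# Force the primary tunnel to renegotiate now instead of waiting for the key lifetime
diagnose vpn ike gateway clear name AWS1

# Verify: the IKE SA and the IPsec SA of the primary tunnel
diagnose vpn ike gateway list name AWS1
diagnose vpn tunnel list name AWS1
# In the tunnel listing, "esp=aes key=32" and "ah=sha256" show that the new phase 2
# proposal is in use (key=16 and ah=sha1 would mean the old AES-128 / SHA-1 one).

# Both tunnels at a glance: AWS1 up, AWS2 held down by the VPN monitor
get vpn ipsec tunnel summary

# End-to-end check across the tunnel interface: ping the AWS inside address
# from the FortiGate's own inside address
execute ping-options source 169.254.25.114
execute ping 169.254.25.113
```

If the tunnel does not come back up after the change, compare the proposal sets on both ends first: the AWS tunnel options accept these algorithms by default, but if they were restricted when the VPN connection was created they must be updated before the FortiGate side is changed.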