
VPN Gateway:Configure a FortiGate firewall

Last Updated:Apr 02, 2026

Connect a data center FortiGate firewall to Alibaba Cloud VPN Gateway over IPsec-VPN in dual-tunnel mode. This guide covers both static routing and BGP dynamic routing on FortiOS 7.4.4. Estimated time: 30–45 minutes (including verification).

Scenario


A company runs a Virtual Private Cloud (VPC) (CIDR block: 10.0.0.0/16) on Alibaba Cloud with an Elastic Compute Service (ECS) instance. The company's data center (CIDR block: 192.168.0.0/16) needs to communicate with the VPC. The FortiGate firewall in the data center establishes an IPsec-VPN connection to Alibaba Cloud in dual-tunnel mode using a public IP address.

To use single-tunnel mode instead, see Appendix: Single-tunnel mode configuration.

Choose a routing protocol

Both routing protocols deliver the same connectivity. Choose based on your network complexity:

Criterion | Static routing | BGP dynamic routing
Configuration complexity | Simple | Moderate
Route updates | Manual | Automatic
Best for | Stable network topologies | Frequently changing networks
Failover | Automatic (via administrative distance) | Automatic (via BGP)

For production environments, use BGP dynamic routing — it propagates route changes automatically without manual intervention.

Network planning

CIDR block plan

Resource | CIDR block | IP addresses
Data center | 192.168.0.0/16 | Server: 192.168.10.211
FortiGate firewall | 192.168.0.0/16 | WAN (port1): 122.XX.XX.248 (public); LAN (port2): 192.168.10.221/24 (private)
VPC | Primary: 10.0.0.0/16; vSwitch 1: 10.0.10.0/24; vSwitch 2: 10.0.20.0/24 | ECS: 10.0.10.247
VPN Gateway | N/A | IPsec address 1: 8.XX.XX.146; IPsec address 2: 8.XX.XX.74

The system assigns IP addresses to the VPN Gateway automatically when you create it.

BGP configuration (BGP dynamic routing only)

Skip this section if you plan to use static routing.

Resource | Tunnel | Tunnel CIDR block | BGP IP address | Local ASN
VPN Gateway | Tunnel 1 | 169.254.10.0/30 | 169.254.10.1 | 65535
VPN Gateway | Tunnel 2 | 169.254.20.0/30 | 169.254.20.1 | 65535
FortiGate firewall | Tunnel 1 | 169.254.10.0/30 | 169.254.10.2 | 65500
FortiGate firewall | Tunnel 2 | 169.254.20.0/30 | 169.254.20.2 | 65500

Each tunnel on a VPN Gateway must use a unique tunnel CIDR block.

VPN configuration parameters

Tunnel 1 is the active tunnel and Tunnel 2 is the standby tunnel. Both tunnels use the same Internet Key Exchange (IKE) and IPsec parameters. The values on Alibaba Cloud and the FortiGate firewall must match exactly.

Parameter | Sample value on Alibaba Cloud | Sample value on the FortiGate firewall
Pre-shared key | 123456**** | 123456****
IKE: IKE version | ikev2 | ikev2
IKE: Encryption algorithm | des | des
IKE: Authentication algorithm | sha1 | sha1
IKE: Diffie-Hellman (DH) group | group2 | group2
IKE: Security association (SA) lifetime | 86400 seconds | 86400 seconds
IPsec: Encryption algorithm | des | des
IPsec: Authentication algorithm | sha1 | sha1
IPsec: DH group | group2 | group2
IPsec: SA lifetime | 86400 seconds | 86400 seconds

Important

This example uses DES and SHA1 for compatibility with FortiGate devices that have license restrictions. DES is a legacy algorithm. For production environments, upgrade to AES-128 or AES-256. Use a strong, random pre-shared key with at least 20 characters (uppercase letters, lowercase letters, digits, and special characters). For better security, use DH group14 (2048-bit) or higher.

Prerequisites

Before you begin, ensure that you have:

  • Completed the Alibaba Cloud VPN configuration. This guide covers only the FortiGate firewall side.

  • Verified that the firewall protecting the FortiGate WAN interface allows the following traffic:

    Direction | Protocol | Port/Protocol number | Purpose
    Inbound | UDP | 500 | IKE negotiation
    Inbound | UDP | 4500 | NAT traversal
    Outbound | UDP | 500 | IKE negotiation
    Outbound | UDP | 4500 | NAT traversal

In this scenario, you create only one customer gateway. When you create the IPsec-VPN connection, associate both Tunnel 1 and Tunnel 2 with the same customer gateway.

On FortiOS 7.2 and later, the default local-in policy may block IKE negotiation traffic. If tunnels fail to establish, check whether a local-in policy explicitly allows UDP ports 500 and 4500 on the WAN interface (port1).

Configure the FortiGate firewall

This configuration is verified on FortiOS 7.4.4. If you use a different version, some commands may vary; consult the FortiOS documentation for your version.

Warning

The edit <number> command overwrites any existing configuration with the same number on your device. Before proceeding, list your existing entries with the following commands and choose numbers that are not in use, or higher numbers such as 100, 101, and 102, to avoid conflicts.

show vpn ipsec phase1-interface
show firewall policy
show router static

Static routing

  1. Open the FortiGate CLI.

  2. Configure Phase 1 (IKE) for both tunnels.

    # Tunnel 1 Phase 1
    config vpn ipsec phase1-interface
        edit "to_ali_tun1"
            set interface "port1"             # WAN interface (public network egress)
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal des-sha1
            set localid-type address          # Match the remoteid format on Alibaba Cloud
            set dhgrp 2
            set dpd on-idle                   # Enable Dead Peer Detection (DPD) to detect tunnel failures
            set keylife 86400                 # IKE SA lifetime: 86400 seconds (24 hours)
            set remote-gw 8.XX.XX.146         # IPsec address 1 of the VPN Gateway
            set psksecret 123456****          # Must match the pre-shared key on Alibaba Cloud
        next
    end
    
    # Tunnel 2 Phase 1
    config vpn ipsec phase1-interface
        edit "to_ali_tun2"
            set interface "port1"             # WAN interface (public network egress)
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal des-sha1
            set localid-type address          # Match the remoteid format on Alibaba Cloud
            set dhgrp 2
            set dpd on-idle                   # Enable DPD to detect tunnel failures
            set keylife 86400                 # IKE SA lifetime: 86400 seconds (24 hours)
            set remote-gw 8.XX.XX.74          # IPsec address 2 of the VPN Gateway
            set psksecret 123456****          # Must match the pre-shared key on Alibaba Cloud
        next
    end
  3. Configure Phase 2 (IPsec) for both tunnels.

    # Tunnel 1 Phase 2
    config vpn ipsec phase2-interface
        edit "to_ali_tun1"
            set phase1name "to_ali_tun1"    # Bind to Tunnel 1 Phase 1 interface
            set proposal des-sha1
            set dhgrp 2
            set auto-negotiate enable
            set keylifeseconds 86400
        next
    end
    
    # Tunnel 2 Phase 2
    config vpn ipsec phase2-interface
        edit "to_ali_tun2"
            set phase1name "to_ali_tun2"    # Bind to Tunnel 2 Phase 1 interface
            set proposal des-sha1
            set dhgrp 2
            set auto-negotiate enable
            set keylifeseconds 86400
        next
    end
  4. Configure firewall policies to allow traffic in both directions over each tunnel.

    # Define address objects
    config firewall address
        edit "Local_192.168.0.0/16"
            set subnet 192.168.0.0 255.255.0.0
        next
        edit "Remote_10.0.0.0/16"
            set subnet 10.0.0.0 255.255.0.0
        next
    end
    
    # Firewall policies
    config firewall policy
        edit 100
            set name "forti_to_alibabacloud1"   # Data center to VPC over Tunnel 1
            set srcintf "port2"
            set dstintf "to_ali_tun1"
            set action accept
            set srcaddr "Local_192.168.0.0/16"
            set dstaddr "Remote_10.0.0.0/16"
            set schedule "always"
            set service "ALL"
        next
        edit 101
            set name "aliyun_to_forti1"         # VPC to data center over Tunnel 1
            set srcintf "to_ali_tun1"
            set dstintf "port2"
            set action accept
            set srcaddr "Remote_10.0.0.0/16"
            set dstaddr "Local_192.168.0.0/16"
            set schedule "always"
            set service "ALL"
        next
        edit 102
            set name "forti_to_alibabacloud2"   # Data center to VPC over Tunnel 2
            set srcintf "port2"
            set dstintf "to_ali_tun2"
            set action accept
            set srcaddr "Local_192.168.0.0/16"
            set dstaddr "Remote_10.0.0.0/16"
            set schedule "always"
            set service "ALL"
        next
        edit 103
            set name "aliyun_to_forti2"         # VPC to data center over Tunnel 2
            set srcintf "to_ali_tun2"
            set dstintf "port2"
            set action accept
            set srcaddr "Remote_10.0.0.0/16"
            set dstaddr "Local_192.168.0.0/16"
            set schedule "always"
            set service "ALL"
        next
    end
  5. Add static routes to the VPC. Assign a lower administrative distance to Tunnel 1 to make it the preferred path.

    On FortiOS 6.x, use set priority instead of set distance to configure route preference.

    config router static
        edit 100
            set dst 10.0.0.0 255.255.0.0
            set distance 1                    # Lower distance = higher priority (Tunnel 1 is active)
            set device "to_ali_tun1"
        next
        edit 101
            set dst 10.0.0.0 255.255.0.0
            set distance 10                   # Higher distance = standby (Tunnel 2 takes over if Tunnel 1 fails)
            set device "to_ali_tun2"
        next
    end
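Two checks in the steps above are easy to get wrong by hand: the parameter table requires every IKE value on the FortiGate to match the Alibaba Cloud side exactly, and the Important note asks you to replace DES, SHA1 and DH group 2 and to use a strong pre-shared key; the static-route step relies on the administrative distances ordering the tunnels correctly. The following Python script is an added example, not part of this guide or of FortiOS. It parses the config/edit/set/next/end stanzas shown above, reports mismatches against a constructed CLOUD_PARAMS dictionary, flags the legacy algorithms together with the replacements the note recommends, tests the pre-shared key against the 20-character mixed-class rule, generates a key that passes it, and names the tunnel the static routes make active. SAMPLE_CONFIG, CLOUD_PARAMS, WEAK_ALGS, WEAK_DH and all function names are constructed for this example; treating an unset distance as 10 is an assumption noted in the code.

```python
import secrets
import string

# Constructed sample: the Tunnel 1 Phase 1 stanza and both static routes from the
# static routing steps above, with the guide's placeholder values left unchanged.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "to_ali_tun1"
        set ike-version 2
        set proposal des-sha1
        set dhgrp 2
        set keylife 86400
        set remote-gw 8.XX.XX.146
        set psksecret 123456****
    next
end
config router static
    edit 100
        set dst 10.0.0.0 255.255.0.0
        set distance 1
        set device "to_ali_tun1"
    next
    edit 101
        set dst 10.0.0.0 255.255.0.0
        set distance 10
        set device "to_ali_tun2"
    next
end
"""

# Alibaba Cloud side of the VPN parameter table (constructed to match this guide).
CLOUD_PARAMS = {"ike_version": "2", "enc": "des", "auth": "sha1", "dh": "2", "lifetime": "86400"}
# Legacy algorithm -> replacement recommended in the Important note; DH groups below 2048 bits.
WEAK_ALGS = {"des": "aes256", "3des": "aes256", "md5": "sha256", "sha1": "sha256"}
WEAK_DH = {"1", "2", "5"}

def parse_fortios(text):
    """Parse config/edit/set/next/end stanzas into {table: {entry: {key: [values]}}};
    nested blocks such as 'config neighbor' under 'config router bgp' are skipped."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "config":
            stack.append(" ".join(parts[1:]))
            tables.setdefault(stack[0], {})
        elif parts[0] == "end":
            stack.pop()
        elif len(stack) != 1:
            continue                      # inside a nested block: ignore
        elif parts[0] == "edit":
            entry = parts[1].strip('"')
            tables[stack[0]][entry] = {}
        elif parts[0] == "set" and entry is not None:
            tables[stack[0]][entry][parts[1]] = [p.strip('"') for p in parts[2:]]
        elif parts[0] == "next":
            entry = None
    return tables

def psk_is_strong(psk):
    """The guide's rule: 20+ characters with uppercase, lowercase, digit and special present."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    return len(psk) >= 20 and all(any(c in cls for c in psk) for cls in classes)

def generate_psk(length=32):
    """Random pre-shared key that satisfies psk_is_strong()."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if psk_is_strong(psk):
            return psk

def audit_phase1(cfg, cloud):
    """Return {tunnel: [(kind, detail)]}: 'mismatch' = will not negotiate against the
    cloud-side values; 'weak' = legacy algorithm, small DH group or weak pre-shared key."""
    report = {}
    for name, e in cfg.get("vpn ipsec phase1-interface", {}).items():
        enc, auth = e["proposal"][0].split("-", 1)          # e.g. "des-sha1"
        local = {"ike_version": e["ike-version"][0], "enc": enc, "auth": auth,
                 "dh": e["dhgrp"][0], "lifetime": e["keylife"][0]}
        out = [("mismatch", f"{k}: FortiGate={local[k]} cloud={cloud[k]}")
               for k in cloud if local[k] != cloud[k]]
        out += [("weak", f"{local[k]} -> use {WEAK_ALGS[local[k]]}")
                for k in ("enc", "auth") if local[k] in WEAK_ALGS]
        if local["dh"] in WEAK_DH:
            out.append(("weak", f"dhgrp {local['dh']} -> use 14 or higher"))
        if not psk_is_strong(e["psksecret"][0]):
            out.append(("weak", "psksecret fails the 20-character mixed-class rule"))
        report[name] = out
    return report

def active_tunnel(cfg, dst="10.0.0.0 255.255.0.0"):
    """Device of the preferred static route to dst (lowest administrative distance;
    an unset distance is taken as 10, assumed here to be the FortiOS default)."""
    routes = [(int(e.get("distance", ["10"])[0]), e["device"][0])
              for e in cfg.get("router static", {}).values() if " ".join(e["dst"]) == dst]
    return min(routes)[1] if routes else None

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print(audit_phase1(cfg, CLOUD_PARAMS), "active:", active_tunnel(cfg), generate_psk())
```

Run it against the output of show vpn ipsec phase1-interface and show router static copied from your own device, with CLOUD_PARAMS filled from the IPsec-VPN connection in the Alibaba Cloud console: a 'mismatch' entry explains a tunnel that never reaches the IKE SA stage, and the 'weak' entries list exactly the values to change before the tunnel goes to production.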

BGP dynamic routing

Steps 1–4 are the same as static routing. Complete Phase 1, Phase 2, and firewall policy configuration first, then continue with the BGP-specific steps below.

  1. Open the FortiGate CLI.

  2. Configure Phase 1 (IKE) for both tunnels — same as static routing step 2.

  3. Configure Phase 2 (IPsec) for both tunnels — same as static routing step 3.

  4. Configure firewall policies — same as static routing step 4.

  5. Assign BGP IP addresses to the tunnel interfaces.

    config system interface
        edit "to_ali_tun1"
            set ip 169.254.10.2 255.255.255.255          # Local BGP IP for Tunnel 1
            set remote-ip 169.254.10.1 255.255.255.255   # Remote BGP IP for Tunnel 1 (VPN Gateway)
        next
        edit "to_ali_tun2"
            set ip 169.254.20.2 255.255.255.255          # Local BGP IP for Tunnel 2
            set remote-ip 169.254.20.1 255.255.255.255   # Remote BGP IP for Tunnel 2 (VPN Gateway)
        next
    end
  6. Configure BGP and advertise the data center CIDR block to Alibaba Cloud.

    config router bgp
        set as 65500
        set router-id 122.XX.XX.248
        config neighbor
            edit "169.254.10.1"                       # BGP peer for Tunnel 1 (VPN Gateway)
                set remote-as 65535
            next
            edit "169.254.20.1"                       # BGP peer for Tunnel 2 (VPN Gateway)
                set remote-as 65535
            next
        end
        config network
            edit 100
                set prefix 192.168.0.0 255.255.0.0    # Advertise the data center CIDR block to the VPC
            next
        end
        config redistribute connected                 # Redistribute directly connected routes to BGP
            set status enable
        end
    end

Verify the connection

After completing the configuration, verify connectivity in layers — from IKE negotiation down to application traffic.

Step 1: Check IKE negotiation

Run the following commands on the FortiGate CLI:

diagnose vpn ike gateway list
diagnose vpn tunnel list

Both tunnels should show status up. If a tunnel is down, see Troubleshooting.

Step 2: Test network connectivity

Ping the ECS instance from your data center server:

ping 10.0.10.247

Replace 10.0.10.247 with the actual IP address of your ECS instance. Also ping 192.168.10.211 from the ECS instance to confirm bidirectional connectivity.

Step 3: Verify application traffic

Confirm that services running across the VPN work as expected. Test the specific ports and protocols your applications use.

For dual-tunnel mode, also verify Tunnel 2: take Tunnel 1 offline temporarily and confirm that traffic fails over to Tunnel 2 without manual intervention.

Troubleshooting

Use this decision tree to systematically narrow down connection issues.

IKE negotiation

Run diagnose vpn ike gateway list.

No IKE security association appears:

  • Confirm the pre-shared key matches on both sides.

  • Confirm the IKE version, encryption algorithm, authentication algorithm, and DH group are identical on both sides.

  • Confirm UDP ports 500 and 4500 are allowed through all firewalls in the path.

  • On FortiOS 7.2 and later, check that a local-in policy allows UDP 500 and 4500 on port1.

IPsec security association

Run diagnose vpn tunnel list.

No IPsec security association appears after IKE succeeds:

  • Confirm the Phase 2 encryption algorithm, authentication algorithm, DH group, and SA lifetime match on both sides.

  • Confirm set auto-negotiate enable is set.

Tunnel IP reachability (BGP only)

Ping the remote BGP IP from the FortiGate (for example, ping 169.254.10.1).

Ping fails:

  • Confirm the set ip and set remote-ip values on the tunnel interfaces are correct and match the BGP configuration on Alibaba Cloud.

BGP session (BGP only)

Run get router info bgp summary.

BGP session is not Established:

  • Confirm ASN values match: FortiGate uses 65500, Alibaba Cloud VPN Gateway uses 65535.

  • Confirm the BGP peer IP addresses are correct.

  • Confirm the data center CIDR block (192.168.0.0/16) is included in the BGP network configuration.

Appendix: Single-tunnel mode configuration

Single-tunnel mode provides basic VPN connectivity without automatic failover. Use it only for non-production environments or when high availability is not required.

Important

If the tunnel fails in single-tunnel mode, connectivity is lost until the tunnel is restored. For production environments, use the dual-tunnel configuration described above.

Network planning

The network topology is the same as dual-tunnel mode. Only one tunnel connects to the VPN Gateway.

Resource | CIDR block | IP addresses
Data center | 192.168.0.0/16 | Server: 192.168.10.211
FortiGate firewall | 192.168.0.0/16 | WAN (port1): 122.XX.XX.248 (public); LAN (port2): 192.168.10.221/24 (private)
VPC | Primary: 10.0.0.0/16; vSwitch 1: 10.0.10.0/24; vSwitch 2: 10.0.20.0/24 | ECS: 10.0.10.247
VPN Gateway | N/A | IPsec address: 8.XX.XX.146

Prerequisites

Before you begin, ensure that you have completed the Alibaba Cloud configuration. Follow Connect a VPC to a data center in single-tunnel mode to create a VPN Gateway, a customer gateway, an IPsec-VPN connection (single tunnel), and routing for the VPN Gateway.

Configuration parameters

Parameter | Sample value on Alibaba Cloud | Sample value on the FortiGate firewall
Pre-shared key | 123456**** | 123456****
IKE: IKE version | ikev2 | ikev2
IKE: Encryption algorithm | des | des
IKE: Authentication algorithm | sha1 | sha1
IKE: DH group | group2 | group2
IKE: SA lifetime | 86400 seconds | 86400 seconds
IPsec: Encryption algorithm | des | des
IPsec: Authentication algorithm | sha1 | sha1
IPsec: DH group | group2 | group2
IPsec: SA lifetime | 86400 seconds | 86400 seconds

Configure the FortiGate firewall

  1. Open the FortiGate CLI.

  2. Configure Phase 1 (IKE).

    config vpn ipsec phase1-interface
        edit "to_ali_tun1"
            set interface "port1"
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal des-sha1
            set dpd on-idle
            set dhgrp 2
            set keylife 86400
            set remote-gw 8.XX.XX.146           # Public IP address of the VPN Gateway
            set psksecret 123456****            # Must match the pre-shared key on Alibaba Cloud
        next
    end
  3. Configure Phase 2 (IPsec).

    config vpn ipsec phase2-interface
        edit "to_ali_tun1"
            set phase1name "to_ali_tun1"    # Bind to the Phase 1 interface
            set proposal des-sha1
            set dhgrp 2
            set keylifeseconds 86400
            set auto-negotiate enable
        next
    end
  4. Configure firewall policies.

    # Define address objects
    config firewall address
        edit "Local_192.168.0.0/16"
            set subnet 192.168.0.0 255.255.0.0
        next
        edit "Remote_10.0.0.0/16"
            set subnet 10.0.0.0 255.255.0.0
        next
    end
    
    # Firewall policies
    config firewall policy
        edit 100
            set name "forti_to_alibabacloud1"
            set srcintf "port2"
            set dstintf "to_ali_tun1"           # Data center to VPC
            set action accept
            set srcaddr "Local_192.168.0.0/16"
            set dstaddr "Remote_10.0.0.0/16"
            set schedule "always"
            set service "ALL"
        next
        edit 101
            set name "aliyun_to_forti1"          # VPC to data center
            set srcintf "to_ali_tun1"
            set dstintf "port2"
            set action accept
            set srcaddr "Remote_10.0.0.0/16"
            set dstaddr "Local_192.168.0.0/16"
            set schedule "always"
            set service "ALL"
        next
    end
  5. Add a static route to the VPC.

    Single-tunnel mode requires only one static route. No distance parameter is needed because there is no backup route.

    config router static
        edit 100
            set dst 10.0.0.0 255.255.0.0
            set device "to_ali_tun1"
        next
    end