To use IPsec-VPN to connect a data center to an Alibaba Cloud virtual private cloud (VPC), you must configure a VPN gateway on Alibaba Cloud and add VPN configurations to the gateway device in the data center. This topic describes how to add VPN configurations to a FortiGate firewall.
Scenario
In this example, a company has deployed a VPC on Alibaba Cloud. The CIDR block of the VPC is 10.0.0.0/16. Applications are deployed on an Elastic Compute Service (ECS) instance in the VPC. The company has a data center that needs to use the CIDR block 192.168.0.0/16 to communicate with the VPC. The company wants to establish an IPsec-VPN connection between the data center and the VPC on the cloud to implement mutual resource access.
In this scenario, a FortiGate firewall in the data center establishes an IPsec-VPN connection to Alibaba Cloud in dual-tunnel mode by using a public IP address. If you want to establish an IPsec-VPN connection in single-tunnel mode, see the Configure a FortiGate firewall to use a single tunnel section in this topic.
CIDR block plan and sample VPN configurations
CIDR block plan
Resource | CIDR block | IP address |
Data center | CIDR block that needs to communicate with the VPC: 192.168.0.0/16 | Server IP address: 192.168.10.211 |
FortiGate firewall | CIDR block of interfaces: 192.168.0.0/16 |
|
VPC | Primary CIDR block: 10.0.0.0/16 vSwitch 1: 10.0.10.0/24 vSwitch 2: 10.0.20.0/24 | ECS IP address: 10.0.10.247 |
Public VPN gateway | N/A |
Note After you create a VPN gateway, the system automatically assigns IP addresses to the VPN gateway. |
CIDR block plan for BGP dynamic routing
In addition to static routing, this topic also describes how to configure a FortiGate firewall to establish an IPsec-VPN connection that uses Border Gateway Protocol (BGP) dynamic routing. If you do not need to use BGP dynamic routing, skip this section. The following table describes the CIDR block plan for BGP dynamic routing.
Resource | Tunnel | BGP tunnel CIDR block | BGP IP address | BGP local ASN |
VPN gateway | Tunnel 1 | 169.254.10.0/30 Note On a VPN gateway, the CIDR block of each tunnel must be unique. | 169.254.10.1 | 65535 |
Tunnel 2 | 169.254.20.0/30 | 169.254.20.1 | ||
FortiGate firewall | Tunnel 1 | 169.254.10.0/30 | 169.254.10.2 | 65500 |
Tunnel 2 | 169.254.20.0/30 | 169.254.20.2 |
Sample VPN configurations
In this example, Tunnel 1 is the active tunnel and Tunnel 2 is the standby tunnel. The two tunnels use the same sample values.
The VPN configurations on Alibaba Cloud and the FortiGate firewall must be the same for each tunnel.
Parameter | Sample value on Alibaba Cloud | Sample value on the FortiGate firewall | |
Pre-shared key | 123456**** | 123456**** | |
Internet Key Exchange (IKE) configurations | IKE version | ikev2 | ikev2 |
Negotiation mode | main | main | |
Encryption algorithm | des | des Note The software version used by the FortiGate firewall in this scenario does not support the Advanced Encryption Standard (AES) algorithm. Therefore, the Data Encryption Standard (DES) algorithm is used in this example. We recommend that you use the AES algorithm. | |
Authentication algorithm | sha1 | sha1 | |
Diffie-Hellman (DH) group | group2 | group2 | |
Security association (SA) lifecycle (seconds) | 86400 | 86400 | |
IPsec configurations | Encryption algorithm | des | des Note The software version used by the FortiGate firewall in this scenario does not support the AES algorithm. Therefore, the DES algorithm is used in this example. We recommend that you use the AES algorithm. |
Authentication algorithm | sha1 | sha1 | |
DH group | group2 | group2 | |
SA lifecycle (seconds) | 86400 | 86400 | |
Prerequisites
This topic describes only how to add VPN configurations to a FortiGate firewall. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the FortiGate firewall, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, create an IPsec-VPN connection, and configure routing for the VPN gateway.
For more information about how to establish an IPsec-VPN connection that uses static routing, see Connect a VPC to a data center in dual-tunnel mode.
For more information about how to establish an IPsec-VPN connection that uses BGP dynamic routing, see Connect a VPC to a data center in dual-tunnel and BGP routing mode.
In this scenario, the FortiGate firewall in the data center establishes an IPsec-VPN connection in dual-tunnel mode to Alibaba Cloud by using a public IP address. Therefore, you need to create only one customer gateway. When you create an IPsec-VPN connection, you can associate the two tunnels with the same customer gateway.
Procedure
In this example, FortiOS V6.2.4 is used to describe how to configure a FortiGate firewall. The following content is for reference only. For more information about specific commands, see the manuals provided by the manufacturer.
Static routing
Go to the CLI of the FortiGate firewall.
Add Phase 1 IPsec-VPN configurations, which are also called IKE configurations, to the FortiGate firewall.
# Add Phase 1 IPsec-VPN configurations for Tunnel 1. config vpn ipsec phase1-interface edit "to_aliyun_test1" set interface "port1" # Set the interface to port1, which is the public network egress. set ike-version 2 set peertype any set net-device disable set proposal des-sha1 set localid-type address # Set the format of localid to IP address, which is the same as that of remoteid of Tunnel 1 on Alibaba Cloud. set dhgrp 2 set remote-gw 8.XX.XX.146 # Set the remote address of Tunnel 1 to IPsec address 1 of the VPN gateway. set psksecret 123456**** # Specify the pre-shared key for Tunnel 1. The pre-shared key on Alibaba Cloud must be the same as that on the FortiGate firewall. next end # Add Phase 2 IPsec-VPN configurations for Tunnel 2. config vpn ipsec phase1-interface edit "to_aliyun_test2" set interface "port1" # Set the interface to port1, which is the public network egress. set ike-version 2 set peertype any set net-device disable set proposal des-sha1 set localid-type address # Set the format of localid to IP address, which is the same as that of remoteid of Tunnel 2 on Alibaba Cloud. set dhgrp 2 set remote-gw 8.XX.XX.74 # Set the remote address of Tunnel 2 to IPsec address 2 of the VPN gateway. set psksecret 123456**** # Specify the pre-shared key for Tunnel 2. The pre-shared key on Alibaba Cloud must be the same as that on the FortiGate firewall. next endAdd Phase 2 IPsec-VPN configurations, which are also called IPsec configurations, to the FortiGate firewall.
# Add Phase 2 IPsec-VPN configurations for Tunnel 1. config vpn ipsec phase2-interface edit "to_aliyun_test1" set phase1name "to_aliyun_test1" # Associate the interface with phase1-interface of Tunnel 1. set proposal des-sha1 set dhgrp 2 set auto-negotiate enable set keylifeseconds 86400 next end # Add Phase 2 IPsec-VPN configurations for Tunnel 2. config vpn ipsec phase2-interface edit "to_aliyun_test2" set phase1name "to_aliyun_test2" # Associate the interface with phase1-interface of Tunnel 2. set proposal des-sha1 set dhgrp 2 set auto-negotiate enable set keylifeseconds 86400 next endConfigure firewall policies.
config firewall policy edit 1 set name "forti_to_aliyun1" # Specify the traffic that is allowed from the FortiGate firewall to Alibaba Cloud over Tunnel 1. set srcintf "port4" set dstintf "to_aliyun_test1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 2 set name "aliyun_to_forti1" # Specify the traffic that is allowed from Alibaba Cloud to the FortiGate firewall over Tunnel 1. set srcintf "to_aliyun_test1" set dstintf "port4" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 3 set name "forti_to_aliyun2" # Specify the traffic that is allowed from the FortiGate firewall to Alibaba Cloud over Tunnel 2. set srcintf "port4" set dstintf "to_aliyun_test2" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 4 set name "aliyun_to_forti2" # Specify the traffic that is allowed from Alibaba Cloud to the FortiGate firewall over Tunnel 2. set srcintf "to_aliyun_test2" set dstintf "port4" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next endConfigure static routes to the VPC.
config router static edit 1 set dst 10.0.0.0 255.255.0.0 set priority 0 set device "to_aliyun_test1" next edit 2 set dst 10.0.0.0 255.255.0.0 set priority 10 # Decrease the priority of the route pointing to Tunnel 2. This way, traffic is preferentially transmitted over Tunnel 1. set device "to_aliyun_test2" next end
BGP dynamic routing
Go to the CLI of the FortiGate firewall.
Add Phase 1 IPsec-VPN configurations, which are also called IKE configurations, to the FortiGate firewall.
# Add Phase 1 IPsec-VPN configurations for Tunnel 1. config vpn ipsec phase1-interface edit "to_aliyun_test1" set interface "port1" # Set the interface to port1, which is the public network egress. set ike-version 2 set peertype any set net-device disable set proposal des-sha1 set localid-type address # Set the format of localid to IP address, which is the same as that of remoteid of Tunnel 1 on Alibaba Cloud. set dhgrp 2 set remote-gw 8.XX.XX.146 # Set the remote address of Tunnel 1 to IPsec address 1 of the VPN gateway. set psksecret 123456**** # Specify the pre-shared key for Tunnel 1. The pre-shared key on Alibaba Cloud must be the same as that on the FortiGate firewall. next end # Add Phase 2 IPsec-VPN configurations for Tunnel 2. config vpn ipsec phase1-interface edit "to_aliyun_test2" set interface "port1" # Set the interface to port1, which is the public network egress. set ike-version 2 set peertype any set net-device disable set proposal des-sha1 set localid-type address # Set the format of localid to IP address, which is the same as that of remoteid of Tunnel 2 on Alibaba Cloud. set dhgrp 2 set remote-gw 8.XX.XX.74 # Set the remote address of Tunnel 2 to IPsec address 2 of the VPN gateway. set psksecret 123456**** # Specify the pre-shared key for Tunnel 2. The pre-shared key on Alibaba Cloud must be the same as that on the FortiGate firewall. next endAdd Phase 2 IPsec-VPN configurations, which are also called IPsec configurations, to the FortiGate firewall.
# Add Phase 2 IPsec-VPN configurations for Tunnel 1. config vpn ipsec phase2-interface edit "to_aliyun_test1" set phase1name "to_aliyun_test1" # Associate the interface with phase1-interface of Tunnel 1. set proposal des-sha1 set dhgrp 2 set auto-negotiate enable set keylifeseconds 86400 next end # Add Phase 2 IPsec-VPN configurations for Tunnel 2. config vpn ipsec phase2-interface edit "to_aliyun_test2" set phase1name "to_aliyun_test2" # Associate the interface with phase1-interface of Tunnel 2. set proposal des-sha1 set dhgrp 2 set auto-negotiate enable set keylifeseconds 86400 next endConfigure firewall policies.
config firewall policy edit 1 set name "forti_to_aliyun1" # Specify the traffic that is allowed from the FortiGate firewall to Alibaba Cloud over Tunnel 1. set srcintf "port4" set dstintf "to_aliyun_test1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 2 set name "aliyun_to_forti1" # Specify the traffic that is allowed from Alibaba Cloud to the FortiGate firewall over Tunnel 1. set srcintf "to_aliyun_test1" set dstintf "port4" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 3 set name "forti_to_aliyun2" # Specify the traffic that is allowed from the FortiGate firewall to Alibaba Cloud over Tunnel 2. set srcintf "port4" set dstintf "to_aliyun_test2" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next edit 4 set name "aliyun_to_forti2" # Specify the traffic that is allowed from Alibaba Cloud to the FortiGate firewall over Tunnel 2. set srcintf "to_aliyun_test2" set dstintf "port4" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" next endConfigure BGP IP addresses for tunnel interfaces.
config system interface edit "to_aliyun_test1" set ip 169.254.10.2 255.255.255.255 # Configure a BGP IP address for the interface of Tunnel 1. set remote-ip 169.254.10.1 255.255.255.255 # Configure a remote BGP IP address for Tunnel 1. next edit "to_aliyun_test2" set ip 169.254.20.2 255.255.255.255 # Configure a BGP IP address for the interface of Tunnel 2. set remote-ip 169.254.20.1 255.255.255.255 # Configure a remote BGP IP address for Tunnel 2. next endConfigure BGP dynamic routing.
config router bgp set as 65500 set router-id 122.XX.XX.248 config neighbor edit "169.254.10.1" # Specify the BGP peer for Tunnel 1. set remote-as 65535 edit "169.254.20.1" set remote-as 65535 # Specify the BGP peer for Tunnel 2. next end config network edit 1 set prefix 192.168.0.0 255.255.0.0 # Specify the CIDR block in the data center that needs to communicate with the VPC. next end config redistribute "connected" # Redistribute the route of the directly-connected interface to BGP. set status enable end end
Configure a FortiGate firewall to use a single tunnel
Scenario
In this example, a company has deployed a VPC on Alibaba Cloud. The CIDR block of the VPC is 192.168.10.0/24. Applications are deployed on an ECS instance in the VPC. The company also has a data center, whose CIDR block 192.168.66.0/24 wants to communicate with the VPC. The company wants to establish an IPsec-VPN connection between the data center and the VPC on the cloud to implement mutual resource access.
CIDR block plan and sample VPN configurations
CIDR block plan
Resource | Example | |
VPC | Private CIDR block that needs to communicate with the data center | 192.168.10.0/24 |
Public VPN gateway | Public IP address of the VPN gateway | 101.XX.XX.127 |
Data center | Private CIDR block that needs to communicate with the VPC | 192.168.66.0/24 |
Public IP address of the FortiGate firewall | 122.XX.XX.248 | |
Physical interface that connects to the Internet on the FortiGate firewall | WAN, which is configured with the public IP address 122.XX.XX.248 | |
Physical interface that connects to the data center on the FortiGate firewall | LAN, which is configured with the private IP address 192.168.66.125/24 | |
Sample VPN configurations
Parameter | Sample value on Alibaba Cloud | Sample value on the FortiGate firewall | |
Pre-shared key | ff123TT**** | ff123TT**** | |
IKE configurations | IKE version | ikev1 | ikev1 |
Negotiation mode | main | main | |
Encryption algorithm | aes | aes | |
Authentication algorithm | sha1 | sha1 | |
DH group | group2 | group2 | |
SA lifecycle (seconds) | 86400 | 86400 | |
IPsec configurations | Encryption algorithm | aes | aes |
Authentication algorithm | sha1 | sha1 | |
DH group | group2 | group2 | |
SA lifecycle (seconds) | 86400 | 86400 | |
Prerequisites
This topic describes only how to add VPN configurations to a FortiGate firewall. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. In this example. static routing is used. Before you configure the FortiGate firewall, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, create an IPsec-VPN connection, and configure routing for the VPN gateway. For more information, see Connect a VPC to a data center in single-tunnel mode.
Procedure
In this example, FortiOS V7.0 is used to describe how to configure a FortiGate firewall. The following content is for reference only. For more information about specific commands, see the manuals provided by the manufacturer.
Go to the CLI of the FortiGate firewall.
Add Phase 1 IPsec-VPN configurations, which are also called IKE configurations, to the FortiGate firewall.
config vpn ipsec phase1-interface edit "to_AliCloud" set interface "wan" set peertype any set net-device disable set proposal aes128-sha1 set dpd on-idle set dhgrp 2 set keylife 86400 set remote-gw 101.XX.XX.127 # Set the remote address of the tunnel to the public IP address of the VPN gateway. set psksecret ff123TT**** # Specify the pre-shared key for the tunnel. The pre-shared key on Alibaba Cloud must be the same as that on the FortiGate firewall. next endAdd Phase 2 IPsec-VPN configurations, which are also called IPsec configurations, to the FortiGate firewall.
config vpn ipsec phase2-interface
edit "to_AliCloud"
set phase1name "to_AliCloud" # Associate the interface with phase1-interface of the tunnel.
set proposal aes128-sha1
set dhgrp 2
set keylifeseconds 86400
set auto-negotiate enable
next
endConfigure firewall policies.
config firewall address # Define CIDR blocks. edit "Local_192.168.66.0/24" set subnet 192.168.66.0 255.255.255.0 next edit "Remote_192.168.10.0/24" set subnet 192.168.10.0 255.255.255.0 next edit "AliCloud_VPN_Gateway" set subnet 101.XX.XX.127 255.255.255.255 next end config firewall policy edit 4 set srcintf "lan" set dstintf "to_AliCloud" # Specify the traffic that is allowed from the FortiGate firewall to Alibaba Cloud over the tunnel. set action accept set srcaddr "Local_192.168.66.0/24" set dstaddr "Remote_192.168.10.0/24" set schedule "always" set service "ALL" next edit 5 set srcintf "to_AliCloud" # Specify the traffic that is allowed from Alibaba Cloud to the FortiGate firewall over the tunnel. set dstintf "lan" set action accept set srcaddr "Remote_192.168.10.0/24" set dstaddr "Local_192.168.66.0/24" set schedule "always" set service "ALL" next endConfigure static routes to the VPC.
config router static edit 3 set dst 192.168.10.0 255.255.255.0 set device "to_AliCloud" next edit 4 set dst 192.168.10.0 255.255.255.0 set distance 254 set blackhole enable next endConfigure a local-in policy for the FortiGate firewall.
ImportantAfter you configure the local-in policy, IKE negotiation packets from Alibaba Cloud are dropped if no IKE session is established. Make sure that a local-in policy is configured. Otherwise, connections may not be reinitiated after IPsec-VPN connections are interrupted.
config firewall local-in-policy edit 1 set intf "wan" set srcaddr "AliCloud_VPN_Gateway" set dstaddr "all" set service "IKE" set schedule "always" set action deny next end