This topic describes how to configure a FortiGate firewall to establish an IPsec-VPN connection with Alibaba Cloud VPN Gateway. The configuration supports both static routing and BGP dynamic routing, with dual-tunnel mode for high availability.
Scenario
In this example, a company has deployed a VPC on Alibaba Cloud. The CIDR block of the VPC is 10.0.0.0/16. Applications are deployed on an Elastic Compute Service (ECS) instance in the VPC. The company has a data center that needs to use the CIDR block 192.168.0.0/16 to communicate with the VPC. The company wants to establish an IPsec-VPN connection between the data center and the VPC on the cloud to implement mutual resource access.
In this scenario, a FortiGate firewall in the data center establishes an IPsec-VPN connection to Alibaba Cloud in dual-tunnel mode by using a public IP address. If you want to establish an IPsec-VPN connection in single-tunnel mode, see the Appendix: Single-tunnel mode configuration section in this topic.
Before you begin
Review the following information before configuring your FortiGate firewall:
Configuration mode: This topic covers dual-tunnel mode (primary and standby tunnels for high availability). For single-tunnel mode configuration, see Single-tunnel mode configuration.
Routing protocol: You can choose between:
Static routing - Simpler configuration, suitable for stable network topologies
BGP dynamic routing - Automatic route updates, better for complex or changing networks
Both configurations are provided in this topic.
FortiOS version: This configuration example is tested on FortiOS 7.4.4. If you are using FortiOS 6.x or other versions, you may need to adjust the commands according to your specific version. Refer to your FortiOS documentation for version-specific syntax.
Estimated time: 30-45 minutes (including verification)
Recommended: Use dual-tunnel mode with BGP dynamic routing for production environments requiring high availability.
Network planning
Plan your network before configuration to avoid conflicts and connectivity issues.
CIDR block plan
Resource           | CIDR block                                                                        | IP address
Data center        | CIDR block that needs to communicate with the VPC: 192.168.0.0/16                 | Server IP address: 192.168.10.211
FortiGate firewall | CIDR block of interfaces: 192.168.0.0/16                                          |
VPC                | Primary CIDR block: 10.0.0.0/16; vSwitch 1: 10.0.10.0/24; vSwitch 2: 10.0.20.0/24 | ECS IP address: 10.0.10.247
Public VPN gateway | N/A                                                                               | After you create a VPN gateway, the system automatically assigns IP addresses to the VPN gateway.
BGP configuration (optional)
For networks requiring dynamic routing, you can configure BGP instead of static routes. BGP automatically propagates route updates between your FortiGate firewall and Alibaba Cloud VPN Gateway, which is beneficial for complex or frequently changing network topologies. If you're using static routing, you can skip this section. The following table describes the additional parameters required for BGP configuration.
Resource           | Tunnel   | BGP tunnel CIDR block | BGP IP address | BGP local ASN
VPN gateway        | Tunnel 1 | 169.254.10.0/30       | 169.254.10.1   | 65535
VPN gateway        | Tunnel 2 | 169.254.20.0/30       | 169.254.20.1   | 65535
FortiGate firewall | Tunnel 1 | 169.254.10.0/30       | 169.254.10.2   | 65500
FortiGate firewall | Tunnel 2 | 169.254.20.0/30       | 169.254.20.2   | 65500
On a VPN gateway, the CIDR block of each tunnel must be unique.
Sample VPN configurations
In this example, Tunnel 1 is the active tunnel and Tunnel 2 is the standby tunnel. The two tunnels use the same sample values.
The VPN configurations on Alibaba Cloud and the FortiGate firewall must be the same for each tunnel.
Parameter                                  |                                               | Sample value on Alibaba Cloud | Sample value on the FortiGate firewall
Pre-shared key                             |                                               | 123456****                    | 123456****
Internet Key Exchange (IKE) configurations | IKE version                                   | ikev2                         | ikev2
                                           | Encryption algorithm                          | des                           | des
                                           | Authentication algorithm                      | sha1                          | sha1
                                           | Diffie-Hellman (DH) group                     | group2                        | group2
                                           | Security association (SA) lifecycle (seconds) | 86400                         | 86400
IPsec configurations                       | Encryption algorithm                          | des                           | des
                                           | Authentication algorithm                      | sha1                          | sha1
                                           | DH group                                      | group2                        | group2
                                           | SA lifecycle (seconds)                        | 86400                         | 86400
Security considerations:
Encryption and authentication algorithms: This example uses DES (encryption) and SHA1 (authentication) for compatibility with FortiGate devices that have license restrictions. Note that DES is considered a legacy encryption algorithm. For production environments with full licenses, it is strongly recommended to upgrade to AES-128 or AES-256 for better security.
Pre-shared key: The example value 123456**** is for demonstration only. In production environments, generate a strong, random pre-shared key with at least 20 characters, including uppercase letters, lowercase letters, numbers, and special characters. Store the key securely and never commit it to version control.
Perfect Forward Secrecy (PFS): This configuration uses group2 for PFS. For enhanced security, consider using group14 (2048-bit Diffie-Hellman) or higher, especially for sensitive data transmission.
Prerequisites
This topic describes only how to add VPN configurations to a FortiGate firewall. The procedure for configuring a VPN gateway on Alibaba Cloud is omitted. Before you configure the FortiGate firewall, make sure that you have completed the following tasks: create a VPN gateway, create a customer gateway, create an IPsec-VPN connection, and configure routing for the VPN gateway.
For more information about how to establish an IPsec-VPN connection that uses static routing, see Connect a VPC to a data center in dual-tunnel mode.
For more information about how to establish an IPsec-VPN connection that uses BGP dynamic routing, see Connect a VPC to a data center in dual-tunnel mode with BGP.
In this scenario, the FortiGate firewall in the data center establishes an IPsec-VPN connection in dual-tunnel mode to Alibaba Cloud by using a public IP address. Therefore, you need to create only one customer gateway. When you create an IPsec-VPN connection, you can associate the two tunnels with the same customer gateway.
Procedure
This configuration example is verified on FortiOS V7.4.4. If you are using a different FortiOS version, some commands or options may vary. Consult the FortiOS documentation for your specific version to adjust the configuration accordingly.
Configuration number conflict warning:
The edit <number> command used in this configuration (for IPsec interfaces, firewall policies, static routes, etc.) will overwrite any existing configuration with the same number on your FortiGate device. This may disrupt your current network configuration.
Before proceeding:
Check existing configurations using commands such as:
show vpn ipsec phase1-interface
show firewall policy
show router static
Use unused configuration numbers, or select higher numbers (e.g., 100, 101, 102) to avoid conflicts with existing configurations.
Static routing
Go to the CLI of the FortiGate firewall.
Add Phase 1 IPsec-VPN configurations, which are also called IKE configurations, to the FortiGate firewall.
# Add Phase 1 IPsec-VPN configurations for Tunnel 1.
config vpn ipsec phase1-interface
    edit "to_ali_tun1"
        set interface "port1"        # port1 is the public network egress.
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal des-sha1
        set localid-type address     # localid is an IP address, the same format as remoteid of Tunnel 1 on Alibaba Cloud.
        set dhgrp 2
        set dpd on-idle              # Enable Dead Peer Detection to detect tunnel failures.
        set keylife 86400            # IKE SA lifetime: 86400 seconds (24 hours).
        set remote-gw 8.XX.XX.146    # Remote address of Tunnel 1: IPsec address 1 of the VPN gateway.
        set psksecret 123456****     # Pre-shared key for Tunnel 1; must be the same on Alibaba Cloud and on the FortiGate firewall.
    next
end
# Add Phase 1 IPsec-VPN configurations for Tunnel 2.
config vpn ipsec phase1-interface
    edit "to_ali_tun2"
        set interface "port1"        # port1 is the public network egress.
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal des-sha1
        set localid-type address     # localid is an IP address, the same format as remoteid of Tunnel 2 on Alibaba Cloud.
        set dhgrp 2
        set dpd on-idle              # Enable Dead Peer Detection to detect tunnel failures.
        set keylife 86400            # IKE SA lifetime: 86400 seconds (24 hours).
        set remote-gw 8.XX.XX.74     # Remote address of Tunnel 2: IPsec address 2 of the VPN gateway.
        set psksecret 123456****     # Pre-shared key for Tunnel 2; must be the same on Alibaba Cloud and on the FortiGate firewall.
    next
end
Add Phase 2 IPsec-VPN configurations, which are also called IPsec configurations, to the FortiGate firewall.
# Add Phase 2 IPsec-VPN configurations for Tunnel 1.
config vpn ipsec phase2-interface
    edit "to_ali_tun1"
        set phase1name "to_ali_tun1"    # Associate the interface with the phase1-interface of Tunnel 1.
        set proposal des-sha1
        set dhgrp 2
        set auto-negotiate enable
        set keylifeseconds 86400
    next
end
# Add Phase 2 IPsec-VPN configurations for Tunnel 2.
config vpn ipsec phase2-interface
    edit "to_ali_tun2"
        set phase1name "to_ali_tun2"    # Associate the interface with the phase1-interface of Tunnel 2.
        set proposal des-sha1
        set dhgrp 2
        set auto-negotiate enable
        set keylifeseconds 86400
    next
end
Configure firewall policies.
config firewall address
    # Define CIDR blocks.
    edit "Local_192.168.0.0/16"
        set subnet 192.168.0.0 255.255.0.0
    next
    edit "Remote_10.0.0.0/16"
        set subnet 10.0.0.0 255.255.0.0
    next
end
config firewall policy
    edit 100
        set name "forti_to_alibabacloud1"    # Traffic allowed from the FortiGate firewall to Alibaba Cloud over Tunnel 1.
        set srcintf "port2"
        set dstintf "to_ali_tun1"
        set action accept
        set srcaddr "Local_192.168.0.0/16"
        set dstaddr "Remote_10.0.0.0/16"
        set schedule "always"
        set service "ALL"
    next
    edit 101
        set name "aliyun_to_forti1"          # Traffic allowed from Alibaba Cloud to the FortiGate firewall over Tunnel 1.
        set srcintf "to_ali_tun1"
        set dstintf "port2"
        set action accept
        set srcaddr "Remote_10.0.0.0/16"
        set dstaddr "Local_192.168.0.0/16"
        set schedule "always"
        set service "ALL"
    next
    edit 102
        set name "forti_to_alibabacloud2"    # Traffic allowed from the FortiGate firewall to Alibaba Cloud over Tunnel 2.
        set srcintf "port2"
        set dstintf "to_ali_tun2"
        set action accept
        set srcaddr "Local_192.168.0.0/16"
        set dstaddr "Remote_10.0.0.0/16"
        set schedule "always"
        set service "ALL"
    next
    edit 103
        set name "aliyun_to_forti2"          # Traffic allowed from Alibaba Cloud to the FortiGate firewall over Tunnel 2.
        set srcintf "to_ali_tun2"
        set dstintf "port2"
        set action accept
        set srcaddr "Remote_10.0.0.0/16"
        set dstaddr "Local_192.168.0.0/16"
        set schedule "always"
        set service "ALL"
    next
end
Configure static routes to the VPC.
config router static
    edit 100
        set dst 10.0.0.0 255.255.0.0
        set distance 1               # Administrative distance; lower values have higher priority.
        set device "to_ali_tun1"
    next
    edit 101
        set dst 10.0.0.0 255.255.0.0
        set distance 10              # A higher distance for Tunnel 2 makes Tunnel 1 the preferred path.
        set device "to_ali_tun2"
    next
end
For earlier FortiOS versions (such as 6.x), use set priority instead of set distance to configure route preference.
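The rule that every Phase 1 and Phase 2 parameter must match the Alibaba Cloud side, together with the weaknesses listed under Security considerations, can be checked mechanically before the configuration is pushed. The following Python script is an added example, not part of this topic or of FortiOS: it parses a FortiOS configuration excerpt in the format of the blocks above (the embedded sample is constructed from the Tunnel 1 values), compares each tunnel with the cloud-side parameters from the Sample VPN configurations table, and flags legacy algorithms, DH groups below group14 and a pre-shared key that fails the 20-character mixed-class rule.

```python
import shlex
# Constructed sample modelled on the page's Tunnel 1 blocks; the PSK is the page's placeholder value.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "to_ali_tun1"
        set ike-version 2
        set proposal des-sha1
        set dhgrp 2
        set psksecret 123456****
    next
end
config vpn ipsec phase2-interface
    edit "to_ali_tun1"
        set proposal des-sha1
        set dhgrp 2
    next
end
"""
# Values configured on the Alibaba Cloud side, from the Sample VPN configurations table.
ALIYUN_SIDE = {"ike-version": "2", "proposal": "des-sha1", "dhgrp": "2"}
LEGACY = {"des", "3des", "md5", "sha1"}  # algorithms the security considerations call legacy

def parse_fortios(text):
    # Walk config/edit/set/end lines into {section: {entry: {key: value}}}; shlex strips the quotes.
    result, section, entry = {}, None, None
    for parts in filter(None, map(shlex.split, text.splitlines())):
        if parts[0] == "config":
            section = result.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "edit" and section is not None:
            entry = section.setdefault(parts[1], {})
        elif parts[0] == "set" and entry is not None:
            entry[parts[1]] = " ".join(parts[2:])
        elif parts[0] == "end":
            section = entry = None
    return result

def audit_tunnel(cfg, name, cloud_side=ALIYUN_SIDE):
    findings = []
    for phase in ("phase1", "phase2"):
        block = cfg.get(f"vpn ipsec {phase}-interface", {}).get(name, {})
        # Phase 2 has no IKE version of its own; every other parameter must match the cloud side.
        want = {k: v for k, v in cloud_side.items() if phase == "phase1" or k != "ike-version"}
        for key, value in want.items():
            if block.get(key) != value:
                findings.append(f"{name} {phase}: {key}={block.get(key)!r}, cloud side has {value!r}")
        legacy = LEGACY & set(block.get("proposal", "").replace(" ", "-").split("-"))
        if legacy:
            findings.append(f"{name} {phase}: legacy algorithm(s) {sorted(legacy)}, prefer AES/SHA-2")
        if block.get("dhgrp", "").isdigit() and int(block["dhgrp"]) < 14:
            findings.append(f"{name} {phase}: dhgrp {block['dhgrp']} is below group14 (2048-bit)")
    psk = cfg.get("vpn ipsec phase1-interface", {}).get(name, {}).get("psksecret", "")
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    if len(psk) < 20 or not all(any(f(c) for c in psk) for f in classes):
        findings.append(f"{name}: pre-shared key fails the 20-character mixed-class rule")
    return findings
```

Run it against the output of show vpn ipsec phase1-interface and show vpn ipsec phase2-interface on the FortiGate; an empty list means the tunnel matches the cloud side and carries none of the weaknesses listed above.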
BGP dynamic routing
Go to the CLI of the FortiGate firewall.
Add Phase 1 IPsec-VPN configurations, which are also called IKE configurations, to the FortiGate firewall.
# Add Phase 1 IPsec-VPN configurations for Tunnel 1.
config vpn ipsec phase1-interface
    edit "to_ali_tun1"
        set interface "port1"        # port1 is the public network egress.
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal des-sha1
        set localid-type address     # localid is an IP address, the same format as remoteid of Tunnel 1 on Alibaba Cloud.
        set dhgrp 2
        set dpd on-idle              # Enable Dead Peer Detection to detect tunnel failures.
        set keylife 86400            # IKE SA lifetime: 86400 seconds (24 hours).
        set remote-gw 8.XX.XX.146    # Remote address of Tunnel 1: IPsec address 1 of the VPN gateway.
        set psksecret 123456****     # Pre-shared key for Tunnel 1; must be the same on Alibaba Cloud and on the FortiGate firewall.
    next
end
# Add Phase 1 IPsec-VPN configurations for Tunnel 2.
config vpn ipsec phase1-interface
    edit "to_ali_tun2"
        set interface "port1"        # port1 is the public network egress.
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal des-sha1
        set localid-type address     # localid is an IP address, the same format as remoteid of Tunnel 2 on Alibaba Cloud.
        set dhgrp 2
        set dpd on-idle              # Enable Dead Peer Detection to detect tunnel failures.
        set keylife 86400            # IKE SA lifetime: 86400 seconds (24 hours).
        set remote-gw 8.XX.XX.74     # Remote address of Tunnel 2: IPsec address 2 of the VPN gateway.
        set psksecret 123456****     # Pre-shared key for Tunnel 2; must be the same on Alibaba Cloud and on the FortiGate firewall.
    next
end
Add Phase 2 IPsec-VPN configurations, which are also called IPsec configurations, to the FortiGate firewall.
# Add Phase 2 IPsec-VPN configurations for Tunnel 1.
config vpn ipsec phase2-interface
    edit "to_ali_tun1"
        set phase1name "to_ali_tun1"    # Associate the interface with the phase1-interface of Tunnel 1.
        set proposal des-sha1
        set dhgrp 2
        set auto-negotiate enable
        set keylifeseconds 86400
    next
end
# Add Phase 2 IPsec-VPN configurations for Tunnel 2.
config vpn ipsec phase2-interface
    edit "to_ali_tun2"
        set phase1name "to_ali_tun2"    # Associate the interface with the phase1-interface of Tunnel 2.
        set proposal des-sha1
        set dhgrp 2
        set auto-negotiate enable
        set keylifeseconds 86400
    next
end
Configure firewall policies.
config firewall address
    # Define CIDR blocks.
    edit "Local_192.168.0.0/16"
        set subnet 192.168.0.0 255.255.0.0
    next
    edit "Remote_10.0.0.0/16"
        set subnet 10.0.0.0 255.255.0.0
    next
end
config firewall policy
    edit 100
        set name "forti_to_alibabacloud1"    # Traffic allowed from the FortiGate firewall to Alibaba Cloud over Tunnel 1.
        set srcintf "port2"
        set dstintf "to_ali_tun1"
        set action accept
        set srcaddr "Local_192.168.0.0/16"
        set dstaddr "Remote_10.0.0.0/16"
        set schedule "always"
        set service "ALL"
    next
    edit 101
        set name "aliyun_to_forti1"          # Traffic allowed from Alibaba Cloud to the FortiGate firewall over Tunnel 1.
        set srcintf "to_ali_tun1"
        set dstintf "port2"
        set action accept
        set srcaddr "Remote_10.0.0.0/16"
        set dstaddr "Local_192.168.0.0/16"
        set schedule "always"
        set service "ALL"
    next
    edit 102
        set name "forti_to_alibabacloud2"    # Traffic allowed from the FortiGate firewall to Alibaba Cloud over Tunnel 2.
        set srcintf "port2"
        set dstintf "to_ali_tun2"
        set action accept
        set srcaddr "Local_192.168.0.0/16"
        set dstaddr "Remote_10.0.0.0/16"
        set schedule "always"
        set service "ALL"
    next
    edit 103
        set name "aliyun_to_forti2"          # Traffic allowed from Alibaba Cloud to the FortiGate firewall over Tunnel 2.
        set srcintf "to_ali_tun2"
        set dstintf "port2"
        set action accept
        set srcaddr "Remote_10.0.0.0/16"
        set dstaddr "Local_192.168.0.0/16"
        set schedule "always"
        set service "ALL"
    next
end
Configure BGP IP addresses for tunnel interfaces.
config system interface
    edit "to_ali_tun1"
        set ip 169.254.10.2 255.255.255.255           # BGP IP address of the Tunnel 1 interface.
        set remote-ip 169.254.10.1 255.255.255.255    # Remote BGP IP address for Tunnel 1.
    next
    edit "to_ali_tun2"
        set ip 169.254.20.2 255.255.255.255           # BGP IP address of the Tunnel 2 interface.
        set remote-ip 169.254.20.1 255.255.255.255    # Remote BGP IP address for Tunnel 2.
    next
end
Configure BGP dynamic routing.
config router bgp
    set as 65500
    set router-id 122.XX.XX.248
    config neighbor
        edit "169.254.10.1"          # BGP peer for Tunnel 1.
            set remote-as 65535
        next
        edit "169.254.20.1"          # BGP peer for Tunnel 2.
            set remote-as 65535
        next
    end
    config network
        edit 100
            set prefix 192.168.0.0 255.255.0.0    # CIDR block in the data center that needs to communicate with the VPC.
        next
    end
    config redistribute connected    # Redistribute the routes of directly connected interfaces into BGP.
        set status enable
    end
end
Verify the connection
After completing the configuration, verify that the IPsec-VPN connection is established successfully.
Check the IPsec tunnel status on the FortiGate firewall:
diagnose vpn ike gateway list
diagnose vpn tunnel list
The tunnel status should show as up. If the status shows as down, check the following: verify that the pre-shared key matches on both sides, confirm that the IKE and IPsec parameters are identical, and ensure that firewall rules allow UDP ports 500 and 4500. On FortiOS 7.2 and later, the default local-in policy may block IKE negotiation traffic. If the tunnels fail to establish, check whether a local-in policy explicitly allows UDP ports 500 and 4500 on the WAN interface (port1).
Test network connectivity by pinging from your data center server to an ECS instance in the VPC:
ping 10.0.10.247
Replace 10.0.10.247 with the actual IP address of your ECS instance. You can also test from the ECS instance to your data center server (192.168.10.211).
Verify that your applications can communicate through the VPN tunnel. Test any specific services or applications that need to work across the VPN connection.
For production environments, also verify that the secondary tunnel (Tunnel 2) is properly configured and can take over if the primary tunnel fails.
Appendix: Single-tunnel mode configuration
If you don't require high availability and want to use a simpler configuration, you can establish an IPsec-VPN connection using single-tunnel mode. This mode uses only one tunnel instead of the dual-tunnel configuration described earlier.
Single-tunnel mode provides basic VPN connectivity but does not offer automatic failover. Use this configuration only for non-production environments or scenarios where high availability is not required.