Transit Connection to FortiGate over the internet.

1.From the Controller go to Transit Network -> Setup -> Launch a Transit VPC GW.

image1
2.Connect the transit VPC GW to FortiGate. Go to Transit Network -> Setup -> Connect to VGW/External Device. Select External Device and input the following parameters.
  1. BGP Local AS number: ASN of the transit VPC GW
  2. BGP Remote AS number: ASN of the Fortinet Fortigate
  3. Remote Gateway IP Address: Fortinet Fortigate external interface’s public IP

image2

3.Download the configuration by going to Site2Cloud -> Click on the Connection.

Select generic. Download Configuration and configure on the remote firewall accordingly.

image3

The following is a sample configuration based on the site2cloud configuration above. image4

4.Login into FortiGate and configure it as the following.

4.a In the VPN menu, select IPsec Tunnels

4.b click + Create New, select custom

Populate the fields according to your preferences.

VPN Setup

Field Expected Value
Name Any name
Template Type Custom

image5

Network

Field Expected Value
IP Version IPv4
Remote Gateway Static IP Address
IP Address Public IP address of Aviatrix Gateway
Interface Select the external port/interface
Local Gateway Disabled
Mode Config Unchecked
NAT Traversal Recommended: Enable
Keepalive Frequency Any value
Dead Peer Detection On Demand

image6

Authentication

Field Expected Value
Method Pre-shared Key
Pre-shared Key Enter the value from the downloaded configuration in step3
IKE Version 1
IKE Mode Main (ID protection)

image7

Phase 1 Proposal

Important

The following values from the Aviatrix Site2Cloud configuration are needed below:

  1. In the Aviatrix Controller, click on site2cloud connection.
  2. Click on the 3 dashed lines next to Connect Detail

image8

Field Expected Value
Encryption Match value from the config file downloaded at step3
Authentication Match value from the config file downloaded at step3
Diffie-Hellman Group Match value from the config file downloaded at step3
Key Lifetime (seconds) 28800
Local ID  

image9

XAUTH

Field Expected Value
Type Disabled

image10

Phase 2 Selectors

New Phase 2

Field Expected Value
Name Any string value
Comments Any string value
Local Address 0.0.0.0/0
Remote Address 0.0.0.0/0

image11

Advanced

Important

The following values from the Aviatrix Site2Cloud configuration are needed below:

  1. In the Aviatrix Controller, select the Site2Cloud configuration.
  2. Click on the 3 dashed lines next to Connect Detail

image12

Field Expected Value
Encryption Match value from the config file downloaded at step3
Authentication Match value from the config file downloaded at step3
Diffie-Hellman Group Match value from the config file downloaded at step3
Key Lifetime Seconds
Seconds 28800

image13

  1. Click OK

4.d Click -> Network -> Interfaces. Click on the Tunnel created above (e.g. aviatrix-gatew)-> assign the IP address from the configuration file downloaded at step 3

image14

4.e Configure IPv4 Policy

In Policy & Objects, select IPv4 Policy. Create 2 new IPv4 policies:

  • Outbound traffic

    image15

  • Inbound traffic

    image16

Note

The reference to port2 in the screenshots should be replaced with your own interface name that represents the internal facing interface.

Note

Be sure to select accept for action and select all for service

4.f Bring Up IPSec Monitor

In Monitor > IPSec Monitor, select the Aviatrix tunnel, and click Bring Up.

The tunnel status should change to up as shown below

image18

5.Configure BGP:

Click -> Network -> BGP Configure as below:

RouterID : Tunnel IP address taken from the configuration file downloaded at step3

Neighbors: Remote tunnel IP address and ASN

Networks: All the networks needs to be advertised via BGP (here 10.0.3.0 is the local network of FortiGate)

image21

6.Go to Transit Network -> Advanced Config on the Controller and Click on Diagnostics and select the GW name from the dropdown list and select Show Ip bgp Command from the predefined Show list to verify the BGP Routes.

image19

image20