Transit Connection to FortiGate over the Internet
1. From the Controller, go to Transit Network -> Setup -> Launch a Transit VPC GW.
2. Connect the Transit VPC GW to the FortiGate. Go to Transit Network -> Setup -> Connect to VGW/External Device. Select External Device and enter the following parameters:
   BGP Local AS Number:         ASN of the Transit VPC GW
   BGP Remote AS Number:        ASN of the Fortinet FortiGate
   Remote Gateway IP Address:   Public IP of the FortiGate's external interface
3. Download the configuration: go to Site2Cloud and click on the connection. Select Generic as the vendor, click Download Configuration, and configure the remote firewall accordingly. The rest of this page is a sample FortiGate configuration based on that Site2Cloud configuration.
4. Log in to the FortiGate and configure it as follows.
4.a In the VPN menu, select IPsec Tunnels.
4.b Click + Create New and select Custom.
Populate the fields as described in the tables below.
VPN Setup
   Field            Expected Value
   Name             Any name
   Template Type    Custom
Network
   Field                   Expected Value
   IP Version              IPv4
   Remote Gateway          Static IP Address
   IP Address              Public IP address of the Aviatrix Gateway
   Interface               Select the external port/interface
   Local Gateway           Disabled
   Mode Config             Unchecked
   NAT Traversal           Recommended: Enable
   Keepalive Frequency     Any value
   Dead Peer Detection     On Demand
Authentication
   Field            Expected Value
   Method           Pre-shared Key
   Pre-shared Key   Enter the value from the configuration downloaded in step 3
   IKE Version      1
   IKE Mode         Main (ID protection)
Phase 1 Proposal
Important: the Encryption, Authentication and Diffie-Hellman Group values must match the Aviatrix Site2Cloud configuration. To view them in the Aviatrix Controller, click on the Site2Cloud connection, then click on the three dashed lines next to Connect Detail.
   Field                     Expected Value
   Encryption                Match the value from the config file downloaded in step 3
   Authentication            Match the value from the config file downloaded in step 3
   Diffie-Hellman Group      Match the value from the config file downloaded in step 3
   Key Lifetime (seconds)    28800
   Local ID
XAUTH
   Field    Expected Value
   Type     Disabled
Phase 2 Selectors
New Phase 2
   Field            Expected Value
   Name             Any string value
   Comments         Any string value
   Local Address    0.0.0.0/0
   Remote Address   0.0.0.0/0
Advanced
Important: the Phase 2 Encryption, Authentication and Diffie-Hellman Group values must also match the Aviatrix Site2Cloud configuration. In the Aviatrix Controller, select the Site2Cloud configuration, then click on the three dashed lines next to Connect Detail to view them.
   Field                   Expected Value
   Encryption              Match the value from the config file downloaded in step 3
   Authentication          Match the value from the config file downloaded in step 3
   Diffie-Hellman Group    Match the value from the config file downloaded in step 3
   Key Lifetime            Seconds
   Seconds                 28800
Click OK
4.d Go to Network -> Interfaces. Click on the tunnel interface created above (e.g. aviatrix-gatew) and assign it the IP address from the configuration file downloaded in step 3.
4.e Configure IPv4 Policy
In Policy & Objects, select IPv4 Policy and create two new IPv4 policies, one for each direction of traffic between the internal-facing interface and the tunnel interface.
Note: where port2 appears in the examples, substitute the name of your own internal-facing interface.
Note: be sure to select ACCEPT for Action and ALL for Service.
4.f Bring up the tunnel from the IPsec Monitor.
5. Configure BGP on the FortiGate, peering with the Transit VPC GW over the tunnel addresses from the configuration downloaded in step 3.
6. On the Controller, go to Transit Network -> Advanced Config, click Diagnostics, select the gateway name from the dropdown list, and choose the Show Ip bgp command from the predefined Show list to verify the BGP routes.
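Steps 4 and 5 above, expressed as the equivalent FortiOS CLI configuration. This is an added example, not a sample from the Aviatrix or Fortinet documentation. The tunnel name (aviatrix-gw), the interface names (port1 external, port2 internal), the proposal and DH group, the public and tunnel IP addresses, the ASNs, the advertised prefix and the PSK placeholder are all assumptions and must be replaced with the values from the configuration file downloaded in step 3.

```fortios
# Added example (not Aviatrix's or Fortinet's own config). Every value marked
# ASSUMED is a placeholder; take the real ones from the step 3 download.

# Phase 1: IKEv1, main mode, pre-shared key, NAT-T, DPD on demand.
# ASSUMED: tunnel name aviatrix-gw, WAN port1, aes256-sha256 / DH 14,
# Aviatrix gateway public IP 203.0.113.10.
config vpn ipsec phase1-interface
    edit "aviatrix-gw"
        set interface "port1"
        set ike-version 1
        set mode main
        set keylife 28800
        set peertype any
        set nattraversal enable
        set keepalive 10
        set dpd on-demand
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret "REPLACE-WITH-PSK-FROM-STEP-3"
    next
end

# Phase 2: 0.0.0.0/0 <-> 0.0.0.0/0 selectors. The tunnel is route-based, so
# BGP, not the selectors, decides which prefixes are reachable.
config vpn ipsec phase2-interface
    edit "aviatrix-gw-p2"
        set phase1name "aviatrix-gw"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 28800
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Step 4.d: tunnel interface addressing. ASSUMED: local 169.254.101.2,
# remote (Aviatrix side) 169.254.101.1 in a /30.
config system interface
    edit "aviatrix-gw"
        set ip 169.254.101.2 255.255.255.255
        set remote-ip 169.254.101.1 255.255.255.252
    next
end

# Step 4.e: one policy per direction between the internal interface (ASSUMED
# port2) and the tunnel. "ALL" mirrors the page's note; tighten the service
# list once the tunnel and BGP are confirmed working.
config firewall policy
    edit 0
        set name "lan-to-aviatrix"
        set srcintf "port2"
        set dstintf "aviatrix-gw"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "aviatrix-to-lan"
        set srcintf "aviatrix-gw"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Step 5: eBGP to the Transit VPC GW over the tunnel addresses.
# ASSUMED: FortiGate ASN 65002 (BGP Remote AS in step 2), Transit GW ASN 65001
# (BGP Local AS in step 2), on-prem prefix 10.20.0.0/16 to advertise.
config router bgp
    set as 65002
    set router-id 169.254.101.2
    config neighbor
        edit "169.254.101.1"
            set remote-as 65001
        next
    end
    config network
        edit 1
            set prefix 10.20.0.0 255.255.0.0
        next
    end
end
```

After pasting, check the FortiGate side with `diagnose vpn ike gateway list` (Phase 1 established), `get router info bgp summary` (neighbor state Established, prefixes received) and `get router info routing-table bgp` (routes learned from the transit gateway), then confirm the same session from the Controller with step 6. The PSK in `psksecret` is the only thing authenticating the peer in this IKEv1 main-mode setup, so treat the downloaded configuration file as a secret and do not store it in version control.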