Friday, October 14, 2016

GoogleCloudCompute VPN to fortgate

In this post I will show you how to craft a vpn for  a Fortigate to Google Cloud Compute Platform

The process is straight forward;

1: you need to select a Google ipv4 static address for the vpn-peers, This is the  public-address that you will use and defined for the remote-gate on the fortigate

2: define ikev2 ( you can use ikev1 )

3: define a shared PreSharedKey ( watch for any  typos and the psk key lengths   12-20 characters is good , try to avoid whitespaces or *!# )

4: define the local and remote subnets ( or use the in the quick selectors )

Once you have done all of the above, you  can configure the  fortigate unit;

Phase1-interface cfg
( take note of my  single proposal & dhgrp14 )

FGT100D (root) # show vpn  ipsec phase1-interface 
config vpn ipsec phase1-interface
    edit "GCP"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha1
        set dhgrp 14
        set remote-gw
        set psksecret  mysecrethereissogood


Phase2-interface cfg
( take note of my  single proposal & dhgrp14 , and pfs is enabled by default )

FGT100D (mycust1) # show vpn  ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "GCP1"
        set phase1name "GCP"
        set proposal aes256-sha1
        set dhgrp 14
        set auto-negotiate enable


Notice I'm using  a quad 0s for the src/dst-subnets aka in the above example

Here's a few screenshots of a typical  GCP vpn configurations. It's so easy a caveman can do it !

The last piece you need are routes-and- firewall policies on both ends 



config router static
   edit 1999
        set dst
        set device "GCP"
        set comment " my tunnel to GCP platform"


  1. use ikev2 for IKSAMP
  2. ensure dh-grp 14 only
  3. set propsoal for aes256-sha1
  4. set pfs enable
  5. ensure you know what interfaces you have in-use at Google Compute

For diagnostic, use the GCP  log view and with the filter for Look for the obvious problems or errors.

 PSK mis-match
 no acceptable-proposals between peers
 no acceptable  SA src/dst-subnets ( if you specify src/dst-subnets and not 0.0.0./0 ...THEY HAVE TO MATCH )

 be very very very careful of route priority if you use as the proxy-id selectors set the priority   for traffic you want to go over the tunnel

A bad PSK match

A good up and working VPN  GCP  will look like the following and with a green-icon "check" mark.

!!!!!!!!!!!!!!! ADVANCE  BGP over IPSEC   for layer3 network routing  !!!!!!

You can also run BGP over the ipsec-tunnel  for routing information to be shared.  This is the same method that  AWS uses btw and the fortigate is way much easier to configure for this approach versus other firewall vendors.

This steps are broken-down  as the following;

1: define a cloud base router instance-name

2: select a private ASN for GOOGLE and your Fortigate  (e.g ASN 65001 )

3: use a link-local ipv4 address for the Google  and Fortigate End Points ( APIPA )

4:  configure the  fortigate using the private-AS for the local and remote-as peer

5: monitor the vpn and bgp outputs


google cloud platform  BGP config

FGT-2-GCP configurations

The fortigate BGP configuration will require you to  assign a ipv4 address on the ipsec-tunnel interface directly &  with the local-remote address of the Google cloud router instance

Now you can use any  of the FortIOS  get  commands to get bgp information. Just remember the ipsec-vpn must be up before the BGP can go established and peering relations started

For Example;

FGT100D (root) # get router  info bgp summary 
BGP router identifier, local AS number 65102
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd     4      65100      12      12        0    0    0 00:03:07        1

Total number of neighbors 1


FGT100D (root) # get router  info bgp network
BGP table version is 1, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>            100             0 65100 ?

Total number of prefixes 1

 ( other useful get-commands )

get router  info bgp neighbors

get router info routing bgp


Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=

        /  \

1 comment:

  1. DreamHost is ultimately the best website hosting provider for any hosting plans you require.