The process is straightforward:
1: select a Google IPv4 static address for the VPN peer. This is the public address you will use and define as the remote gateway on the FortiGate.
2: define IKEv2 ( you can use IKEv1 )
3: define a shared pre-shared key ( watch for typos; a PSK length of 12-20 characters is good, and try to avoid whitespace or *!# )
4: define the local and remote subnets ( or use 0.0.0.0/0 in the quick selectors )
Once you have done all of the above, you can configure the FortiGate unit:
Phase1-interface cfg
( take note of my single proposal & dhgrp14 )
FGT100D (root) # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "GCP"
set interface "wan1"
set ike-version 2
set proposal aes256-sha1
set dhgrp 14
set remote-gw 130.211.107.192
set psksecret mysecrethereissogood
next
end
Phase2-interface cfg
( take note of my single proposal & dhgrp14 ; pfs is enabled by default )
FGT100D (mycust1) # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "GCP1"
set phase1name "GCP"
set proposal aes256-sha1
set dhgrp 14
set auto-negotiate enable
next
end
Notice I'm using quad zeros for the src/dst subnets, aka 0.0.0.0/0:0, in the above example ( nothing is set, so the phase2 defaults apply )
Here are a few screenshots of a typical GCP VPN configuration. It's so easy a caveman can do it!
The last pieces you need are routes and firewall policies on both ends:
( screenshot: Google Cloud routes and firewall rules )
FortiGate static route:
config router static
edit 1999
set dst 10.240.0.0 255.255.0.0
set device "GCP"
set comment " my tunnel to GCP platform"
next
end
tips:
- use IKEv2 for ISAKMP
- ensure dh-grp 14 only
- set the proposal to aes256-sha1
- set pfs enable
- ensure you know what interfaces you have in use at Google Compute
For diagnostics, use the GCP log viewer with the filter for ipsec.events. Look for the obvious problems or errors:
- PSK mis-match
- no acceptable proposals between peers
- no acceptable SA src/dst-subnets ( if you specify src/dst-subnets and not 0.0.0.0/0 ...THEY HAVE TO MATCH )
- be very very very careful of route priority if you use 0.0.0.0/0 as the proxy-id selectors; set the priority for the traffic you want to go over the tunnel
( screenshot: a bad PSK match )
A good, up-and-working GCP VPN will look like the following, with a green check-mark icon.
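The tips and the diagnostic list above boil down to a handful of peer parameters that must agree. As an added example that is not from the original post, this Python lint parses a FortiGate phase1/phase2 snippet (a constructed copy of the one above) and compares it with an assumed record of what was entered on the GCP side, reporting the mismatches that would otherwise show up in the ipsec.events log.

```python
# Constructed copy of the page's phase1/phase2 example, not a live device dump
FGT_CONFIG = """
config vpn ipsec phase1-interface
    edit "GCP"
        set ike-version 2
        set proposal aes256-sha1
        set dhgrp 14
        set psksecret mysecrethereissogood
    next
end
config vpn ipsec phase2-interface
    edit "GCP1"
        set proposal aes256-sha1
        set dhgrp 14
    next
end
"""
# Assumed record of what was entered on the GCP side in steps 1-4 above
GCP_SIDE = {"ike_version": "2", "psk": "mysecrethereissogood",
            "proposal": "aes256-sha1", "dhgrp": "14"}

def parse_fortigate(cfg):
    """Map each 'config vpn ipsec <section>' block to its 'set key value' pairs."""
    result, section = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("config vpn ipsec "):
            section = result.setdefault(line.split()[-1], {})
        elif line.startswith("set ") and section is not None:
            key, _, value = line[4:].partition(" ")
            section[key] = value.strip('"')
    return result

def lint(cfg, gcp):
    """Return the peer mismatches that surface as errors in the ipsec.events log."""
    fgt = parse_fortigate(cfg)
    p1, p2 = fgt.get("phase1-interface", {}), fgt.get("phase2-interface", {})
    findings = []
    if p1.get("ike-version") != gcp["ike_version"]:
        findings.append("IKE version mismatch")
    psk = p1.get("psksecret", "")
    if psk != gcp["psk"]:
        findings.append("PSK mis-match")
    if not 12 <= len(psk) <= 20 or set(psk) & set(" \t*!#"):
        findings.append("PSK outside 12-20 chars or contains whitespace/*!#")
    for phase, d in (("phase1", p1), ("phase2", p2)):
        if d.get("proposal") != gcp["proposal"]:
            findings.append(f"no acceptable proposal in {phase}")
        if d.get("dhgrp") != gcp["dhgrp"]:
            findings.append(f"DH group mismatch in {phase}")
    return findings
```

Run lint(FGT_CONFIG, GCP_SIDE) before bringing the tunnel up; an empty list means both sides agree on IKE version, PSK, proposal and DH group.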
!!!!!!!!!!!!!!! ADVANCED: BGP over IPSEC for layer 3 network routing !!!!!!
You can also run BGP over the IPsec tunnel so routing information is shared. This is the same method AWS uses, btw, and the FortiGate is much easier to configure for this approach than other firewall vendors' units.
The steps are broken down as follows:
1: define a cloud router instance name
2: select a private ASN for Google and for your FortiGate ( e.g. ASN 65001 )
3: use a link-local IPv4 address for the Google and FortiGate endpoints ( APIPA 169.254.0.0/16 )
4: configure the FortiGate using the private AS numbers for the local AS and the remote-as peer
5: monitor the VPN and BGP outputs
( screenshots: Google Cloud Platform BGP config; FGT-to-GCP configurations )
The FortiGate BGP configuration requires you to assign an IPv4 address directly on the IPsec tunnel interface, with the local and remote addresses matching those of the Google cloud router instance.
Now you can use any of the FortiOS get commands to get BGP information. Just remember the IPsec VPN must be up before BGP can reach Established and the peering relationship starts.
For example:
FGT100D (root) # get router info bgp summary
BGP router identifier 169.254.0.2, local AS number 65102
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
169.254.0.1 4 65100 12 12 0 0 0 00:03:07 1
Total number of neighbors 1
FGT100D (root) # get router info bgp network
BGP table version is 1, local router ID is 169.254.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 10.240.0.0/16 169.254.0.1 100 0 65100 ?
Total number of prefixes 1
( other useful get-commands )
get router info bgp neighbors
get router info routing bgp
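Step 5 is "monitor the VPN and BGP outputs". As an added example that is not from the original post, this Python snippet parses a constructed copy of the "get router info bgp summary" output above and runs the checks a practitioner wants after bringing the tunnel up: the cloud router peer is present, its ASN is the one planned, the session is Established and prefixes are actually being received. It assumes the usual convention in this style of output that the last column is a prefix count once the session is Established and a state name (Idle, Active, Connect, ...) otherwise.

```python
import re

# Constructed sample modelled on the page's "get router info bgp summary" output
BGP_SUMMARY = """\
BGP router identifier 169.254.0.2, local AS number 65102
BGP table version is 1
1 BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
169.254.0.1 4 65100 12 12 0 0 0 00:03:07 1

Total number of neighbors 1
"""

# One neighbor row: IP, then seven numeric columns, then Up/Down and State/PfxRcd
NEIGHBOR_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)" + r"\s+(\d+)" * 7 + r"\s+(\S+)\s+(\S+)$")

def parse_bgp_summary(text):
    """Return {neighbor_ip: {"as", "up_down", "state", "prefixes"}} from the summary.
    Assumed convention: the last column is a prefix count when Established,
    otherwise it is the state name."""
    neighbors = {}
    for line in text.splitlines():
        m = NEIGHBOR_ROW.match(line.strip())
        if not m:
            continue
        last = m.group(10)
        neighbors[m.group(1)] = {
            "as": int(m.group(3)), "up_down": m.group(9),
            "state": "Established" if last.isdigit() else last,
            "prefixes": int(last) if last.isdigit() else None,
        }
    return neighbors

def check_peer(summary, expected_ip, expected_as):
    """Checklist for step 5: peer present, ASN as planned, Established, prefixes learned."""
    n = parse_bgp_summary(summary).get(expected_ip)
    if n is None:
        return ["cloud router peer not present in the summary"]
    problems = []
    if n["as"] != expected_as:
        problems.append(f"remote AS is {n['as']}, expected {expected_as}")
    if n["state"] != "Established":
        problems.append(f"session is {n['state']}, check the ipsec tunnel first")
    elif n["prefixes"] == 0:
        problems.append("established but no prefixes received from GCP")
    return problems
```

Feed it the real CLI output (for instance from an SSH session) and alert on any non-empty list; a state of Active or Idle together with a down tunnel points back at the IPsec checks earlier on the page.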
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o