Fortigate VPN to AWS - AWS017

Posted on Wed 22 May 2019 in quiz


You have built your first website, which runs on a single web server in AWS. The site is a hosted service for your client. So that they can reach this server, you created a VPN gateway in your VPC, and your client told you they have configured their Fortigate to connect to that VPN gateway.
However, the client still cannot reach your server.

In this quiz, you can assume the AWS configuration is correct. I used a Fortigate on AWS to emulate the scenario, but you should be able to apply the same technique to an on-premises Fortigate.

Spot the misconfiguration on Fortigate.


[Fortigate] Address Object

fg-addrobj

[Fortigate] BGP

fg-bgp

[Fortigate] Interfaces

fg-interfaces

[Fortigate] VPN Interface 1

fg-interface-vpn1

[Fortigate] VPN Interface 2

fg-interface-vpn2

[Fortigate] Security Policies

fg-security-policies

[Fortigate] VPN

fg-vpn

[Fortigate] Routing Monitor

fg-routingmonitor

[Fortigate] IPSec Monitor

fg-ipsecmonitor


Downloads: Terraform configuration file, Terraform output


Answer
The local gateway is set to an IP address that does not exist on the Fortigate.

The local gateway must be an IP address that is actually configured on one of the Fortigate's interfaces. In this case the Fortigate sits behind NAT, so the public IP address that AWS sees as the customer gateway (the Elastic IP) is not assigned to the device itself; it belongs to the NAT. FortiOS can only source IKE traffic from an address it owns, so with a non-existent local gateway the tunnel never comes up, which is why the IPsec monitor shows nothing established even though the AWS side is correct.
If the Fortigate is not behind NAT, you can use the public IP address as the local gateway.
If the Fortigate is behind NAT, e.g. on AWS or on-premises behind a NAT device, use the IP address of the Fortigate's WAN interface (on AWS, the private address on port1) as the local gateway. AWS Site-to-Site VPN supports NAT traversal, so the private address works as long as NAT-T is enabled on the phase 1, which is the FortiOS default.
To fix this, change the local gateway as follows:
answer-vpn
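To make this check mechanical, here is an added example (not part of the original post, and not Fortinet's or AWS's code) that parses a FortiOS CLI configuration, flags any phase 1 whose local-gw is not an address held by the unit, and rewrites it to the address of the interface the tunnel is bound to. The configuration text, tunnel names and addresses in it are constructed for illustration (RFC 5737 ranges for the public side); real AWS-generated Fortigate configs use the same config/edit/set/next/end shape.

```python
"""Check FortiOS IPsec phase1 'local-gw' against addresses actually configured
on the unit. Added example, not from the original post; the config text below
is constructed and uses documentation addresses."""
import shlex

PHASE1 = "vpn ipsec phase1-interface"
IFACE = "system interface"

# Constructed sample in the shape of AWS's downloadable Fortigate config.
# 203.0.113.10 is the Elastic IP on the NAT side; port1 itself holds 10.0.0.10.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.0.10 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "vpn-aws-1"
        set vdom "root"
        set ip 169.254.10.2 255.255.255.255
        set remote-ip 169.254.10.1 255.255.255.252
        set interface "port1"
    next
end
config vpn ipsec phase1-interface
    edit "vpn-aws-1"
        set interface "port1"
        set local-gw 203.0.113.10
        set keylife 28800
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 198.51.100.1
        set psksecret ENC REDACTED
    next
    edit "vpn-aws-2"
        set interface "port1"
        set local-gw 203.0.113.10
        set remote-gw 198.51.100.2
        set psksecret ENC REDACTED
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI 'config/edit/set/next/end' text.

    Returns (tables, where): tables maps a config path to {entry: {key: [values]}};
    where maps (path, entry, key) to the 0-based line index of that 'set' line so a
    caller can rewrite one setting in place. Nested 'config' blocks are keyed as
    'parent-path/entry/child-path' so their keys cannot collide with the parent's.
    """
    tables, where, stack = {}, {}, []
    path = entry = None
    for idx, raw in enumerate(text.splitlines()):
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            stack.append((path, entry))
            path = " ".join(args) if path is None else f"{path}/{entry}/{' '.join(args)}"
            entry = None
            tables.setdefault(path, {})
        elif cmd == "edit":
            entry = args[0]
            tables[path].setdefault(entry, {})
        elif cmd == "set":
            tables[path].setdefault(entry, {})[args[0]] = args[1:]
            where[(path, entry, args[0])] = idx
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            path, entry = stack.pop()
    return tables, where


def check_local_gw(text):
    """Return one finding per phase1 whose local-gw is not an address on this unit.

    FortiOS can only source IKE from an address bound to one of its own interfaces;
    a public address that lives on a NAT device in front of the unit (an Elastic IP,
    a home router) is never valid here. An unset local-gw is fine: FortiOS then uses
    the bound interface's own address.
    """
    tables, _ = parse_fortios(text)
    owner = {}  # ip address -> interface name that holds it
    for name, attrs in tables.get(IFACE, {}).items():
        if attrs.get("ip"):
            owner[attrs["ip"][0]] = name
    findings = []
    for name, attrs in tables.get(PHASE1, {}).items():
        lgw = attrs.get("local-gw")
        if not lgw:
            continue
        bound = attrs.get("interface", [None])[0]
        bound_ip = tables.get(IFACE, {}).get(bound, {}).get("ip", [None])[0]
        if lgw[0] not in owner:
            problem = "local-gw is not assigned to any interface on this unit"
        elif owner[lgw[0]] != bound:
            problem = f"local-gw belongs to {owner[lgw[0]]}, not to the bound interface"
        else:
            continue
        findings.append({"tunnel": name, "local_gw": lgw[0], "interface": bound,
                         "interface_ip": bound_ip, "problem": problem})
    return findings


def fix_local_gw(text):
    """Rewrite each bad local-gw to the address of the tunnel's bound interface."""
    _, where = parse_fortios(text)
    lines = text.splitlines()
    for f in check_local_gw(text):
        if f["interface_ip"] is None:
            continue  # bound interface has no static address; nothing safe to write
        idx = where[(PHASE1, f["tunnel"], "local-gw")]
        indent = lines[idx][: len(lines[idx]) - len(lines[idx].lstrip())]
        lines[idx] = f"{indent}set local-gw {f['interface_ip']}"
    return "\n".join(lines)


if __name__ == "__main__":
    for f in check_local_gw(SAMPLE_CONFIG):
        print(f"{f['tunnel']}: {f['problem']} (local-gw {f['local_gw']}, "
              f"{f['interface']} holds {f['interface_ip']})")
    print(fix_local_gw(SAMPLE_CONFIG))
```

Run it against a `show vpn ipsec phase1-interface` plus `show system interface` dump from the unit: both AWS tunnels in the sample are flagged because 203.0.113.10 belongs to the NAT, and the rewritten config carries `set local-gw 10.0.0.10`, which is the port1 address, for both. The check deliberately leaves an unset local-gw alone and refuses to rewrite a tunnel whose bound interface has no static address (e.g. a DHCP WAN port), since in that case the right fix is to clear local-gw rather than pin an address.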

fortigate-trafficflow