Fortigate VPN to AWS - AWS019

Posted on Wed 22 May 2019 in quiz


You created your first website, which uses only one web server in AWS. The site is a hosted service for your client. To let them reach this server, you created a VPN gateway in your VPC, and your client told you they configured their Fortigate to connect to that VPN gateway.
However, your client still cannot connect to your server.

In this quiz, you can assume the AWS configuration is correct. I used a Fortigate on AWS to emulate the scenario, but you should be able to apply the same technique to an on-premises Fortigate.

Spot the misconfiguration on Fortigate.


[Fortigate] BGP (screenshot: fg-bgp)

[Fortigate] Interfaces (screenshot: fg-interfaces)

[Fortigate] VPN Interfaces (screenshot: fg-interfaces-vpn)

[Fortigate] Security Policies (screenshot: fg-security-policies)

[Fortigate] VPN (screenshot: fg-vpn)

[Fortigate] Routing Monitor (screenshot: fg-routingmonitor)

[Fortigate] IPSec Monitor (screenshot: fg-ipsecmonitor)


Downloads: Terraform configuration file, Terraform output


Answer
NAT is configured in the security policies.

Usually NAT (specifically, IP masquerading) is used for internet access.
In this case I don't need NAT, because both subnets (10.0.0.0/24 and 172.16.1.0/24) are routable.
However, you still need NAT in rare cases such as:
    - connecting subnets that overlap, e.g. 10.0.0.0/24 is used both on-premises and on AWS.
In that case, refer to the Fortigate cookbook "Site-to-site IPsec VPN with overlapping subnets".
In this quiz, I simply disable NAT in each policy:
(screenshot: answer-policies)

(screenshot: fortigate-trafficflow)
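For readers who want the fix as CLI rather than a screenshot, here is the misconfigured policy beside the corrected one in FortiOS CLI syntax. This is an added example, not configuration from the original post or from its Terraform files. The subnets are the two from the quiz; the interface names (`port1`, `aws-vpn`), the address-object names, and the assumption that 10.0.0.0/24 is the Fortigate's local side are mine.

```fortios
# Added example. Interface names (port1, aws-vpn), address-object names and
# which subnet is local are assumptions; the subnets come from the quiz.
# Lines starting with '#' are ignored by the FortiOS CLI.
config firewall address
    edit "LOCAL_10.0.0.0"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "AWS_172.16.1.0"
        set subnet 172.16.1.0 255.255.255.0
    next
end

# Misconfigured policy (the quiz answer). With NAT enabled, the Fortigate
# rewrites the 10.0.0.0/24 source address to the outgoing interface address
# before the packet enters the tunnel, so the AWS side does not receive
# traffic from the routable subnet it expects.
config firewall policy
    edit 1
        set name "local-to-aws"
        set srcintf "port1"
        set dstintf "aws-vpn"
        set srcaddr "LOCAL_10.0.0.0"
        set dstaddr "AWS_172.16.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Corrected policies: identical match criteria in both directions, NAT
# disabled so each side sees the other's real addresses.
config firewall policy
    edit 1
        set nat disable
    next
    edit 2
        set name "aws-to-local"
        set srcintf "aws-vpn"
        set dstintf "port1"
        set srcaddr "AWS_172.16.1.0"
        set dstaddr "LOCAL_10.0.0.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Check: 'disable' is the default, so plain 'show' omits it; use
#   show full-configuration firewall policy
# and confirm every policy on the tunnel interface reads 'set nat disable'.
```

Only the `set nat` line differs between the broken and working versions of policy 1; everything else about the tunnel (phase 1/2, BGP, routes) can be correct and traffic will still fail while source NAT is on.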