Connecting to a FortiGate peer
You can use IBM Cloud VPN for VPC to securely connect your VPC to an on-prem network through a VPN tunnel. This topic provides guidance about how to configure your FortiGate VPN gateway to connect to VPN for VPC.
These instructions are based on FortiGate 300C, Firmware Version v5.2.13, build762 (GA).
Read VPN gateway limitations before you continue to connect to your on-premises peer.
Connecting an IBM policy-based VPN to a FortiGate peer
Select VPN > IPsec Tunnels and create a new custom tunnel, or edit an existing tunnel.
When a FortiGate VPN receives a connection request from VPN for VPC, FortiGate uses IPsec Phase 1 parameters to establish a secure connection and authenticate VPN for VPC. Then, if the security policy permits the connection, the FortiGate VPN establishes the tunnel using IPsec Phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.
To support these functions, the following general configuration steps must be performed for the FortiGate VPN:
- Define the Phase 1 parameters that the FortiGate VPN requires to authenticate VPN for VPC and establish a secure connection.
- Define the Phase 2 parameters that the FortiGate VPN requires to create a VPN tunnel with VPN for VPC.
- Create security policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses.
An example configuration is as follows:
- Choose IKEv2 in authentication.
- Enable DH-group 19 in the Phase 1 proposal.
- Set lifetime = 36000 in the Phase 1 proposal.
- Disable PFS in the Phase 2 proposal.
- Set lifetime = 10800 in the Phase 2 proposal.
- Input your subnet's information in Phase 2.
- The remaining parameters keep their default values.
Connecting an IBM static, route-based VPN to a FortiGate peer
Here's an example of how to connect an IBM static, route-based VPN to a FortiGate peer.
- To configure a primary tunnel, select VPN > IPsec Tunnels and create a new custom template type tunnel, or edit an existing tunnel.
- To configure a peer IP of a primary tunnel, use the small public IP address of the IBM route-based VPN gateway as the remote gateway IP address. For more information about the small public IP, see this important notice.
- To configure an IKE proposal, use the same IKE version and proposals that are configured on the IBM side.
- To configure an IPsec proposal, use the same IPsec proposals that are configured on the IBM side.
Configuring a secondary tunnel
To configure a secondary tunnel, follow these steps:
- Repeat the preceding steps to create the secondary tunnel. Use the large public IP address of the IBM route-based VPN gateway as the remote gateway IP address.
- Create the primary route where the destination is your VPC subnet and the interface is the primary tunnel.
- To configure a secondary route, create the backup route where the destination is your VPC subnet, the interface is the secondary tunnel, and the administrative distance is greater than the one on the primary route.
- To verify the configuration, list all the routes and check them. Confirm that the route distance is set correctly on the primary and secondary routes, so that the primary tunnel's route is preferred and the secondary tunnel's route is used only as a backup.