CenturyLink Cloud VPN with Fortigate firewall

After writing the AWS VPN via VPC to Fortigate firewall blog post, a friend asked if I could do the same for setting up a site-to-site VPN with CenturyLink Cloud.

I agreed!

One warning – the VPN can only be built between RFC 1918 (private) address ranges. If you have a mixed network like I have in my lab, the tunnel can only carry traffic between those private addresses.

Let’s start with the Fortigate! The configuration and screenshots are from FortiOS 5.4 on a Fortigate 200D and I’m using port13 as my uplink port.

Just as when we created the VPN to AWS (see that post), we need to create the phase1 and phase2 interfaces and the tunnel interface:

config vpn ipsec phase1-interface
    edit "to-CTL"
        set interface "port13"
        set keylife 28800
        set proposal aes256-sha256
        set dhgrp 5
        set nattraversal disable
        set remote-gw 64.94.XX.XX
        set psksecret S3kR3tZ
    next
end
config vpn ipsec phase2-interface
    edit "to-CTL"
        set phase1name "to-CTL"
        set proposal aes192-sha1
        set dhgrp 5
        set src-addr-type ip
        set keylifeseconds 3600
        set src-start-ip 64.244.XX.XX
        set dst-subnet
    next
end
config system interface
    edit "to-CTL"
        set vdom "root"
        set type tunnel
        set interface "port13" # probably WAN1
    next
end

If you run the IKE diagnostics at this point, before any firewall policy references the tunnel, you'd see an error like the following:

ike 0: comes 64.94.XX.XX:500->64.244.XX.XX:500,ifindex=22....
ike 0: IKEv1 exchange=Identity Protection id=b83bc5788a2fb9e3/0000000000000000 len=148
ike 0: in B83BC5788A2FB9E300000000000000000110020000000000000000940D00004400000001000000010000003801010801B83BC5788A2FB9E3000000280001000080010007800E01008004000580020004800B0001000C000400007080800300010D000014AFCAD71368A1F1C96B8696FC7757010000000020699369228741C6D4CA094C93E242C9DE19E7B7C60000000500000500
ike 0:b83bc5788a2fb9e3/0000000000000000:0: responder: main mode get 1st message...
ike 0:b83bc5788a2fb9e3/0000000000000000:0: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:b83bc5788a2fb9e3/0000000000000000:0: VID unknown (28): 699369228741C6D4CA094C93E242C9DE19E7B7C60000000500000500
ike 0:to-CTL: ignoring IKE request, no policy configured
ike 0:b83bc5788a2fb9e3/0000000000000000:0: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:b83bc5788a2fb9e3/0000000000000000:0: no SA proposal chosen

All that is telling us is that the CenturyLink side is trying to bring up the IPsec connection to our Fortigate, but because no firewall policy references the tunnel interface yet, the Fortigate ignores the request and the negotiation never completes.

Adding the policies is straightforward via the GUI or the CLI (below is a command-line example):

config firewall policy
    edit 192
        set srcintf "to-CTL"
        set dstintf "VLAN_0041"
        set srcaddr "ctl-"
        set dstaddr "internal"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 193
        set srcintf "VLAN_0041"
        set dstintf "to-CTL"
        set srcaddr "internal"
        set dstaddr "ctl-"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
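Since the "no policy configured" failure above is purely a configuration gap, it can be caught in a config review before the peer ever tries to connect. The following is an added example of mine, not Fortinet tooling or the post's own config: it parses a FortiOS CLI dump and lists every phase1 tunnel that no firewall policy uses as srcintf or dstintf. The tunnel name "to-LAB2" and the sample config are constructed for the example.

```python
"""Lint a FortiOS dump for IPsec tunnels that no firewall policy references."""
import shlex
def parse_fortios(text):
    # Map 'config' section -> 'edit' name -> {set key: [values]}.
    sections, stack, entry = {}, [], None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # drops '# ...' CLI comments
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
            sections.setdefault(stack[-1], {})
        elif tok[0] == "edit":
            entry = sections[stack[-1]].setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            stack.pop()
    return sections

def tunnels_without_policy(config_text):
    """Phase1 names in no policy's srcintf/dstintf: the 'no policy configured' state."""
    cfg = parse_fortios(config_text)
    tunnels = set(cfg.get("vpn ipsec phase1-interface", {}))
    used = set()
    for policy in cfg.get("firewall policy", {}).values():
        used.update(policy.get("srcintf", []) + policy.get("dstintf", []))
    return sorted(tunnels - used)

# Constructed sample: "to-CTL" is referenced by policy 192, "to-LAB2" by nothing.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-CTL"
        set interface "port13" # probably WAN1
    next
    edit "to-LAB2"
    next
end
config firewall policy
    edit 192
        set srcintf "to-CTL"
        set dstintf "VLAN_0041"
    next
end
"""
for name in tunnels_without_policy(SAMPLE_CONFIG):
    print(f"{name}: no firewall policy references this tunnel interface")
```

Feed it the output of `show full-configuration` from the firewall instead of SAMPLE_CONFIG to check a live box.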

If you look at the GUI configuration for the VPN tunnel it will look something like this:


The CenturyLink side configuration from within their web-based GUI console:


And the result:


And the ping results:

mx:~ % ping -c 5
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=52 time=14.663 ms
64 bytes from icmp_seq=1 ttl=52 time=14.769 ms
64 bytes from icmp_seq=2 ttl=52 time=14.705 ms
64 bytes from icmp_seq=3 ttl=52 time=14.695 ms
64 bytes from icmp_seq=4 ttl=52 time=14.621 ms

--- ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 14.621/14.691/14.769/0.049 ms
