This is the topology used to deploy this lab: a FortiGate-VM in an AWS VPC and a FortiGate on-prem, joined by a site-to-site IPsec tunnel.
![](https://tungle.ca/wp-content/uploads/2022/04/8-Topo-both-FG-1024x526.png)
+ Configure FortiGate on AWS.
Create a new VPC with the CIDR 10.0.0.0/16. Then create both the Lab Public subnet and the Lab Private subnet inside it.
![](https://tungle.ca/wp-content/uploads/2022/04/image-32-1024x297.png)
Create a new Internet gateway and attach to your VPC.
![](https://tungle.ca/wp-content/uploads/2022/04/image-33-1024x385.png)
Create route tables.
![](https://tungle.ca/wp-content/uploads/2022/04/image-34-1024x412.png)
Add a default route (0.0.0.0/0) to the Public route table that points at the Internet gateway.
![](https://tungle.ca/wp-content/uploads/2022/04/image-35-1024x314.png)
Associate the public subnet to the Public Route table.
![](https://tungle.ca/wp-content/uploads/2022/04/image-36-1024x521.png)
Go to EC2 and launch a new FortiGate instance; its primary interface goes in the Lab Public subnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-37-1024x583.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-38-1024x560.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-39-1024x471.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-40-1024x451.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-41-1024x561.png)
Create a new network interface (ENI) in the Lab Private subnet for the FortiGate.
![](https://tungle.ca/wp-content/uploads/2022/04/image-42.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-43.png)
Attach the interface to FortiGate.
![](https://tungle.ca/wp-content/uploads/2022/04/image-45.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-44-1024x509.png)
Disable "Source and destination check" on both the Public and Private FortiGate interfaces. The FortiGate forwards packets whose source or destination is not its own address, and AWS silently drops such packets on any ENI that still has the check enabled.
Allocate a new Elastic IP address for the FortiGate instance.
![](https://tungle.ca/wp-content/uploads/2022/04/image-46.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-47-1024x519.png)
Associate the Elastic IP address with the FortiGate's public interface.
![](https://tungle.ca/wp-content/uploads/2022/04/image-48.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-49-1024x541.png)
Access the FortiGate management interface over HTTPS on the Elastic IP (the initial admin password of a FortiGate-VM on AWS is the instance ID; change it at first login).
![](https://tungle.ca/wp-content/uploads/2022/04/image-50-1024x571.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-51-1024x372.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-52-1024x428.png)
Add a route on the Private route table that points at the FortiGate's private interface (ENI), so traffic from the private subnet toward the on-prem network is sent to the FortiGate rather than dropped.
![](https://tungle.ca/wp-content/uploads/2022/04/image-53-1024x282.png)
Launch a new Windows instance in the Lab Private subnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-54-1024x815.png)
Security group for the Windows instance.
![](https://tungle.ca/wp-content/uploads/2022/04/image-55-1024x678.png)
Modify Windows Security Group to allow ICMP traffic.
![](https://tungle.ca/wp-content/uploads/2022/04/image-65-1024x424.png)
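The AWS console steps above as one AWS CLI script. This is an added example, not the post's own procedure: the region, subnet ranges, on-prem addresses, admin address, AMI ID, key pair and instance type are placeholders you must replace, and the security group rules (IKE/NAT-T only from the on-prem peer, HTTPS management only from one admin address) are tighter than the lab needs strictly. It also adds a pre-flight check the console walk-through does not have: the VPC CIDR must not overlap the on-prem LAN, otherwise the static routes over the tunnel are ambiguous at both ends.

```shell
#!/bin/sh
# Added example (not from the original post): the console steps as AWS CLI.
set -eu

export AWS_DEFAULT_REGION=us-east-1   # assumption
VPC_CIDR=10.0.0.0/16                   # from the post
PUB_CIDR=10.0.1.0/24                   # assumed; the post does not give subnet sizes
PRIV_CIDR=10.0.2.0/24                  # assumed
ONPREM_LAN=192.168.1.0/24              # assumed LAN behind the on-prem FortiGate
ONPREM_WAN_IP=203.0.113.10             # assumed public IP of the on-prem FortiGate
ADMIN_IP=198.51.100.7                  # assumed address you manage the FortiGate from
FGT_AMI=ami-REPLACE_ME                 # FortiGate-VM AMI for your region
KEY_NAME=lab-key
FGT_TYPE=c5.large

# Dotted IPv4 -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when the two CIDRs share any address: compare both network
# addresses under the shorter of the two prefixes.
cidr_overlap() {
  local a b len mask
  a=$(ip2int "${1%/*}"); b=$(ip2int "${2%/*}")
  len=${1#*/}; [ "${2#*/}" -lt "$len" ] && len=${2#*/}
  mask=$(( len == 0 ? 0 : 4294967295 - ((1 << (32 - len)) - 1) ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

preflight() {
  if cidr_overlap "$VPC_CIDR" "$ONPREM_LAN"; then
    echo "VPC $VPC_CIDR overlaps on-prem LAN $ONPREM_LAN; pick disjoint ranges" >&2
    return 1
  fi
}

deploy_aws() {
  preflight
  VPC=$(aws ec2 create-vpc --cidr-block "$VPC_CIDR" --query Vpc.VpcId --output text)
  PUB=$(aws ec2 create-subnet --vpc-id "$VPC" --cidr-block "$PUB_CIDR" --query Subnet.SubnetId --output text)
  PRIV=$(aws ec2 create-subnet --vpc-id "$VPC" --cidr-block "$PRIV_CIDR" --query Subnet.SubnetId --output text)

  IGW=$(aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
  aws ec2 attach-internet-gateway --vpc-id "$VPC" --internet-gateway-id "$IGW"

  PUB_RT=$(aws ec2 create-route-table --vpc-id "$VPC" --query RouteTable.RouteTableId --output text)
  PRIV_RT=$(aws ec2 create-route-table --vpc-id "$VPC" --query RouteTable.RouteTableId --output text)
  aws ec2 create-route --route-table-id "$PUB_RT" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW"
  aws ec2 associate-route-table --route-table-id "$PUB_RT" --subnet-id "$PUB"
  aws ec2 associate-route-table --route-table-id "$PRIV_RT" --subnet-id "$PRIV"

  # Security group for the FortiGate ENIs: IKE and NAT-T from the on-prem peer only,
  # HTTPS management from the admin address only, anything from inside the VPC.
  SG=$(aws ec2 create-security-group --group-name fgt-sg --description "FortiGate" \
        --vpc-id "$VPC" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$SG" --protocol udp --port 500 --cidr "$ONPREM_WAN_IP/32"
  aws ec2 authorize-security-group-ingress --group-id "$SG" --protocol udp --port 4500 --cidr "$ONPREM_WAN_IP/32"
  aws ec2 authorize-security-group-ingress --group-id "$SG" --protocol tcp --port 443 --cidr "$ADMIN_IP/32"
  aws ec2 authorize-security-group-ingress --group-id "$SG" --protocol -1 --cidr "$VPC_CIDR"

  # FortiGate instance; its primary ENI (port1) lands in the public subnet
  FGT=$(aws ec2 run-instances --image-id "$FGT_AMI" --instance-type "$FGT_TYPE" --key-name "$KEY_NAME" \
        --subnet-id "$PUB" --security-group-ids "$SG" --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-running --instance-ids "$FGT"
  PORT1=$(aws ec2 describe-instances --instance-ids "$FGT" \
        --query 'Reservations[0].Instances[0].NetworkInterfaces[0].NetworkInterfaceId' --output text)

  # Second ENI (port2) in the private subnet
  PORT2=$(aws ec2 create-network-interface --subnet-id "$PRIV" --groups "$SG" \
        --query NetworkInterface.NetworkInterfaceId --output text)
  aws ec2 attach-network-interface --network-interface-id "$PORT2" --instance-id "$FGT" --device-index 1

  # The FortiGate forwards packets that are not addressed to its own ENIs; AWS drops
  # those unless source/destination checking is off on every forwarding interface.
  for eni in "$PORT1" "$PORT2"; do
    aws ec2 modify-network-interface-attribute --network-interface-id "$eni" --no-source-dest-check
  done

  EIP=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
  aws ec2 associate-address --allocation-id "$EIP" --network-interface-id "$PORT1"

  # Private subnet reaches the on-prem LAN through the FortiGate's private ENI
  aws ec2 create-route --route-table-id "$PRIV_RT" --destination-cidr-block "$ONPREM_LAN" \
        --network-interface-id "$PORT2"
  echo "FortiGate $FGT port1=$PORT1 port2=$PORT2 eip=$EIP"
}

# Nothing is created unless explicitly requested:  FGT_DEPLOY=1 sh deploy-fgt.sh
if [ "${FGT_DEPLOY:-0}" = 1 ]; then deploy_aws; fi
```

The same security group is attached to both ENIs, which is fine here because the private-side rule only admits the VPC range. The Windows instance's security group (next step) still needs its own ICMP rule, since the FortiGate's group does not apply to it.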
Configure the site-to-site VPN on the AWS FortiGate using the IPsec wizard, with the on-prem FortiGate's public IP as the remote gateway.
![](https://tungle.ca/wp-content/uploads/2022/04/image-56-1024x429.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-58-1024x324.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-59-1024x333.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-60-1024x524.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-61-1024x543.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-62-1024x302.png)
Two static routes for the on-prem subnet are created automatically by the wizard: one via the tunnel interface, and a blackhole route with a higher distance (254) that drops that traffic rather than sending it out the default route whenever the tunnel is down.
![](https://tungle.ca/wp-content/uploads/2022/04/image-63-1024x351.png)
+ Configure FortiGate on-prem.
![](https://tungle.ca/wp-content/uploads/2022/04/image-23.png)
Configure a default route on FortiGate.
![](https://tungle.ca/wp-content/uploads/2022/04/image-24.png)
Configure the site-to-site VPN between both FortiGates, using the AWS FortiGate's Elastic IP as the remote gateway on the on-prem side.
![](https://tungle.ca/wp-content/uploads/2022/04/image-25.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-27.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-28.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-29.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-30.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-31.png)
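Both wizard runs above (the AWS end and the on-prem end), expressed as one FortiOS CLI configuration that a shell function generates for either side and that you push over SSH. This is an added example, not the post's configuration: the tunnel names, interface names (port1/port2 on AWS, wan1/internal on-prem), addresses and the PSK are assumptions. It pins IKEv2 with AES-256/SHA-256 and DH group 14 instead of accepting the wizard's defaults, and writes the same pair of static routes the wizard produces, including the distance-254 blackhole route that keeps far-side traffic from leaking out the default route while the tunnel is down.

```shell
#!/bin/sh
# Added example (not from the original post): interface-based IPsec site-to-site
# configuration for FortiOS, generated for either end and pushed over SSH.
set -eu

# /16 -> 255.255.0.0 (FortiOS CLI takes dotted masks)
prefix2mask() {
  local m
  m=$(( $1 == 0 ? 0 : 4294967295 - ((1 << (32 - $1)) - 1) ))
  printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# Usage: fgt_vpn_config NAME WAN_IF LAN_IF PEER_IP LOCAL_CIDR REMOTE_CIDR PSK
fgt_vpn_config() {
  local name=$1 wan=$2 lan=$3 peer=$4 psk=$7
  local lnet=${5%/*} lmask rnet=${6%/*} rmask
  lmask=$(prefix2mask "${5#*/}"); rmask=$(prefix2mask "${6#*/}")
  cat <<EOF
config vpn ipsec phase1-interface
    edit "$name"
        set interface "$wan"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw $peer
        set psksecret "$psk"
    next
end
config vpn ipsec phase2-interface
    edit "$name"
        set phase1name "$name"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet $lnet $lmask
        set dst-subnet $rnet $rmask
    next
end
config router static
    edit 0
        set dst $rnet $rmask
        set device "$name"
    next
    edit 0
        set dst $rnet $rmask
        set blackhole enable
        set distance 254
    next
end
config firewall address
    edit "$name-local"
        set subnet $lnet $lmask
    next
    edit "$name-remote"
        set subnet $rnet $rmask
    next
end
config firewall policy
    edit 0
        set name "$name-out"
        set srcintf "$lan"
        set dstintf "$name"
        set srcaddr "$name-local"
        set dstaddr "$name-remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "$name-in"
        set srcintf "$name"
        set dstintf "$lan"
        set srcaddr "$name-remote"
        set dstaddr "$name-local"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
EOF
}

# Example use with assumed addresses: AWS end first, then on-prem with the roles swapped.
#   PSK=$(openssl rand -base64 32)
#   fgt_vpn_config to-onprem port1 port2 203.0.113.10 10.0.0.0/16 192.168.1.0/24 "$PSK" | ssh admin@<aws-eip>
#   fgt_vpn_config to-aws wan1 internal <aws-eip> 192.168.1.0/24 10.0.0.0/16 "$PSK" | ssh admin@<onprem-fgt>
```

The AWS FortiGate sits behind the Elastic IP's 1:1 NAT, so the tunnel comes up over NAT-T (UDP 4500); the on-prem side therefore points at the Elastic IP while the AWS side sees the on-prem public address directly. Generate the PSK once and pass the same value to both calls; a PSK containing double quotes would need escaping in the heredoc.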
+ Ping the Windows instance on AWS from a machine behind the on-prem FortiGate. Windows Firewall blocks inbound ICMP by default, so first RDP into the instance and allow echo requests; enabling the built-in "File and Printer Sharing (Echo Request - ICMPv4-In)" rule is enough and is narrower than turning the firewall off entirely.
![](https://tungle.ca/wp-content/uploads/2022/04/image-64.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-66.png)
The IPsec tunnel on the AWS FortiGate is up.
![](https://tungle.ca/wp-content/uploads/2022/04/image-67-1024x302.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-68.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-69-1024x549.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-70-1024x484.png)
Ping from the Windows instance on AWS to a computer on the on-prem FortiGate's LAN subnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-71.png)
The IPsec tunnel on the on-prem FortiGate is up.
![](https://tungle.ca/wp-content/uploads/2022/04/image-72.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-73.png)
+ Configure an SSL VPN portal on the FortiGate on AWS.
![](https://tungle.ca/wp-content/uploads/2022/04/image-74-1024x466.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-75-1024x460.png)