AWS or GCP IPSec Tunnels with BGP routing on a FortiGate software version 6.x

To use BGP routing on an AWS or GCP VPN connection, the tunnel interface needs to have its IP address assigned as a /32 and then the remote IP specified:

config system interface
    edit "GCP"
        set vdom "root"
        set ip 169.254.0.2 255.255.255.255
        set type tunnel
        set remote-ip 169.254.0.1 255.255.255.255
        set interface "wan1"
    next
end

BGP can be configured in the GUI under Network -> BGP in most cases, but the CLI exposes additional options. Here's an example config for a local AS of 65000 peering with 169.254.0.1 (ASN 64512) and announcing the 192.168.1.0/24 prefix.

config router bgp
    set as 65000
    set router-id 192.168.1.254
    set keepalive-timer 10
    set holdtime-timer 30
    set scan-time 15
    config neighbor
        edit "169.254.0.1"
            set remote-as 64512
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end

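As an added example (not code from the original post or from Fortinet), the following Python parses the two CLI blocks above and checks that the tunnel interface is a /32 whose remote-ip is the configured BGP neighbor, and that every announced prefix falls inside an allow-list, so a stray network statement does not leak routes to the cloud peer. The sample config and the allow-list are constructed for the example.

```python
import ipaddress
import shlex
# Constructed sample: the post's two snippets joined, with the closing "end".
SAMPLE = """\
config system interface
    edit "GCP"
        set ip 169.254.0.2 255.255.255.255
        set remote-ip 169.254.0.1 255.255.255.255
    next
end
config router bgp
    config neighbor
        edit "169.254.0.1"
            set remote-as 64512
        next
    end
    config network
        edit 1
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end
"""

def parse(text):  # nest config/edit blocks as dicts; each set -> list of values
    stack = [{}]
    for parts in filter(None, map(shlex.split, text.splitlines())):
        if parts[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = parts[2:]
        elif parts[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def check_tunnel_bgp(cfg, iface, allowed_prefixes):  # [] means the config matches
    out, intf, bgp = [], cfg["system interface"][iface], cfg["router bgp"]
    if intf["ip"][1] != "255.255.255.255":  # tunnel IP must be a /32
        out.append(f"{iface}: tunnel IP is not a /32")
    remote = intf.get("remote-ip", [None])[0]
    if remote is None:
        out.append(f"{iface}: remote-ip not set")
    elif remote not in bgp.get("neighbor", {}):  # peer must be the remote-ip
        out.append(f"{iface}: no BGP neighbor for remote-ip {remote}")
    allowed = [ipaddress.ip_network(a) for a in allowed_prefixes]
    for n in bgp.get("network", {}).values():  # announce only intended prefixes
        net = ipaddress.ip_network("{}/{}".format(*n["prefix"]), strict=False)
        if not any(net.subnet_of(a) for a in allowed):
            out.append(f"announces {net}, outside the allowed prefixes")
    return out
```

Run it against `show system interface` and `show router bgp` output saved from the firewall; the allow-list should hold only the on-premises prefixes you intend the cloud side to learn.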
Popular ASNs

  • 174 – Cogent
  • 209 – CenturyLink (formerly Qwest)
  • 701 – Verizon (formerly MCI / Worldcom / UUNet)
  • 812 – Rogers
  • 852 – Telus
  • 1239 – Sprint
  • 2828 – XO Communications
  • 2914 – NTT
  • 3356 – Level 3
  • 3549 – Level 3 (formerly Global Crossing)
  • 3561 – Savvis
  • 6939 – Hurricane Electric
  • 7018 – AT&T
  • 8075 – Microsoft
  • 12182 – InterNap
  • 16467 – NextWeb
  • 17111 – Covad
  • 22773 – Cox