So when we started with the 'wire up your corporate network' to aws we were introduced to the transitive vpc.

The automagic aws solution includes CSR's and lambda goodness, much of which was a little too much to grasp and pay for at the time.

Being a little (too) cost averse and still learning the ropes, we started building a strongswan+quagga solution. I'll document that one at a later stage.

The one we opted for though, was a Fortigate (we are a Fortigate shop) based solution that ties in with the cloudformation bits we do for the vpcs.

Refering back to the same picture (draw.io use it!) in the multi account post.

We will focus on the cgw, vpc and Fortigate config in the bits below.

Ansible group_vars

So in an attempt to take the complexity out of vpc creations we ended up with something like this

---
acls:
  - { name: Inbound, rule: 100, outgoing: false, cidr: 0.0.0.0/0 }
  - { name: Outbound, rule: 100, outgoing: true, cidr: 0.0.0.0/0 }
pub_sec_group:
  name: PublicSecurityGroup
  incoming:
    - { port: 22, cidr: 1.1.1.1/32 }
    - { port: 80, cidr: 0.0.0.0/0 }
    - { port: 443, cidr: 0.0.0.0/0 }
  outgoing:
    - { port: 80, cidr: 0.0.0.0/0 }
    - { port: 443, cidr: 0.0.0.0/0 }
prv_sec_group:
  name: PrivateSecurityGroup
  incoming:
    - { port: 80, sec_group: PublicSecurityGroup } #Will be prefixed by {{vpc.name}}
    - { port: 443, sec_group: PublicSecurityGroup }
    - { port: -1, cidr: 10.0.0.0/8, protocol: -1 }
  outgoing: []
vpcs:
  aws_foo_sandbox:
    foosnd:
      name: "{{stack_name}}"
      cidr: 10.10.1.0/24
      igw: 1
      subnets:
        - { name: PublicSNa, az: eu-west-1a, cidr: 10.10.1.0/28, route_table: RtPub, natgw: NatGW1 }
        - { name: PublicSNb, az: eu-west-1b, cidr: 10.10.1.16/28, route_table: RtPub }
        - { name: PrivateSNa, az: eu-west-1a, cidr: 10.10.1.32/27, route_table: RtPriv }
        - { name: PrivateSNb, az: eu-west-1b, cidr: 10.10.1.64/27, route_table: RtPriv }
      acls: "{{acls}}"
      pub_sec_group: "{{pub_sec_group}}"
      prv_sec_group: "{{prv_sec_group}}"
      route_tables:
        - name: RtPub
          routes:
            - { name: igw, cidr: 0.0.0.0/0, igw: 1 }
        - name: RtPriv
          routes:
            - { name: NatGW1, cidr: 0.0.0.0/0, natgw: NatGW1 }
          vpnconnection: 1
      vpn:
        name: "{{stack_name}}TransitVPN"
        gateways:
          - name: "FortigateFW1"
          - name: "FortigateFW2"
      instances: []
  aws_foo_nonprod:
    foodev:
      name: "{{stack_name}}"
      cidr: 10.10.2.0/24
      igw: 1
      subnets:
        - { name: PublicSNa, az: eu-west-1a, cidr: 10.10.2.0/28, route_table: RtPub, natgw: NatGW1 }
        - { name: PublicSNb, az: eu-west-1b, cidr: 10.10.2.16/28, route_table: RtPub }
        - { name: PrivateSNa, az: eu-west-1a, cidr: 10.10.2.32/27, route_table: RtPriv }
        - { name: PrivateSNb, az: eu-west-1b, cidr: 10.10.2.64/27, route_table: RtPriv }
      acls: "{{acls}}"
      pub_sec_group: "{{pub_sec_group}}"
      prv_sec_group: "{{prv_sec_group}}"
      route_tables:
        - name: RtPub
          routes:
            - { name: igw, cidr: 0.0.0.0/0, igw: 1 }
        - name: RtPriv
          routes:
            - { name: NatGW1, cidr: 0.0.0.0/0, natgw: NatGW1 }
          vpnconnection: 1
      vpn:
        name: "{{stack_name}}TransitVPN"
        gateways:
          - name: "FortigateFW1"
          - name: "FortigateFW2"
      instances: []
    footst:
      name: "{{stack_name}}"
      cidr: 10.10.3.0/24
      igw: 1
      subnets:
        - { name: PublicSNa, az: eu-west-1a, cidr: 10.10.3.0/28, route_table: RtPub, natgw: NatGW1 }
        - { name: PublicSNb, az: eu-west-1b, cidr: 10.10.3.16/28, route_table: RtPub }
        - { name: PrivateSNa, az: eu-west-1a, cidr: 10.10.3.32/27, route_table: RtPriv }
        - { name: PrivateSNb, az: eu-west-1b, cidr: 10.10.3.64/27, route_table: RtPriv }
      acls: "{{acls}}"
      pub_sec_group: "{{pub_sec_group}}"
      prv_sec_group: "{{prv_sec_group}}"
      route_tables:
        - name: RtPub
          routes:
            - { name: igw, cidr: 0.0.0.0/0, igw: 1 }
        - name: RtPriv
          routes:
            - { name: NatGW1, cidr: 0.0.0.0/0, natgw: NatGW1 }
          vpnconnection: 1
      vpn:
        name: "{{stack_name}}TransitVPN"
        gateways:
          - name: "FortigateFW1"
          - name: "FortigateFW2"
      instances: []

In this case depicting a sandbox and nonprod account, the latter with 2 vpc's.

The vpcnames are short (6 chars) for a reason - Fortigate has some limitations on its config names, so the shorter the better.

Also since we don't use vdoms in our Fortigate config, the names must be globally (across all accounts) unique.

CGW setup

Since the cgw is needed only once in every account we created a cgw_cf role for the cloudformation wrapper

---
- hosts: localhost
  connection: local
  gather_facts: False
  vars:
    stack_name: cgw
    gateways:
      - name: FortigateFW1
        ip: "1.1.1.1"
        asn: 64111
      - name: FortigateFW2
        ip: "2.2.2.2"
        asn: 64111
    region: eu-west-1
  roles:
    - { name: sts_assume_role, target_account: "{{aws_accounts[acc]}}" }
    - cgw_cf

The template in the cgw_cf role looks like this

---
  AWSTemplateFormatVersion: "2010-09-09"
  Description: "AWS CGW template {{stack_name}}"
  Resources: 
    {% for gw in gateways %}
    {{gw.name}}CustomerGateway:
      Type: "AWS::EC2::CustomerGateway"
      Properties:
        Type: ipsec.1
        BgpAsn: {{gw.asn}}
        IpAddress: {{gw.ip}}
        Tags:
          - { Key: Name, Value: {{gw.name}}CustomerGateway }
    {% endfor %}
  Outputs:
    StackName:
      Value: !Ref AWS::StackName
    Regionname:
      Value: !Ref AWS::Region
    {% for gw in gateways %}
    {{gw.name}}CustomerGateway:
      Value: !Ref {{gw.name}}CustomerGateway
      Export:
        Name: {{gw.name}}
    {% endfor %}

this creates cloudformation Exports that will be used to import the CGW id's in the VPN setup.

VPC setup

Passing the stack_name and acc variables into this playbook will create the vpc and configure the tunnels inside the fortigate firewalls.

The stack_name represents the vpc variable in the group_vars.

---
- hosts: localhost
  connection: local
  gather_facts: False
  vars:
    vpc: "{{vpcs[acc][stack_name]}}"
    region: eu-west-1
  roles:
    - name: sts_assume_role
      target_account: "{{aws_accounts[acc]}}"

    - name: vpc_cf

    - name: get_aws_vpnconfig
      vpn1: "{{output.stack_outputs[stack_name+'FortigateFW1VPNConnection']}}"
      vpn2: "{{output.stack_outputs[stack_name+'FortigateFW2VPNConnection']}}"

    - name: fortigate
      fwName: Transit-Hub-FW1
      config: "{{awsvpn1}}"
      ssh_key: "~/pems/Transit.pem"
      ssh_uid: "admin"
      ssh_host: "1.1.1.1"
      localip: 10.10.0.10
      hubName: HUB-to-DC1

    - name: fortigate
      fwName: Transit-Hub-FW2
      config: "{{awsvpn2}}"
      ssh_key: "~/pems/Transit.pem"
      ssh_uid: "admin"
      ssh_host: "2.2.2.2"
      localip: 10.10.0.100
      setmetrix: yes
      hubName: HUB-to-DC2

vpc_cf role

here is the jinja template contents:

---
  AWSTemplateFormatVersion: "2010-09-09"
  Description: "AWS VPC template {{vpc.name}}"
  Resources: 
    {{vpc.name}}VPC:
      Type: AWS::EC2::VPC
      Properties:
        CidrBlock: {{vpc.cidr}}
        EnableDnsSupport: true
        EnableDnsHostnames: true
        Tags:
          - { Key: Application, Value: !Ref "AWS::StackId" }
          - { Key: Name, Value: {{vpc.name}}VPC }

    {% if vpc.igw is defined %}
    {{vpc.name}}InternetGateway: 
      Type: AWS::EC2::InternetGateway
      Properties: 
        Tags: 
          - { Key: Application, Value: !Ref "AWS::StackId" }
          - { Key: Name, Value: {{vpc.name}}InternetGateway }

    {{vpc.name}}AttachGateway: 
      Type: AWS::EC2::VPCGatewayAttachment
      Properties: 
        VpcId: !Ref {{vpc.name}}VPC
        InternetGatewayId: !Ref {{vpc.name}}InternetGateway
    {% endif %}

    {% for rt in vpc.route_tables %}
    {{vpc.name}}{{rt.name}}RouteTable: 
      Type: AWS::EC2::RouteTable
      Properties: 
        VpcId: !Ref {{vpc.name}}VPC
        Tags: 
          - { Key: Application, Value: !Ref "AWS::StackId" }
          - { Key: Name, Value: {{vpc.name}}{{rt.name}}RouteTable }
    {% endfor %}

    {{vpc.name}}NetworkAcl: 
      Type: AWS::EC2::NetworkAcl
      Properties: 
        VpcId: !Ref {{vpc.name}}VPC
        Tags: 
          - { Key: Application, Value: !Ref "AWS::StackId" }
          - { Key: Name, Value: {{vpc.name}}NetworkAcl }

    {% for subnet in vpc.subnets %}
    {{vpc.name}}{{subnet.name}}Subnet: 
      Type: AWS::EC2::Subnet
      Properties: 
        AvailabilityZone: {{subnet.az}}
        VpcId: !Ref {{vpc.name}}VPC
        CidrBlock: {{subnet.cidr}}
        Tags: 
          - { Key: Application, Value: !Ref "AWS::StackId" }
          - { Key: Name, Value: {{vpc.name}}{{subnet.name}} }
    {{vpc.name}}{{subnet.name}}SubnetRouteTableAssociation: 
      Type: AWS::EC2::SubnetRouteTableAssociation
      Properties: 
        SubnetId: !Ref {{vpc.name}}{{subnet.name}}Subnet
        RouteTableId: !Ref {{vpc.name}}{{subnet.route_table}}RouteTable
    {{vpc.name}}{{subnet.name}}SubnetNetworkAclAssociation: 
      Type: AWS::EC2::SubnetNetworkAclAssociation
      Properties: 
        SubnetId: !Ref {{vpc.name}}{{subnet.name}}Subnet
        NetworkAclId: !Ref {{vpc.name}}NetworkAcl
    {% if subnet.natgw is defined %}
    {{vpc.name}}{{subnet.natgw}}IPAddress: 
      Type: AWS::EC2::EIP
      DependsOn: {{vpc.name}}AttachGateway
      Properties: 
        Domain: vpc
    {{vpc.name}}{{subnet.natgw}}NatGateway: 
      Type: AWS::EC2::NatGateway
      Properties: 
        AllocationId: !GetAtt {{vpc.name}}{{subnet.natgw}}IPAddress.AllocationId
        SubnetId: !Ref {{vpc.name}}{{subnet.name}}Subnet
    {% endif %}
    {% endfor %}

    {% for acl in vpc.acls %}
    {{vpc.name}}{{acl.name}}NetworkAclEntry: 
      Type: AWS::EC2::NetworkAclEntry
      Properties: 
        NetworkAclId: !Ref {{vpc.name}}NetworkAcl
        RuleNumber: {{acl.rule}}
        RuleAction: allow
        Egress: {{acl.outgoing}}
        CidrBlock: {{acl.cidr}}
        {% if acl.from is defined %}
        Protocol: {{acl.protocol|default('6')}}
          {% if acl.protocol is defined and acl.protocol == 1 %}
        Icmp:
          Code: -1
          Type: -1
          {% endif %}
        PortRange: 
          From: {{acl.from}}
          To: {{acl.to}}
        {% else %}
        Protocol: -1
        {% endif %}
    {% endfor %}

    {{vpc.name}}PublicSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties: 
        VpcId: !Ref {{vpc.name}}VPC
        GroupDescription: Enable access via ports
        SecurityGroupIngress:
          {% for incoming in vpc.pub_sec_group.incoming %}
          - IpProtocol: {{incoming.protocol|default('tcp')}}
            FromPort: {{incoming.port}}
            ToPort: {{incoming.port}}
            CidrIp: {{incoming.cidr}}
          {% endfor %}
        SecurityGroupEgress:
          {% for outgoing in vpc.pub_sec_group.outgoing %}
          - IpProtocol: {{outgoing.protocol|default('tcp')}}
            FromPort: {{outgoing.port}}
            ToPort: {{outgoing.port}}
            {% if outgoing.sec_group is defined %}
            SourceSecurityGroupId: !Ref {{vpc.name}}{{outgoing.sec_group}}
            {% else %}
            CidrIp: {{outgoing.cidr}}
            {% endif %}
          {% endfor %}
        Tags: 
          - { Key: Application, Value: !Ref "AWS::StackId" }
          - { Key: Name, Value: {{vpc.name}}PublicSecurityGroup }

    {{vpc.name}}PrivateSecurityGroup: 
      Type: AWS::EC2::SecurityGroup
      Properties: 
        VpcId: !Ref {{vpc.name}}VPC
        GroupDescription: Enable access via ports
        SecurityGroupIngress: 
          {% for incoming in vpc.prv_sec_group.incoming %}
          - IpProtocol: {{incoming.protocol|default('tcp')}}
            FromPort: {{incoming.port}}
            ToPort: {{incoming.port}}
            {% if incoming.sec_group is defined %}
            SourceSecurityGroupId: !Ref {{vpc.name}}{{incoming.sec_group}}
            {% else %}
            CidrIp: {{incoming.cidr}}
            {% endif %}
          {% endfor %}
        Tags: 
          - { Key: Application, Value: !Ref "AWS::StackId" }
          - { Key: Name, Value: {{vpc.name}}PrivateSecurityGroup }

    {% for rt in vpc.route_tables %}
    {% for route in rt.routes %}
    {{vpc.name}}{{rt.name}}{{route.name}}Route: 
      Type: AWS::EC2::Route
      {% if route.vpngateway is defined %}
      DependsOn: [{{vpc.vpn.name}}VPNGateway, {{vpc.vpn.name}}VPCGatewayAttachment]
      {% endif %}
      Properties: 
        RouteTableId: !Ref {{vpc.name}}{{rt.name}}RouteTable
        DestinationCidrBlock: {{route.cidr}}
        {% if route.instance is defined %}
        InstanceId: !Ref {{vpc.name}}{{route.instance}}EC2Instance
        {% elif route.natgw is defined %}
        NatGatewayId: !Ref {{vpc.name}}{{route.natgw}}NatGateway 
        {% elif route.igw is defined %}
        GatewayId: !Ref {{vpc.name}}InternetGateway
        {% elif route.vpngateway is defined %}
        GatewayId: !Ref {{vpc.vpn.name}}VPNGateway
        {% endif %}
    {% endfor %}
    {% if rt.vpnconnection is defined %}
    {% for gw in vpc.vpn.gateways %}
    {{vpc.name}}{{gw.name}}VPNGatewayRoutePropagation:
      Type: "AWS::EC2::VPNGatewayRoutePropagation"
      DependsOn: {{vpc.name}}{{gw.name}}VPNConnection
      Properties: 
        RouteTableIds: [!Ref {{vpc.name}}{{rt.name}}RouteTable]
        VpnGatewayId: !Ref {{vpc.vpn.name}}VPNGateway
    {% endfor %}
    {% endif %}
    {% endfor %}

    {% for instance in vpc.instances %}
    {{vpc.name}}{{instance.name}}EC2Instance: 
      Type: AWS::EC2::Instance
      DependsOn: {{vpc.name}}AttachGateway
      Properties: 
        ImageId: {{instance.imageid|default(ec2_imageid)}}
        InstanceType:  {{instance.instancetype|default(ec2_type)}}
        KeyName: {{ec2_keyname}}
        SourceDestCheck: {{instance.sourcedestcheck|default('true')}}
        Tags: 
          - { Key: Application, Value: !Ref "AWS::StackId"  }
          - { Key: Name, Value: {{vpc.name}}{{instance.name}}EC2Instance }
        NetworkInterfaces: 
          - GroupSet: [ !Ref {{vpc.name}}SecurityGroup ]
            DeviceIndex: 0
            DeleteOnTermination: true
            SubnetId: !Ref {{vpc.name}}{{instance.subnet}}Subnet
    {{vpc.name}}{{instance.name}}IPAddress: 
      Type: AWS::EC2::EIP
      DependsOn: {{vpc.name}}AttachGateway
      Properties: 
        Domain: vpc
        InstanceId: !Ref {{vpc.name}}{{instance.name}}EC2Instance
    {% endfor %}

    {% if vpc.vpn is defined %}
    {{vpc.vpn.name}}VPNGateway:
      Type: "AWS::EC2::VPNGateway"
      DependsOn: {{vpc.name}}VPC
      Properties:
        Type: ipsec.1
        Tags:
          - { Key: Name, Value: {{vpc.vpn.name}}VPNGateway }
    {{vpc.vpn.name}}VPCGatewayAttachment:
      Type: "AWS::EC2::VPCGatewayAttachment"
      DependsOn: {{vpc.name}}VPC
      Properties:
        VpcId: !Ref {{vpc.name}}VPC
        VpnGatewayId: !Ref {{vpc.vpn.name}}VPNGateway
    {% for gw in vpc.vpn.gateways %}
    {{vpc.name}}{{gw.name}}VPNConnection:
      Type: "AWS::EC2::VPNConnection"
      Properties:
        Type: ipsec.1
        CustomerGatewayId: !ImportValue {{gw.name}}
        StaticRoutesOnly: false
        VpnGatewayId: !Ref {{vpc.vpn.name}}VPNGateway
        Tags:
          - { Key: Name, Value: {{vpc.name}}{{gw.name}}VPNConnection }

    {% endfor %}
    {% endif %}

    {{vpc.name}}FlowLog:
      Type: "AWS::EC2::FlowLog"
      Properties:
        DeliverLogsPermissionArn : arn:aws:iam::{{aws_accounts[acc]}}:role/PublishFlowLogs
        LogGroupName : vpc-flow-logs
        ResourceId : !Ref {{vpc.name}}VPC
        ResourceType : VPC
        TrafficType : ALL

  Outputs:
    StackName:
      Value: !Ref AWS::StackName
    Regionname:
      Value: !Ref AWS::Region
    {{vpc.name}}VPC:
      Value: !Ref {{vpc.name}}VPC
      Export:
        Name: {{vpc.name}}VPC
    {{vpc.name}}PublicSecurityGroup: 
      Value: !Ref {{vpc.name}}PublicSecurityGroup
      Export:
        Name: {{vpc.name}}PublicSecurityGroup
    {{vpc.name}}PrivateSecurityGroup: 
      Value: !Ref {{vpc.name}}PrivateSecurityGroup
      Export:
        Name: {{vpc.name}}PrivateSecurityGroup
    {% for subnet in vpc.subnets %}
    {{vpc.name}}{{subnet.name}}Subnet: 
      Value: !Ref {{vpc.name}}{{subnet.name}}Subnet
      Export:
        Name: {{vpc.name}}{{subnet.name}}Subnet
    {% endfor %}
    {% for instance in vpc.instances %}
    {{vpc.name}}{{instance.name}}Private:
      Value: !GetAtt {{vpc.name}}{{instance.name}}EC2Instance.PrivateIp
    {{vpc.name}}{{instance.name}}Public:
      Value: !GetAtt {{vpc.name}}{{instance.name}}EC2Instance.PublicIp
    {% endfor %}
    {% if vpc.vpn is defined %}
    {% for gw in vpc.vpn.gateways %}
    {{vpc.name}}{{gw.name}}VPNConnection:
      Value: !Ref {{vpc.name}}{{gw.name}}VPNConnection
    {% endfor %}
    {% endif %}

the vpc.instances list would contain instance info (like when we deployed quagga and strongswan), but isn't important here.

get_aws_vpn_config role

Whoa, so this is probably where rolling your own module to extract the info would have been wize, but since I am half lazy, half inspired to see how much I can squeeze into 1 command line...

---
- block:
    - name: get the ip password combo for "{{vpn1}}"
      shell: >
        AWS_ACCESS_KEY_ID="{{ assumed_role.sts_creds.access_key | default(omit) }}"
        AWS_SECRET_ACCESS_KEY="{{ assumed_role.sts_creds.secret_key | default(omit) }}"
        AWS_SESSION_TOKEN="{{ assumed_role.sts_creds.session_token | default(omit) }}"
        aws ec2 describe-vpn-connections 
        | jq '.VpnConnections[] | select(.VpnConnectionId=="{{vpn1}}").CustomerGatewayConfiguration' -r 
        | xmlstarlet sel -t -m '/vpn_connection/ipsec_tunnel' 
        -v 'concat("cgw", position(), "_outside: ", ./customer_gateway/tunnel_outside_address/ip_address/text(), "!!!")'
        -v 'concat("cgw", position(), "_inside: ", ./customer_gateway/tunnel_inside_address/ip_address/text(), "!!!")' 
        -v 'concat("cgw", position(), "_asn: ", ./customer_gateway/bgp/asn/text(), "!!!")'
        -v 'concat("vgw", position(), "_outside: ", ./vpn_gateway/tunnel_outside_address/ip_address/text(), "!!!")'
        -v 'concat("vgw", position(), "_inside: ", ./vpn_gateway/tunnel_inside_address/ip_address/text(), "!!!")'
        -v 'concat("vgw", position(), "_asn: ", ./vpn_gateway/bgp/asn/text(), "!!!")'
        -v 'concat("psk", position(), ": ", ./ike/pre_shared_key/text(),"!!!")'
      register: vpnconfig
    - set_fact:
        awsvpn1: "{{('{ '+(vpnconfig.stdout_lines[0].split('!!!')|difference([''])|join(', '))+' }')|from_yaml}}"
    - debug: var=awsvpn1
    - name: get the ip password combo for "{{vpn2}}"
      shell: > 
        AWS_ACCESS_KEY_ID="{{ assumed_role.sts_creds.access_key | default(omit) }}"
        AWS_SECRET_ACCESS_KEY="{{ assumed_role.sts_creds.secret_key | default(omit) }}"
        AWS_SESSION_TOKEN="{{ assumed_role.sts_creds.session_token | default(omit) }}"
        aws ec2 describe-vpn-connections 
        | jq '.VpnConnections[] | select(.VpnConnectionId=="{{vpn2}}").CustomerGatewayConfiguration' -r 
        | xmlstarlet sel -t -m '/vpn_connection/ipsec_tunnel' 
        -v 'concat("cgw", position(), "_outside: ", ./customer_gateway/tunnel_outside_address/ip_address/text(), "!!!")'
        -v 'concat("cgw", position(), "_inside: ", ./customer_gateway/tunnel_inside_address/ip_address/text(), "!!!")' 
        -v 'concat("cgw", position(), "_asn: ", ./customer_gateway/bgp/asn/text(), "!!!")'
        -v 'concat("vgw", position(), "_outside: ", ./vpn_gateway/tunnel_outside_address/ip_address/text(), "!!!")'
        -v 'concat("vgw", position(), "_inside: ", ./vpn_gateway/tunnel_inside_address/ip_address/text(), "!!!")'
        -v 'concat("vgw", position(), "_asn: ", ./vpn_gateway/bgp/asn/text(), "!!!")'
        -v 'concat("psk", position(), ": ", ./ike/pre_shared_key/text(),"!!!")'
      register: vpnconfig
    - set_fact:
        awsvpn2: "{{('{ '+(vpnconfig.stdout_lines[0].split('!!!')|difference([''])|join(', '))+' }')|from_yaml}}"
    - debug: var=awsvpn2
  when: not absent is defined

This uses jq to find the relevant output from aws ec2 describe-vpn-connections and then xmlstarlet to extract the aws inside,outside ips,asn,and psk for both tunnels.

Once that is done... it creates the 2 variables we will use in the fortigate config in the next role

fortigate role

---
- name: remove the fortigate config
  block:
    - name: make the policy delete script
      shell: >
        echo 'config firewall policy' > "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        ssh -i "{{ssh_key}}" "{{ssh_uid}}@{{ssh_host}}" show firewall policy
        | grep "{{stack_name}}" -B 1
        | grep 'edit '
        | sed 's/.*edit /del /g' >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        echo end >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        echo 'config vpn ipsec phase2-interface' >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        ssh -i "{{ssh_key}}" "{{ssh_uid}}@{{ssh_host}}" show vpn ipsec phase2-interface
        | grep "{{stack_name}}" -B 1
        | grep 'edit '
        | sed 's/.*edit /del /g' >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        echo end >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        echo 'config vpn ipsec phase1-interface' >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        ssh -i "{{ssh_key}}" "{{ssh_uid}}@{{ssh_host}}" show vpn ipsec phase1-interface
        | grep "{{stack_name}}" -B 1
        | grep 'edit '
        | sed 's/.*edit /del /g' >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        echo end >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        echo 'config router bgp' >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        echo 'config neighbor ' >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        ssh -i "{{ssh_key}}" "{{ssh_uid}}@{{ssh_host}}" show router bgp
        | grep "{{stack_name}}" -B 2
        | grep 'edit "'
        | sed 's/.*edit /del /g' >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        echo end >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
        echo end >> "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh";
    - name: run the delete script
      shell: cat "./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.del.ssh" | ssh -i "{{ssh_key}}" "{{ssh_uid}}@{{ssh_host}}"
      register: delfortiout
    - debug: var=delfortiout
  when: absent is defined

- name: do fortigate config
  block:
  - name: get the tunnel list to see if it exists
    shell: "ssh -i {{ssh_key}} {{ssh_uid}}@{{ssh_host}} get ipsec tunnel list | grep -c {{stack_name}}T1P1"
    ignore_errors: true
    register: tunlist
  - block:
      - name: stampout "{{fwName}}"
        template: src=fortigate.ssh.j2 dest="./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.ssh"
      - name: run the tunnel script
        shell: "cat ./generated/vpc/{{stack_name}}.fortigate.{{fwName}}.ssh | ssh -i {{ssh_key}} {{ssh_uid}}@{{ssh_host}}"
        register: fortiout
      - debug: var=fortiout
    when: tunlist.stdout_lines[0] == '0'
  when: absent is not defined

The first fugly block is there to generate the delete scripts in case you are removing the vpc's config from the Fortigate firewalls

The second block is the create, if it doesn't exist, that makes an .ssh file and then cat it to the Fortigate firewall.

The template itself is basically a bunch of fortigate config statements provided by our resident Fortigate experts.

The Fortigates are pretty cool tools, you can put them in 'debug' mode and have them spit out a recording of what you do in its web interface. That can then be put into a jinja2 template and used like we do below.

config vpn ipsec phase1-interface
  edit "{{stack_name}}T1P1"
  set interface "port1"
  set local-gw "{{localip}}"
  set keylife 28800
  set peertype any
  set proposal aes128-sha1
  set dhgrp 2
  set remote-gw "{{config.vgw1_outside}}"
  set psksecret "{{config.psk1}}"
  set dpd-retryinterval 10
end

config vpn ipsec phase2-interface
  edit "{{stack_name}}T1P2"
  set phase1name "{{stack_name}}T1P1"
  set proposal aes128-sha1
  set dhgrp 2
  set keylifeseconds 3600
end

config system interface
  edit "{{stack_name}}T1P1"
  set vdom "root"
  set ip {{config.cgw1_inside}} 255.255.255.255
  set allowaccess ping
  set type tunnel
  set tcp-mss 1379
  set remote-ip {{config.vgw1_inside}}
  set interface "port1"
end

config vpn ipsec phase1-interface
  edit "{{stack_name}}T2P1"
  set interface "port1"
  set local-gw "{{localip}}"
  set keylife 28800
  set peertype any
  set proposal aes128-sha1
  set dhgrp 2
  set remote-gw "{{config.vgw2_outside}}"
  set psksecret "{{config.psk2}}"
  set dpd-retryinterval 10
end

config vpn ipsec phase2-interface
  edit "{{stack_name}}T2P2"
  set phase1name "{{stack_name}}T2P1"
  set proposal aes128-sha1
  set dhgrp 2
  set keylifeseconds 3600
end

config system interface
  edit "{{stack_name}}T2P1"
  set vdom "root"
  set ip {{config.cgw2_inside}} 255.255.255.255
  set allowaccess ping
  set type tunnel
  set tcp-mss 1379
  set remote-ip {{config.vgw2_inside}}
  set interface "port1"
end

config router bgp
  config neighbor
  edit "{{config.vgw1_inside}}"
  set soft-reconfiguration enable
  set description "{{stack_name}}T1"
  set remote-as {{config.vgw1_asn}}
  {% if setmetrix is defined %}
  set route-map-out "Set-Metrix"
  {% endif %}
  next
  edit "{{config.vgw2_inside}}"
  set soft-reconfiguration enable
  set description "{{stack_name}}T2"
  set remote-as {{config.vgw2_asn}}
  {% if setmetrix is defined %}
  set route-map-out "Set-Metrix"
  {% endif %}
  end
end

config firewall policy
  edit 0
  set name "{{stack_name}}T1P1-f"
  set srcintf "{{stack_name}}T1P1"
  set dstintf "port1"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
end

config firewall policy
  edit 0
  set name "f-{{stack_name}}T1P1"
  set srcintf "port1"
  set dstintf "{{stack_name}}T1P1"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
  set comments "Reverse of {{stack_name}}T1P1-f"
end

config firewall policy
  edit 0
  set name "{{stack_name}}T2P1-f"
  set srcintf "{{stack_name}}T2P1"
  set dstintf "port1"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
end

config firewall policy
  edit 0
  set name "f-{{stack_name}}T2P1"
  set srcintf "port1"
  set dstintf "{{stack_name}}T2P1"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
  set comments "Reverse of {{stack_name}}T2P1-f"
end

config firewall policy
  edit 0
  set name "{{stack_name}}T1P1-s"
  set srcintf "{{stack_name}}T1P1"
  set dstintf "ssl.root"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
end

config firewall policy
  edit 0
  set name "s-{{stack_name}}T1P1"
  set srcintf "ssl.root"
  set dstintf "{{stack_name}}T1P1"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
  set comments "Reverse of {{stack_name}}T1P1-s"
end

config firewall policy
  edit 0
  set name "{{stack_name}}T2P1-s"
  set srcintf "{{stack_name}}T2P1"
  set dstintf "ssl.root"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
end

config firewall policy
  edit 0
  set name "s-{{stack_name}}T2P1"
  set srcintf "ssl.root"
  set dstintf "{{stack_name}}T2P1"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
  set comments "Reverse of {{stack_name}}T2P1-s"
end

config firewall policy
  edit 0
  set name "{{stack_name}}T1P1-h"
  set srcintf "{{stack_name}}T1P1"
  set dstintf "{{hubName}}"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
end

config firewall policy
  edit 0
  set name "h-{{stack_name}}T1P1"
  set srcintf "{{hubName}}"
  set dstintf "{{stack_name}}T1P1"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
end

config firewall policy
  edit 0
  set name "{{stack_name}}T2P1-h"
  set srcintf "{{stack_name}}T2P1"
  set dstintf "{{hubName}}"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
end

config firewall policy
  edit 0
  set name "h-{{stack_name}}T2P1"
  set srcintf "{{hubName}}"
  set dstintf "{{stack_name}}T2P1"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
end

The script configures:

  • the 2 phases of the 2 ip tunnels,
  • creates the interface for it,
  • configures the bgp neighbors
  • creates the forward and reverse policies to:

    • the firewall itself
    • an ssl client vpn
    • the dc's