Skip to main content
Navs
Navs
New Member
June 25, 2019
Question

AWS VPN issues

  • June 25, 2019
  • 2 replies
  • 7297 views

Hi all

 

I am trying to setup a VPN tunnel from my 100E (6.0.4) to AWS.  The AWS setup was completed and a config file for fortigate downloaded, albeit a version 5.x one).  I have followed the instructions and the VPN tunnel is showing as UP on the AWS end and its also showing as UP under the Fortigate > IPSEC monitor > Phase 2 selectors. So far so good.

 

Another part of the setup asks for me to setup 169 addresses on the new VPN interface created, so that has been setup as below.  However i cant ping the remote end 169.254.66.97 from the firewall which i assume i should be able to as it will be used for link monitoring.

 

config system interface edit "vpn-c135b8747-0" set vdom "root" set ip 169.254.66.98 255.255.255.255 set allowaccess ping set type tunnel set tcp-mss 1379 set remote-ip 169.254.66.97 255.255.255.252 set snmp-index 38 set interface "port16" next end

 

Also a static route i configured, following the AWS instructions, pointing 172.20.0.0/22 to interface vpn-c135b8747-0 also doesn't make it into the routing table.

 

edit 9 set dst 172.20.0.0 255.255.252.0 set device "vpn-c135b8747-0" next

 

I have also created the policies to allow traffic to pass, any help would be appreciated.

    2 replies

    hubertzw
    hubertzw
    New Member
    June 25, 2019

    Navs wrote:

    set ip 169.254.66.98 255.255.255.255

    ...

    set remote-ip 169.254.66.97 255.255.255.252

    try with the same masks

    Navs
    NavsAuthor
    New Member
    June 28, 2019

    Hi

     

    I did try messing around with the masks, tries a /32 tried a /31, didnt make a difference, i dont think you can edit the mask on the local IP, no option in the GUI.  

     

    However, after some debugging i noticed that the reason i couldnt ping the remote ip 169.254.66.97 was because i hadn't included it in the phase 2 selectors. Once added i could ping the remote IP, static route went into the routing table and i could ping my AWS instance.

     

     

    kctesting77
    kctesting77
    New Member
    October 19, 2020

    Hi Navs,

     

    I have the exact same issue where cannot PING the AWS Inside Peer IP address from any of the Tunnels...everything else works fine but I need this for Monitoring purposes.

    I did the /30 /31...no joy & I have the 169.* subnets in Phase 2 on Fortigate and even added a Static Route.

    I do not control the AWS side but all looks like yours on Fortigate. 

    armen23
    armen23
    New Member
    January 15, 2022

    Use MTR to check for ICMP or TCP parcel misfortune and inactivity
    MTR gives a nonstop refreshed result that permits you to examine network execution after some time. It consolidates the usefulness of traceroute and ping in a solitary organization indicative apparatus.

    Introduce the MTR network instrument on your EC2 occasion in the VPC to check for ICMP or TCP parcel misfortune and idleness.

    Amazon Linux:

    sudo yum introduce mtr
    Ubuntu:

    sudo well-suited get introduce mtr

    Run the accompanying tests between the private and public IP address for your EC2 examples and on-premises have bi-directionally. The way between hubs on a TCP/IP organization can alter when the course is switched. It's a best practice to get MTR results bi-directionally.

    Note:

    Ensure that the security gathering and NACL rules permit ICMP traffic from the source example.
    Ensure that the test port is open on the objective example, and the security gathering and NACL rules permit traffic from the source on the convention and port.
    The TCP-based outcome decide whether there is application-put together bundle misfortune or dormancy with respect to the association. MTR form 0.85 and higher have the TCP choice.

    Private IP EC2 occurrence on-premises have reported:

    mtr - n - c 200
    Private IP EC2 case on-premises have report:

    mtr - n - T - c 200 - P 443 - m 60
    Public IP EC2 example on-premises have report:

    mtr - n - c 200
    Public IP EC2 example on-premises have report:

    mtr - n - T - c 200 - P 443 - m 60

    AWS classes in Pune provides services from dozens of information centers unfold across handiness zones (AZs) in regions across the earth. associate degree AZ could be a position that contains multiple physical knowledge centers. a section could be a assortment of AZs in geographic contiguity connected by low- quiescence network links.

    For More Information visit: AWS Training in Pune

    Terms & ConditionsAccessibility statement