Fortigate 200D (v5.6.2) IPSec VPN to AWS. Traffic makes it to EC2 but not back.

Hi Paul,

Thank you for the response. I will answer your questions first then follow up with the complete CLI configuration.

1. 192.168.241.142 is the AWS VPC subnet

2. In the log you referred to I have "diag flow" enabled and filtering on one of the VPN endpoints (169.254.44.186 & 185)

3. From the log below, I understand that the fortigate figured that the ssh command to  192.168.241.142  is to be routed to the VPN interface vpn-23766442-1 then it says sending through the physical default route of  66.162.199.129 thru wan1. Am I correct? The follow up post has the full diag flow trace logs for ping and ssh.

Log:

id=20085 trace_id=2273 func=ipsecdev_hard_start_xmit line=144 msg="enter IPsec interface-vpn-23766442-1" id=20085 trace_id=2273 func=esp_output4 line=1174 msg="IPsec encrypt/auth" id=20085 trace_id=2273 func=ipsec_output_finish line=534 msg="send to 66.162.199.129 via intf-wan1"

Complete CLI config on fortigate follows. (version 5.6.2). Please note I made changes to update the setting to work with v5.6.2:

! Amazon Web Services ! Virtual Private Cloud

! AWS utilizes unique identifiers to manipulate the configuration of ! a VPN Connection. Each VPN Connection is assigned an identifier and is ! associated with two other identifiers, namely the ! Customer Gateway Identifier and Virtual Private Gateway Identifier. ! ! Your VPN Connection ID : vpn-23766442 ! Your Virtual Private Gateway ID : vgw-28da3041 ! Your Customer Gateway ID : cgw-3720ca5e ! ! ! This configuration consists of two tunnels. Both tunnels must be ! configured on your Customer Gateway. ! ! -------------------------------------------------------------------------------- ! IPSec Tunnel #1 ! -------------------------------------------------------------------------------- ! #1: Internet Key Exchange (IKE) Configuration ! ! A policy is established for the supported ISAKMP encryption, ! authentication, Diffie-Hellman, lifetime, and key parameters. ! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. ! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24. ! ! The address of the external interface for your customer gateway must be a static address. ! Your customer gateway may reside behind a device performing network address translation (NAT). ! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. ! ! Configuration begins in root VDOM.

config vpn ipsec phase1-interface edit vpn-23766442-0 ! Name must be shorter than 15 chars, best if shorter than 12 set interface "wan1"

! The IPSec Dead Peer Detection causes periodic messages to be ! sent to ensure a Security Association remains operational

set dpd enable set local-gw 66.x.x.x set dhgrp 2 set proposal aes128-sha1 set keylife 28800 set remote-gw 34.232.188.255 set psksecret pV5rbsXlyhWYLWEXB.gkmS56nMktjEMB set dpd-retryinterval 10 next end

! #2: IPSec Configuration ! ! The IPSec transform set defines the encryption, authentication, and IPSec ! mode parameters. ! ! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.

config vpn ipsec phase2-interface edit "vpn-23766442-0" set phase1name "vpn-23766442-0" set proposal aes128-sha1 set dhgrp 2 set pfs enable set keylifeseconds 3600 next

! -------------------------------------------------------------------------------- ! #3: Tunnel Interface Configuration ! ! A tunnel interface is configured to be the logical interface associated ! with the tunnel. All traffic routed to the tunnel interface will be ! encrypted and transmitted to the VPC. Similarly, traffic from the VPC ! will be logically received on this interface. ! ! ! The address of the interface is configured with the setup for your ! Customer Gateway. If the address changes, the Customer Gateway and VPN ! Connection must be recreated with Amazon VPC. ! Perform this from the Global VDOM.

config global config system interface edit "vpn-23766442-0" set vdom "root" set ip 169.254.47.46 255.255.255.255 set allowaccess ping set type tunnel

! This option causes the router to reduce the Maximum Segment Size of ! TCP packets to prevent packet fragmentation. ! set tcp-mss 1379 set remote-ip 169.254.47.45 ??? set mtu 1427 set interface "wan1" next

! ---------------------------------------------------------------------------- ! #4 Static Route Configuration ! ! Your Customer Gateway needs to set a static route for the prefix corresponding to your ! VPC to send traffic over the tunnel interface. ! An example for a VPC with the prefix 10.0.0.0/16 is provided below: ! ! Configuration begins in root VDOM. ! First obtain the numbered list of static routes in use:

config vdom edit root show router static

! This will have entries for edit 1, edit 2, etc., showing the device, destination, and gateway for each static route configured. You need to use an unused routing entry for the static route into your VPC. So for example if there were routes 1, 2, and 3, then you would edit 4 below:

config router static edit 4 set device "vpn-23766442-0" set dst 192.168.241.142 255.255.0.0 next end

! Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the ! tunnels, we would want to failover the traffic to the second tunnel. This is done by using "gwdetect" in fortigate. ! The gwdetect command will ping the other end of the tunnel to check if the tunnel is up. If the pings fail, it will ! remove the static route from the routing table, and the second route in the table will become active. ! ! The following config will tell the Fortigate device what IP it should ping to test the tunnel. This IP should be ! the inside IP address of the virtual private gateway.

FMU-FW-02 # config system link-monitor

FMU-FW-02 (link-monitor) # edit 1 new entry '1' added

FMU-FW-02 (1) # set srcintf "vpn-23766442-0"

FMU-FW-02 (1) # set server "169.254.47.45"

FMU-FW-02 (1) # set interval 2

FMU-FW-02 (1) # set failtime 5

FMU-FW-02 (1) # next

FMU-FW-02 (link-monitor) # end

FMU-FW-02 # config system link-monitor

FMU-FW-02 (link-monitor) # show config system link-monitor edit "1" set srcintf "vpn-23766442-0" set server "169.254.47.45" set interval 2 next end

! ---------------------------------------------------------------------------- ! #5 Firewall Policy Configuration ! ! Create a firewall policy permitting traffic from your local subnet to the VPC subnet and vice versa ! ! This example policy permits all traffic from the local subnet to the VPC ! First, find the policies that exist ! Configuration begins in root VDOM.

config vdom edit root show firewall policy

! Next, create a new firewall policy starting with the next available policy ID. If policies 1, 2, 3, and 4 were shown, then in this example the policy created starts at 5

config firewall policy edit 5 set srcintf "vpn-23766442-0" set dstintf "internal" ! This is the interface out which your local LAN resides set srcaddr all set dstaddr all set action accept set schedule always set service ALL next end

! Now create a policy to permit traffic going the other way

config firewall policy edit 6 set srcintf internal ! This is the interface out which your local LAN resides set dstintf "vpn-23766442-0" set srcaddr all set dstaddr all set action accept set schedule always set service ALL next end

! -------------------------------------------------------------------------------- ! IPSec Tunnel #2 ! -------------------------------------------------------------------------------- ! #1: Internet Key Exchange (IKE) Configuration ! ! A policy is established for the supported ISAKMP encryption, ! authentication, Diffie-Hellman, lifetime, and key parameters. ! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. ! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24. ! ! The address of the external interface for your customer gateway must be a static address. ! Your customer gateway may reside behind a device performing network address translation (NAT). ! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. ! ! Configuration begins in root VDOM.

config vpn ipsec phase1-interface edit vpn-23766442-1 ! Name must be shorter than 15 chars, best if shorter than 12 set interface "wan1"

! The IPSec Dead Peer Detection causes periodic messages to be ! sent to ensure a Security Association remains operational

set dpd enable ### set dpd on-demand set local-gw 66.x.x.x set dhgrp 2 set proposal aes128-sha1 set keylife 28800 set remote-gw 52.86.222.130 set psksecret k3Z8Q8K1L3MUClD1MbaPQNNSrffFRS5K set dpd-retryinterval 10 next

### end

! #2: IPSec Configuration ! ! The IPSec transform set defines the encryption, authentication, and IPSec ! mode parameters. ! ! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.

config vpn ipsec phase2-interface edit "vpn-23766442-1" set phase1name "vpn-23766442-1" set proposal aes128-sha1 set dhgrp 2 set pfs enable set keylifeseconds 3600 next end

! -------------------------------------------------------------------------------- ! #3: Tunnel Interface Configuration ! ! A tunnel interface is configured to be the logical interface associated ! with the tunnel. All traffic routed to the tunnel interface will be ! encrypted and transmitted to the VPC. Similarly, traffic from the VPC ! will be logically received on this interface. ! ! ! The address of the interface is configured with the setup for your ! Customer Gateway. If the address changes, the Customer Gateway and VPN ! Connection must be recreated with Amazon VPC. ! Perform this from the Global VDOM.

config global config system interface edit "vpn-23766442-1" set vdom "root" set ip 169.254.44.186 255.255.255.255 set allowaccess ping set type tunnel

! This option causes the router to reduce the Maximum Segment Size of ! TCP packets to prevent packet fragmentation. ! set tcp-mss 1379 set remote-ip 169.254.44.185 ??? set mtu 1427 set interface "wan1" next

### endconfig

! ---------------------------------------------------------------------------- ! #4 Static Route Configuration ! ! Your Customer Gateway needs to set a static route for the prefix corresponding to your ! VPC to send traffic over the tunnel interface. ! An example for a VPC with the prefix 10.0.0.0/16 is provided below: ! ! Configuration begins in root VDOM. ! First obtain the numbered list of static routes in use:

### below is only for listing static routes. Syntax does not work on v6.3

config vdom edit root show router static

! This will have entries for edit 1, edit 2, etc., showing the device, destination, and gateway for each static route configured. You need to use an unused routing entry for the static route into your VPC. So for example if there were routes 1, 2, and 3, then you would edit 4 below:

config router static edit 4 set device "vpn-23766442-1" set dst 192.168.0.0 255.255.0.0 next end

! Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the ! tunnels, we would want to failover the traffic to the second tunnel. This is done by using "gwdetect" in fortigate. ! The gwdetect command will ping the other end of the tunnel to check if the tunnel is up. If the pings fail, it will ! remove the static route from the routing table, and the second route in the table will become active. ! ! The following config will tell the Fortigate device what IP it should ping to test the tunnel. This IP should be ! the inside IP address of the virtual private gateway.

### Version 6.3:

FMU-FW-02 # config system link-monitor

FMU-FW-02 (link-monitor) # edit 2 new entry '1' added

FMU-FW-02 (1) # set srcintf "vpn-23766442-1"

FMU-FW-02 (1) # set server "169.254.44.185"

FMU-FW-02 (1) # set interval 2

FMU-FW-02 (1) # set failtime 5

FMU-FW-02 (1) # next

FMU-FW-02 (link-monitor) # end

### Version 5.x

config vdom edit root config router gwdetect edit 1 set interface "vpn-23766442-1" set server "169.254.44.185" ! Using the following command, you can set the interval and failtime for gwdetect. Interval is number of seconds ! between pings. Failtime is the number of lost consecutive pings.Using the respective values of 2 and 5, your tunnel ! will failover in 10 seconds. ! set interval 2 set failtime 5 next end

! ---------------------------------------------------------------------------- ! #5 Firewall Policy Configuration ! ! Create a firewall policy permitting traffic from your local subnet to the VPC subnet and vice versa ! ! This example policy permits all traffic from the local subnet to the VPC ! First, find the policies that exist ! Configuration begins in root VDOM.

config vdom edit root show firewall policy

! Next, create a new firewall policy starting with the next available policy ID. If policies 1, 2, 3, and 4 were shown, then in this example the policy created starts at 5

config firewall policy edit 5 set srcintf "vpn-23766442-1" set dstintf "internal" ! This is the interface out which your local LAN resides set srcaddr all set dstaddr all set action accept set schedule always set service ALL next end

! Now create a policy to permit traffic going the other way

config firewall policy edit 6 set srcintf internal ! This is the interface out which your local LAN resides set dstintf "vpn-23766442-1" set srcaddr all set dstaddr all set action accept set schedule always set service ALL next end