One-way ping on site-to-site AWS VPN tunnel
For a client, I am trying to set up a site-to-site VPN from a local FortiGate 200F, firmware 7.2.3, to the AWS site-to-site connectors.
I succeeded in making it so I could ping from AWS to a local machine, but ping from a local machine to an AWS machine would not work.
How I did it and config
I went into the docs of AWS and Fortinet, followed them, then downloaded the IKEv2 configuration file, followed the instructions, and it was pretty smooth for those parts.*

FortiGate Network IPsec tunnels section here:

FortiGate routes here:

*In this post, I'll only talk about one tunnel, and I'll ask the community about the two tunnels failover in another post.
So the routes on the AWS side are working, and I suspect that the AWS side is not the cause here:

My firewall policies are here:

And if I DENY my AWS VPN to the local LAN, the pings from AWS to the local LAN stop, so this is proof that that direction goes through the firewall.

If I reverse that by putting "AWSVPN to LAN" to ACCEPT and "LAN to AWS VPN" to DENY, there is no difference to my problem, obviously.
Any hint in the right direction would be appreciated! Thanks.
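As an added illustration that is not part of the original post, this is the FortiGate CLI form of the two policies and the static route described above, followed by a sniffer check that tells apart "the echo request never leaves the tunnel" (local route or policy problem) from "the request leaves but no reply comes back" (AWS-side security group, network ACL or return-route problem). The interface names "lan" and "AWS-VPN1", the LAN 192.168.1.0/24 and the VPC CIDR 10.0.0.0/16 are constructed placeholders, not values from the post.

```text
# Placeholders (constructed, not from the post): "lan" = inside interface,
# "AWS-VPN1" = IPsec tunnel interface created from the downloaded config file,
# 192.168.1.0/24 = local LAN, 10.0.0.0/16 = VPC CIDR.
config firewall address
    edit "LOCAL-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "AWS-VPC"
        set subnet 10.0.0.0 255.255.0.0
    next
end
# Route the VPC prefix into the tunnel interface (no gateway needed).
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "AWS-VPN1"
    next
end
config firewall policy
    edit 0
        set name "LAN-to-AWSVPN"
        set srcintf "lan"
        set dstintf "AWS-VPN1"
        set srcaddr "LOCAL-LAN"
        set dstaddr "AWS-VPC"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "AWSVPN-to-LAN"
        set srcintf "AWS-VPN1"
        set dstintf "lan"
        set srcaddr "AWS-VPC"
        set dstaddr "LOCAL-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# Run while a LAN host pings a VPC host. Requests visible with no replies
# point at the AWS side (ICMP allowed inbound in the security group and
# network ACL, VPC route table sending 192.168.1.0/24 back to the VPN);
# no requests at all point at the local route or the LAN-to-AWSVPN policy.
diagnose sniffer packet AWS-VPN1 'icmp' 4
```

Source NAT must stay disabled on the LAN-to-tunnel policy; if it is enabled, the echo request leaves with the tunnel interface address as source, which the VPC side has no route or rule for.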