dnick
New Member
May 7, 2019
Solved

Site to Site VPN to AWS VPC


I have a site-to-site VPN set up from a Fortigate 200D to an AWS VPC. The tunnels are up and active but I cannot seem to get the routing correct.

We are wanting all non-local traffic to go through the VPN tunnel to AWS. No matter what change I make, traffic goes out the WAN! I stand corrected: if I edit the static default route to use the VPN interface instead of the WAN ports, the tunnels go down.

config system interface
    edit "AWS VPN"
        set vdom "VDOM-A"
        set ip 169.254.47.154 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.47.153
        set snmp-index 19
        set interface "port1"
    next
    edit "AWS VPN 2"
        set vdom "VDOM-A"
        set ip 169.254.45.246 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.45.245
        set snmp-index 20
        set interface "port1"
    next
end

My tunnels are set up as follows:
config vpn ipsec phase1-interface
    edit "AWS VPN"
        set interface "port1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 3.85.156.247
        set psksecret ENC PJpv/i53ceAXe8BOYrILtfAH6YVwgswMbckKMF/h7QnySTOBFi0dE0TSmZXZM03PG/tKjvFiPKRcwDJprN7SAvpmXWMbRw6ct0kvYISQ/dB3MANTpCnM0tU7k+y1WqsxRoYT5ytMHKVQN4zPgl81PdApw3lLCBs3JTtiUXQveRBMHgZHsy3A29l6VaZA8KnJfg+tYw==
    next
    edit "AWS VPN 2"
        set interface "port1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
        set nattraversal disable
        set remote-gw 34.204.21.180
        set psksecret ENC 9u9RClwiMZOKCxraZHByC00S8HqmmxVhpspElSwGahDAWa9x7LwA4vcF0lOiYA/ClXoK6on9WlOHX19nqTQwbnnOdHcZd/0dVSu50F2dv8T1VXcrEgYDpE8cciOJThDU9UrgpjWbt9ImUohC2qNfpHmyk/sztTpagRQ+JCzWSOe5nreayJOPHaYsnTbIq+4DcxxaQA==
    next
end

config vpn ipsec phase2-interface
    edit "AWS VPN"
        set phase1name "AWS VPN"
        set proposal aes128-sha1
        set dhgrp 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.41.5.0 255.255.255.0
        set dst-subnet 10.99.10.0 255.255.255.0
    next
    edit "AWS VPN 2"
        set phase1name "AWS VPN 2"
        set proposal aes128-sha1
        set dhgrp 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.41.5.0 255.255.255.0
        set dst-subnet 10.99.10.0 255.255.255.0
    next
end

config system link-monitor
    edit "AWS1VPNFO"
        set srcintf "AWS VPN"
        set server "169.254.47.153"
        set interval 2
    next
    edit "AWS2VPNFO"
        set srcintf "AWS VPN 2"
        set server "169.254.45.245"
        set interval 2
    next
end

Static routes:
config router static
    edit 6
        set dst 10.99.0.0 255.255.0.0
        set priority 1
        set device "AWS VPN"
    next
    edit 7
        set dst 10.99.0.0 255.255.0.0
        set priority 1
        set device "AWS VPN 2"
    next
end

config router policy
    edit 1
        set input-device "port2"
        set src "10.41.5.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "AWS VPN"
    next
    edit 2
        set input-device "port2"
        set src "10.41.5.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "AWS VPN 2"
    next
end

The policy routes are completely ignored for some reason and everything reverts back to the default static route.

Any help would be much appreciated.


    Toshi_Esumi
    SuperUser
    May 7, 2019

    I don't know anything specific about AWS VPCs. But to route all traffic, generally internet-bound, into a tunnel, you need to have a default route into the tunnel. Not a policy route. You need to set a specific static route, generally a /32 route, toward wan1 for VPN peer so that the VPN still comes up.

    Since you have two VPNs, depending on how you want to utilize two connections, primary-backup, load-balance, etc., you might want to use either different distance, equal distance w/ different priority, or load-balance for those two static default routes. 

    dnick (Author)
    New Member
    May 7, 2019

    I attached a screenshot... so the 0.0.0.0 gateway would go to one of the tunnel interfaces?

    Toshi_Esumi
    SuperUser
    May 8, 2019

    Yes, in the CLI they would look like below. The destination 0.0.0.0/0 is the default "dst" value so you wouldn't see it. Also the default distance is 10 and default priority is 0 (highest), which you don't see either. So if you want to change one of them to have a lower priority, you can configure it like below. If you use priority instead of distance, both default routes show in the routing table as long as the tunnels are up, but outgoing sessions always use the priority 0 side, which still can receive packets and create incoming sessions on the priority 10 side. You can play around with this to understand the behaviors with those metrics.

    Just don't forget to set another set of /32 routes to port1 to keep tunnels up.

    config router static
      edit x
        set device "AWS VPN"
      next
      edit y
        set device "AWS VPN 2"
        set priority 10
      next
    end

    hostus
    New Member
    October 30, 2023

    Also, you might want to check NAT configuration. You will need to deny NAT from the firewall policy.
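Putting Toshi_Esumi's routing advice and hostus's NAT point together as one FortiOS configuration; this is an added example, not configuration posted in the thread. Peer addresses, interface names and the LAN subnet come from the original post; the route IDs 8-11, the port1 upstream gateway 203.0.113.1 and the address object name are placeholders.

```fortios
config router static
    # /32 host routes to both AWS peers via port1 so IKE/ESP never
    # follows the tunnel default route (placeholder gateway 203.0.113.1)
    edit 8
        set dst 3.85.156.247 255.255.255.255
        set gateway 203.0.113.1
        set device "port1"
    next
    edit 9
        set dst 34.204.21.180 255.255.255.255
        set gateway 203.0.113.1
        set device "port1"
    next
    # Default routes into the tunnels: equal distance (10), priority 0
    # preferred; priority 10 only carries traffic when "AWS VPN" is down
    edit 10
        set dst 0.0.0.0 0.0.0.0
        set device "AWS VPN"
        set priority 0
    next
    edit 11
        set dst 0.0.0.0 0.0.0.0
        set device "AWS VPN 2"
        set priority 10
    next
end
# The policy routes from the original post become redundant
config router policy
    delete 1
    delete 2
end
# LAN-to-tunnel policy with NAT disabled so AWS sees 10.41.5.0/24 sources
config firewall address
    edit "LAN-10.41.5.0"
        set subnet 10.41.5.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "LAN-to-AWS-VPN"
        set srcintf "port2"
        set dstintf "AWS VPN" "AWS VPN 2"
        set srcaddr "LAN-10.41.5.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Apply this inside `config vdom` / `edit VDOM-A`, since the interfaces in the original post belong to that VDOM. Only traffic matching the phase2 selectors enters a route-based tunnel, so with the original dst-subnet of 10.99.10.0/24 internet-bound flows would still be dropped; the selectors must cover 0.0.0.0/0 (the AWS default) for a default route into the tunnel to carry them, which `diagnose vpn tunnel list` will confirm.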