FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JaskiratM
Staff
Article Id 223254

Description:

This article describes why traffic from AWS LAN hosts toward a remote site via an IPsec tunnel does not reach a FortiGate VM deployed in AWS as an EC2 instance.

Scope:

(PC1)----------(Firewall)==========IPSEC TUNNEL============(FortiGate in AWS)-----------(PC2)


When ping traffic is initiated from PC2 to PC1, it does not reach the FortiGate in AWS.

In addition, traffic from PC1 only reaches PC2 if NAT is enabled on the FortiGate in AWS.


Solution:

1) Go to the EC2 dashboard in the AWS Management Console.

2) Select the checkbox of the EC2 instance that has the FortiGate AMI loaded and go to the Networking section.

3) Scroll down to the network interfaces and locate the network interface that has the same IP as the LAN port of the FortiGate VM.

In this example, port2 has an IP of 10.0.1.100/24.

The AWS ENI (PrivateENI) has the same IP.

4) Select the interface ID on the PrivateENI entry. Once the network interface settings are open, check the box, select Actions, then choose Change source/destination check.

5) Once that option is selected, a pop-up appears showing the source/destination check enabled.

By default it is enabled, and it prevents the interface in AWS from receiving any packet whose destination IP is not the interface's own IP.

This feature drops any packet hitting the LAN interface of the FortiGate with a destination IP other than the interface IP.


(S: 10.1.1.1, D: 10.1.10.1) ------------------------------> (10.1.10.1) AWS ENI ---> packet is allowed.

(S: 10.1.1.1, D: 10.1.10.10) -----------------------------> (10.1.10.1) AWS ENI ---> packet is dropped.

Disabling it will allow the second packet in the example above to pass through.

6) Uncheck the setting and save. The FortiGate VM can now receive traffic from the local subnet, and NAT is no longer required for traffic coming from peer units.
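As an added example (not part of this article and not Fortinet or AWS code), the script below first models the source/destination check behaviour described in step 5 using the article's sample packets, and then automates steps 3 to 6 with boto3: it looks up the ENI that carries the FortiGate LAN port's private IP, disables the check, and reads the attribute back to confirm the change was saved. The IP addresses are the article's example values; the script name `fix_eni.py`, the function names and the fake ENI id in the comments are assumptions made for this example.

```python
"""Disable the AWS source/destination check on the FortiGate LAN ENI.

Added example (not from the article). Models the packet filter described
in step 5, then automates steps 3-6 with boto3. The IP addresses are the
sample values used in the article; the script name is an assumption.
"""
import ipaddress
import sys


def source_dest_check_verdict(interface_ip, dst_ip, check_enabled=True):
    """Model the ENI source/destination check for an inbound packet.

    With the check enabled, AWS only delivers packets whose destination is
    the ENI's own address. With it disabled, transit traffic (for example a
    ping from PC1 across the IPsec tunnel to PC2) is delivered to the
    FortiGate so it can route it on.
    """
    own = ipaddress.ip_address(interface_ip)
    dst = ipaddress.ip_address(dst_ip)
    if not check_enabled or dst == own:
        return "allowed"
    return "dropped"


def find_eni_id_by_private_ip(ec2, private_ip):
    """Step 3: locate the ENI that carries the FortiGate LAN port's IP.

    Uses the 'addresses.private-ip-address' filter of
    DescribeNetworkInterfaces; refuses to guess if the match is not unique.
    """
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "addresses.private-ip-address", "Values": [private_ip]}]
    )
    enis = resp["NetworkInterfaces"]
    if len(enis) != 1:
        raise LookupError(
            f"expected exactly one ENI with {private_ip}, found {len(enis)}"
        )
    return enis[0]["NetworkInterfaceId"]


def disable_source_dest_check(ec2, eni_id):
    """Steps 4-6: turn the check off, then read it back to verify.

    Returns the saved value of the attribute (False once disabled), so a
    caller can tell whether the change actually took effect.
    """
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=eni_id, SourceDestCheck={"Value": False}
    )
    attr = ec2.describe_network_interface_attribute(
        NetworkInterfaceId=eni_id, Attribute="sourceDestCheck"
    )
    return attr["SourceDestCheck"]["Value"]


if __name__ == "__main__":
    # Offline demonstration of the filter with the article's two packets:
    # destination 10.1.10.1 (the ENI itself) and 10.1.10.10 (a LAN host).
    for dst in ("10.1.10.1", "10.1.10.10"):
        on = source_dest_check_verdict("10.1.10.1", dst, True)
        off = source_dest_check_verdict("10.1.10.1", dst, False)
        print(f"dst {dst}: check enabled -> {on}, check disabled -> {off}")

    # Live change, e.g. `python3 fix_eni.py 10.0.1.100` (the article's port2 IP).
    # Requires boto3 and AWS credentials; boto3 is imported lazily so the
    # offline part above runs without it.
    if len(sys.argv) == 2:
        import boto3

        client = boto3.client("ec2")
        eni = find_eni_id_by_private_ip(client, sys.argv[1])
        saved = disable_source_dest_check(client, eni)
        print(f"ENI {eni}: source/dest check value is now {saved}")
```

Run without arguments to see only the offline verdicts; pass the LAN port IP (10.0.1.100 in the article) to perform the live change, which needs credentials allowed to call ec2:DescribeNetworkInterfaces, ec2:ModifyNetworkInterfaceAttribute and ec2:DescribeNetworkInterfaceAttribute. If the value read back is still True, the change did not save and step 6 has not been completed.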

Related document:

NAT instances - Amazon Virtual Private Cloud