Description
This article describes the anti-spoof drop seen on a FortiOS to AWS Site-to-Site VPN after upgrading to a release that introduced the IPsec anti-spoof check (FortiOS v7.4.2 and later, v7.2.12 and later).
Scope |
FortiOS v7.4.2 and later, v7.2.12 and later. |
Solution |
If the FortiGate has been configured with multiple phase2 selectors on the IPsec tunnel to AWS VPN, the tunnel may have worked without any obvious problem before the upgrade.
After upgrading to FortiOS v7.2.12, v7.4.2 or later, intermittent traffic loss on the VPN between AWS and the FortiGate is expected. AWS does not honour phase2 selectors when sending traffic into the tunnel: it encrypts packets under whichever child SA it chooses, regardless of the packet's source IP address, so a packet can arrive on the SA of a selector that does not cover its source.
When packets from the AWS side are dropped by the FortiOS anti-spoof check, a debug flow shows the following:
diagnose debug flow filter addr 10.100.1.38
diagnose debug enable
diagnose debug flow trace start 100

id=65308 trace_id=20320 func=ipsec_spoofed4 line=245 msg="src ip 10.100.1.38 mismatch selector 0 range 169.254.189.57-169.254.189.57"
id=65308 trace_id=20320 func=ipsec_input4 line=289 msg="anti-spoof check failed, drop"
The first line shows that the decrypted packet with source 10.100.1.38 arrived under the child SA negotiated for phase2 selector 0, whose remote range is only 169.254.189.57 (the AWS tunnel inside address). Because AWS chose that SA without regard to the packet's source, the source address falls outside the selector it arrived on, and the anti-spoof check drops the packet.
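The following Python script is an added example, not part of this article or of any Fortinet tooling. It pairs each `ipsec_spoofed4` mismatch line with the `ipsec_input4` drop of the same trace_id, re-checks that the reported source really lies outside the selector range, and groups the dropped sources by the selector they arrived on. The debug lines it reads are constructed in the same shape as the two quoted above; only the first two are taken from the article.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample of `diagnose debug flow` output. The first two lines are
# the shape quoted in the article; the rest are made up in the same shape to
# show several flows being dropped on the same selector.
SAMPLE_DEBUG = """\
id=65308 trace_id=20320 func=ipsec_spoofed4 line=245 msg="src ip 10.100.1.38 mismatch selector 0 range 169.254.189.57-169.254.189.57"
id=65308 trace_id=20320 func=ipsec_input4 line=289 msg="anti-spoof check failed, drop"
id=65308 trace_id=20321 func=ipsec_spoofed4 line=245 msg="src ip 10.100.1.40 mismatch selector 0 range 169.254.189.57-169.254.189.57"
id=65308 trace_id=20321 func=ipsec_input4 line=289 msg="anti-spoof check failed, drop"
id=65308 trace_id=20322 func=ipsec_spoofed4 line=245 msg="src ip 10.100.1.38 mismatch selector 0 range 169.254.189.57-169.254.189.57"
id=65308 trace_id=20322 func=ipsec_input4 line=289 msg="anti-spoof check failed, drop"
"""

MISMATCH_RE = re.compile(
    r'trace_id=(?P<trace>\d+) func=ipsec_spoofed4 .*?'
    r'msg="src ip (?P<src>[\d.]+) mismatch selector (?P<sel>\d+) '
    r'range (?P<lo>[\d.]+)-(?P<hi>[\d.]+)"'
)
DROP_RE = re.compile(
    r'trace_id=(?P<trace>\d+) func=ipsec_input4 .*?msg="anti-spoof check failed, drop"'
)


@dataclass
class SpoofDrop:
    trace_id: int
    src: str
    selector: int
    range_lo: str
    range_hi: str
    dropped: bool = False  # set once the ipsec_input4 drop line for this trace is seen


def parse_anti_spoof(debug_text):
    """Pair each ipsec_spoofed4 mismatch with the ipsec_input4 drop of the same trace_id."""
    events = {}
    for line in debug_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            tid = int(m["trace"])
            events[tid] = SpoofDrop(tid, m["src"], int(m["sel"]), m["lo"], m["hi"])
            continue
        d = DROP_RE.search(line)
        if d and int(d["trace"]) in events:
            events[int(d["trace"])].dropped = True
    return list(events.values())


def src_outside_selector(ev):
    """Re-check the condition FortiOS reported: source not inside the selector's range."""
    return not (ip_address(ev.range_lo) <= ip_address(ev.src) <= ip_address(ev.range_hi))


def summarize(events):
    """Group dropped sources by the selector (index and range) they arrived on."""
    out = {}
    for ev in events:
        if ev.dropped:
            key = (ev.selector, f"{ev.range_lo}-{ev.range_hi}")
            out.setdefault(key, set()).add(ev.src)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    evs = parse_anti_spoof(SAMPLE_DEBUG)
    for (sel, rng), srcs in summarize(evs).items():
        print(f"selector {sel} ({rng}) dropped traffic from: {', '.join(srcs)}")
```

Run it against a saved `diagnose debug flow` capture instead of SAMPLE_DEBUG to see at a glance which selector AWS is sending on and which AWS-side hosts are affected; every source that shows up under a 169.254.x.x/32 selector is private traffic that AWS encrypted under the tunnel-address SA.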
Resolution:
Configure a single 'all zeroes' phase2 selector on the tunnel, as recommended by the AWS VPN configuration template. This template can be downloaded from AWS after configuring the VPN.
As stated in the template, configure only one phase2 selector, 0.0.0.0/0 on both sides. There is no option to configure multiple phase2 selectors on the AWS side; see the third-party documentation AWS Site-to-Site VPN User Guide: Modify AWS Site-to-Site VPN connection options.
From the AWS template:
#2: IPSec Configuration
Under Phase 2 Selectors --> New Phase 2
    Name: vpn-xxxx
    Local Address: LAN subnet behind Fortigate / 0.0.0.0/0
    Remote Address: AWS Private Subnet / 0.0.0.0/0
AWS VPN is route-based, and FortiOS IPsec VPN is route-based (interface mode) by default. Use routes pointing at the tunnel interface, rather than narrower phase2 selectors, to control which traffic is sent over the tunnel; the single 0.0.0.0/0 selector then covers whatever the routing table sends, and inbound packets from AWS always match it.
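The following Python script is an added example, not part of this article or of Fortinet's own tooling. It parses `show vpn ipsec phase2-interface` style output, models the anti-spoof check as the quoted debug line shows it (the decrypted source must fall inside the remote, `dst-subnet`, side of the selector whose SA the packet arrived on), and audits a tunnel against the single 0.0.0.0/0 selector the AWS template requires. The two configurations, the tunnel name "vpn-xxxx", and all addresses are constructed placeholders; the assumption that an unset `src-subnet`/`dst-subnet` means 0.0.0.0/0 is marked in the code.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed `show vpn ipsec phase2-interface` output for the misconfigured
# tunnel: one selector for the tunnel inside addresses and one for the private
# subnets. Tunnel name "vpn-xxxx" and all addresses are placeholders.
MISCONFIGURED = """\
config vpn ipsec phase2-interface
    edit "vpn-xxxx-tun"
        set phase1name "vpn-xxxx"
        set src-subnet 169.254.189.58 255.255.255.255
        set dst-subnet 169.254.189.57 255.255.255.255
    next
    edit "vpn-xxxx-lan"
        set phase1name "vpn-xxxx"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.100.1.0 255.255.255.0
    next
end
"""

# The same tunnel with the single all-zeroes selector the AWS template asks for.
RECOMMENDED = """\
config vpn ipsec phase2-interface
    edit "vpn-xxxx"
        set phase1name "vpn-xxxx"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
"""


def parse_phase2(cli_text):
    """Return {phase1name: [selector, ...]} in config order; list index = selector number."""
    tunnels, cur = {}, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            # Assumption: a subnet not shown in the output is the default 0.0.0.0/0.
            cur = {"name": m.group(1), "src": ANY, "dst": ANY}
        elif cur is None:
            continue
        elif line.startswith("set phase1name "):
            cur["phase1"] = line.split(None, 2)[2].strip('"')
        elif line.startswith(("set src-subnet ", "set dst-subnet ")):
            _, key, addr, mask = line.split()
            cur[key.split("-")[0]] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line == "next":
            tunnels.setdefault(cur["phase1"], []).append(cur)
            cur = None
    return tunnels


def anti_spoof_accepts(selectors, selector_index, src_ip):
    """Model of the FortiOS anti-spoof check: a packet decrypted under the child SA
    negotiated for selector N is accepted only if its source lies inside that
    selector's remote (dst-subnet) range. AWS picks the SA without regard to
    the packet's source, so only an all-zeroes selector is safe."""
    return ipaddress.ip_address(src_ip) in selectors[selector_index]["dst"]


def audit(cli_text, phase1name):
    """Flag anything that differs from the AWS template: more than one phase2,
    or a selector narrower than 0.0.0.0/0 on either side."""
    findings = []
    sels = parse_phase2(cli_text).get(phase1name, [])
    if len(sels) != 1:
        findings.append(f"{phase1name}: {len(sels)} phase2 selectors, expected exactly 1")
    for i, s in enumerate(sels):
        if s["src"] != ANY or s["dst"] != ANY:
            findings.append(f"{phase1name}: selector {i} ({s['name']}) is "
                            f"{s['src']} -> {s['dst']}, expected 0.0.0.0/0 -> 0.0.0.0/0")
    return findings


if __name__ == "__main__":
    bad = parse_phase2(MISCONFIGURED)["vpn-xxxx"]
    # AWS encrypts a packet from 10.100.1.38 under selector 0's SA: dropped before the fix.
    print("before fix, accepted:", anti_spoof_accepts(bad, 0, "10.100.1.38"))
    good = parse_phase2(RECOMMENDED)["vpn-xxxx"]
    print("after fix, accepted: ", anti_spoof_accepts(good, 0, "10.100.1.38"))
    for finding in audit(MISCONFIGURED, "vpn-xxxx"):
        print(finding)
```

Paste the real `show vpn ipsec phase2-interface` output in place of MISCONFIGURED to check a tunnel before upgrading. With the recommended selector, restricting which local traffic enters the tunnel is done with static routes on the tunnel interface, which the anti-spoof check does not consult.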
Related article:
Copyright 2025 Fortinet, Inc. All Rights Reserved.