• If FortiGate is configured with multiple phase2 selectors, it will work fine with AWS VPN before v7.4.2.
• After v7.4.2 or above, there will be intermittent traffic issues between AWS and FortiGate through the VPN.
• The reason is that AWS will be sending the traffic through the phase2 selectors randomly whenever there are multiple phase2 selectors configured for the VPN tunnel.
• When the traffic not reaching from AWS to local, we can see the debug flow showing the error below:

id=65308 trace_id=20320 func=ipsec_spoofed4 line=245 msg="src ip 10.100.1.38 mismatch selector 0 range 169.254.189.57-169.254.189.57"

id=65308 trace_id=20320 func=ipsec_input4 line=289 msg="anti-spoof check failed, drop"

• This shows that the traffic coming from AWS is matching a wrong phase2 selector and hence it failed the anti-spoof check.
• Further, by capturing the ESP packet and performing a decryption, AWS is sending the packet to the wrong SA hence when the packet arrives at FortiGate. It matches against the wrong selectors.
• To resolve this issue, we need to follow the configuration suggested by the AWS VPN configuration template. This template can be downloaded from AWS once configure the VPN.
• In the template, is state that for AWS VPN, configure only 1 phase2, which is 0.0.0.0/0. And if checking on AWS VPN settings, any option to configure multiple phase2 is visible.
• In conclusion, for AWS VPN, only single phase2 should be configured by following their recommended setting, quoted below:

! #2: IPSec Configuration

Under Phase 2 Selectors --> New Phase 2

           Name:  vpn-xxxx

           Local Address: LAN subnet behind Fortigate/0.0.0.0/0

           Remote Address: AWS Private Subnet/0.0.0.0/0