Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Navs
New Contributor

AWS VPN issues

Hi all

 

I am trying to setup a VPN tunnel from my 100E (6.0.4) to AWS.  The AWS setup was completed and a config file for fortigate downloaded, albeit a version 5.x one).  I have followed the instructions and the VPN tunnel is showing as UP on the AWS end and its also showing as UP under the Fortigate > IPSEC monitor > Phase 2 selectors. So far so good.

 

Another part of the setup asks for me to setup 169 addresses on the new VPN interface created, so that has been setup as below.  However i cant ping the remote end 169.254.66.97 from the firewall which i assume i should be able to as it will be used for link monitoring.

 

config system interface edit "vpn-c135b8747-0" set vdom "root" set ip 169.254.66.98 255.255.255.255 set allowaccess ping set type tunnel set tcp-mss 1379 set remote-ip 169.254.66.97 255.255.255.252 set snmp-index 38 set interface "port16" next end

 

Also a static route i configured, following the AWS instructions, pointing 172.20.0.0/22 to interface vpn-c135b8747-0 also doesn't make it into the routing table.

 

edit 9 set dst 172.20.0.0 255.255.252.0 set device "vpn-c135b8747-0" next

 

I have also created the policies to allow traffic to pass, any help would be appreciated.

4 REPLIES 4
hubertzw
Contributor III

Navs wrote:

set ip 169.254.66.98 255.255.255.255

...

set remote-ip 169.254.66.97 255.255.255.252

try with the same masks

Navs
New Contributor

Hi

 

I did try messing around with the masks, tries a /32 tried a /31, didnt make a difference, i dont think you can edit the mask on the local IP, no option in the GUI.  

 

However, after some debugging i noticed that the reason i couldnt ping the remote ip 169.254.66.97 was because i hadn't included it in the phase 2 selectors. Once added i could ping the remote IP, static route went into the routing table and i could ping my AWS instance.

 

 

kctesting77

Hi Navs,

 

I have the exact same issue where cannot PING the AWS Inside Peer IP address from any of the Tunnels...everything else works fine but I need this for Monitoring purposes.

I did the /30 /31...no joy & I have the 169.* subnets in Phase 2 on Fortigate and even added a Static Route.

I do not control the AWS side but all looks like yours on Fortigate. 

armen23
New Contributor

Use MTR to check for ICMP or TCP parcel misfortune and inactivity
MTR gives a nonstop refreshed result that permits you to examine network execution after some time. It consolidates the usefulness of traceroute and ping in a solitary organization indicative apparatus.

Introduce the MTR network instrument on your EC2 occasion in the VPC to check for ICMP or TCP parcel misfortune and idleness.

Amazon Linux:

sudo yum introduce mtr
Ubuntu:

sudo well-suited get introduce mtr

Run the accompanying tests between the private and public IP address for your EC2 examples and on-premises have bi-directionally. The way between hubs on a TCP/IP organization can alter when the course is switched. It's a best practice to get MTR results bi-directionally.

Note:

Ensure that the security gathering and NACL rules permit ICMP traffic from the source example.
Ensure that the test port is open on the objective example, and the security gathering and NACL rules permit traffic from the source on the convention and port.
The TCP-based outcome decide whether there is application-put together bundle misfortune or dormancy with respect to the association. MTR form 0.85 and higher have the TCP choice.

Private IP EC2 occurrence on-premises have reported:

mtr - n - c 200
Private IP EC2 case on-premises have report:

mtr - n - T - c 200 - P 443 - m 60
Public IP EC2 example on-premises have report:

mtr - n - c 200
Public IP EC2 example on-premises have report:

mtr - n - T - c 200 - P 443 - m 60

AWS classes in Pune provides services from dozens of information centers unfold across handiness zones (AZs) in regions across the earth. associate degree AZ could be a position that contains multiple physical knowledge centers. a section could be a assortment of AZs in geographic contiguity connected by low- quiescence network links.

For More Information visit: AWS Training in Pune

Armen Edvard
Armen Edvard
Labels
Top Kudoed Authors