New Contributor

Site-to-site VPN traffic issues to AWS VPC

I have inherited a FortiGate 60E running 5.4.4.  I am attempting to set up a VPN connection to an AWS VPC (set up with instructions from .  I have established the connection and the tunnel is up.  I can ping from an EC2 instance in the VPC to devices in my local office.  However, I cannot ping items in the VPC from my local office.  When trying to do a tracert, it doesn't even make one hop before failing (as if traffic is not routing from the local subnet to the AWS subnet).  Pinging the public IP is successful.  Unfortunately, I am not that familiar with FortiOS, which is making things more challenging as it is not very intuitive to me.


I have static routes configured to hit the AWS subnet.

I've been trying some different IPv4 policy settings to no avail.

phase2 on the VPN is set to for both local and remote.


I am at a loss as to where to look next.  Any guidance would be appreciated.






Valued Contributor

There are quite a few things that can cause such behavior; hard to say without seeing the config, but ...

- Make sure NAT is not enabled on the security rule from LAN to VPC LAN.

- Make sure routing is correct: # get router info routing-table all

- Do a sniffer to see if your pings from LAN reach and exit the correct interface, say your LAN in VPC is

# dia sni packet any 'icmp and' 


Be sure to disable source/destination check on each EC2 instance you want to reach...
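The checks above (no NAT on the LAN-to-VPC policy, a static route for the VPC prefix pointing at the tunnel interface, and a sniffer to see where the ICMP actually goes) map onto a small route-based IPsec configuration. The following is an added example, not a config posted in this thread or generated by AWS; it assumes a WAN interface named "wan1", the 60E's "internal" LAN interface, an office LAN of 192.168.1.0/24, a VPC CIDR of 10.0.0.0/16, an AWS tunnel endpoint of 203.0.113.10 and a placeholder pre-shared key, all of which are made-up values to replace with your own. Only one of the two AWS tunnels is shown. The phase 2 selectors are 0.0.0.0/0 on both sides, so the static route, not the selectors, decides what enters the tunnel.

```text
# --- Route-based IPsec tunnel to the AWS VPC (one of the two AWS tunnels) ---
# Assumed values: wan1, internal, 192.168.1.0/24, 10.0.0.0/16, 203.0.113.10, PSK.
config vpn ipsec phase1-interface
    edit "aws-vpn1"
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
        set keylife 28800
        set remote-gw 203.0.113.10
        set psksecret "REPLACE-WITH-PSK-FROM-AWS"
    next
end
config vpn ipsec phase2-interface
    edit "aws-vpn1-p2"
        set phase1name "aws-vpn1"
        set proposal aes128-sha1
        set dhgrp 2
        set pfs enable
        set keylifeseconds 3600
        # 0.0.0.0/0 on both sides: routing, not the selectors, steers traffic
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# --- Static route for the VPC prefix, pointing at the tunnel interface ---
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "aws-vpn1"
    next
end

# --- Policies in both directions, NAT explicitly off ---
config firewall policy
    edit 0
        set comments "LAN to AWS VPC"
        set srcintf "internal"
        set dstintf "aws-vpn1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set comments "AWS VPC to LAN"
        set srcintf "aws-vpn1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# --- Diagnostics to run interactively while pinging 10.0.1.10 from the LAN ---
# Route for 10.0.0.0/16 must show device aws-vpn1 and the tunnel must be up:
#   get router info routing-table all
#   diagnose vpn tunnel list
# Verbosity 4 prints the ingress/egress interface for every matched packet:
#   diagnose sniffer packet any 'icmp and host 10.0.1.10' 4
# Flow trace shows which policy and route (or drop reason) the packet hit:
#   diagnose debug flow filter daddr 10.0.1.10
#   diagnose debug flow show console enable
#   diagnose debug flow trace start 10
#   diagnose debug enable
```

In the sniffer output the echo request should be seen entering "internal" and leaving "aws-vpn1"; if it leaves "wan1" instead, the static route or the policy is not being matched, and if the flow trace reports "iprope" (policy) denial, the LAN-to-tunnel policy is the problem. On the AWS side the same two prerequisites apply in reverse: the VPC route table needs a route for the office prefix via the virtual private gateway (or route propagation enabled), and the instance's security group must allow ICMP from the office prefix, otherwise the request crosses the tunnel and is silently dropped at the instance.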





New Contributor

Can you share the config?


Esteemed Contributor III

I wrote this 5+ years ago and nothing really has changed; you might want to study your config and compare.


Ken Felix