Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DasYeti
New Contributor

Site-to-site VPN traffic issues to AWS VPC

I have inherited a Fortigate 60E running 5.4.4.  I am attempting to setup a VPN connection to a AWS VPC (setup with instructions from https://docs.fortinet.com/document/fortigate/6.2.0/aws-cookbook/506140/connecting-a-local-fortigate-...) .  I have established the connection and the tunnel is up.  I can ping from an EC2 instance in the VPC to devices in my local office.  However, I cannot ping items in the VPC from my local office.  When trying to do a tracert, it doesn't even make one hop before failing (as if traffic is not routing from the local subnet to the AWS subnet).  Pinging the public IP is successful.  Unfortunately, I am not that familiar with the fortiOS which is making things more challenging as it is not very intuitive to me.

 

I have static routes configured to hit the AWS subnet

I've been trying some different IPv4 policy setting to no avail

phase2 on the VPN is set to 0.0.0.0/0.0.0.0 for both local and remote.

 

I am at a loss as to where to look next.  Any guidance would be apprciated.

 

 

 

 

 

4 REPLIES 4
Yurisk
Valued Contributor

There are quite a few things that cause such behavior, hard to say without seeing the config, but ...

- Make sure NAT is not enabled on the security rule from LAN to VPC LAN.

- Make sure routing is correct: # get route info routing all

- Do a sniffer to see if your pings from LAN reach and exit the correct interface, say your lan in VPC is 10.10.10.0/24:

# dia sni packet any 'icmp and 10.10.10.0/24' 

 

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
HA
Contributor

Hi,

 

Be sure to disable source/destination check on each EC2 instance you want to reach...

 

Regards,

 

HA

SanZ
New Contributor

Can you share config? 

 

emnoc
Esteemed Contributor III

I wrote this 5+ years ago and nothing really has change , you might want to study your config and compare

 

http://socpuppet.blogspot.com/2014/02/dual-vpc-terminate-on-fortigate-firewall.html

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan