Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
robinsonb
New Contributor

Created on ‎06-30-2022 05:52 AM

Connexion fail VPN Fortigate local to Fortigate AWS

Hello everyone,

I have a little problem I can not properly configure my local Fortigate VPN on Vmware on my AWS Fortigate. (I followed this: https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/aws-administration-guide/881566/conn...

 

Here’s the infrastructure I have 

robinsonb_0-1656593084994.png

On the AWS Fortigate part:

 

robinsonb_1-1656593117197.png

 

robinsonb_2-1656593134328.png

 

robinsonb_3-1656593145117.png

What I get:

 

robinsonb_4-1656593169636.png

 

robinsonb_5-1656593173535.png

 

My security entry group for the fortigate AWS:

 

robinsonb_6-1656593201411.png

(I don’t know if I need to add a route to my subnet)

 

On the Local part Vmware Fortigate:

 

robinsonb_7-1656593283441.png

 

robinsonb_8-1656593287017.png

robinsonb_9-1656593289671.png

What I get:

 

robinsonb_10-1656593331568.png

 

robinsonb_11-1656593336391.png

My local Fortigate can ping my AWS Fortigate.

 

Thank you in advance for your answers

 

Labels:
414
0 Kudos
2 REPLIES 2
ssudhakar
Staff
Staff

Created on ‎06-30-2022 01:57 PM Edited on ‎06-30-2022 01:57 PM

Hi there :

 

From the doc that you have attached, It says that the NAT config on AWS side should be set to This site is behind NAT. I see that you have set it to the remote site is behind NAT. 

 

 https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/aws-administration-guide/881566/conn...

 
To create a VPN on the AWS FortiGate to the local FortiGate:
  1. For NAT Configuration, select This site is behind NAT. This is the correct configuration since the AWS FortiGate has an elastic IP address. Click Next.

Can you please change it to This site is behind NAT  and see if it works?

 

Thank you,

Hope

383
0 Kudos
robinsonb
New Contributor
In response to ssudhakar

Created on ‎06-30-2022 04:02 PM

Hello Sudhakar,


I think they are mistaken since there are not the same fields to fill on the part
Site behind nat and remote site behind nat.
He explains that it is necessary to fill the incoming interface or this one can only fill it on the part and that the remote site is behind nat.

 

robinsonb_0-1656630036082.png

 

robinsonb_1-1656630041103.pngrobinsonb_2-1656630141627.pngrobinsonb_3-1656630148493.png

 

 

380
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.