stevediaz
New Contributor

FortiGate IPsec Configuration - Unable to Establish Internet Access for AWS EC2 Instances

Hello Fortinet community,

I have set up an IPsec connection from FortiGate to AWS, and I'm currently facing a challenge with enabling internet access for my AWS EC2 instances through the IPsec tunnel. Here's a brief overview of my setup:

  • AWS VPC: I have a private subnet containing various services, including EC2 instances.
  • FortiGate: I have two networks - a DMZ network and an internal network. Both can communicate with the EC2 instances without any issues.

However, I want to allow the following path for my EC2 instances:

EC2 ===> FortiGate 1 ===> Internet

To achieve this, I've configured the AWS route table to have a route with destination 0.0.0.0/0 pointing to the virtual private gateway (VGW) to handle internet-bound traffic.

On the FortiGate side, I've implemented two policies. The first policy allows traffic from the WAN to AWS IPsec, and the second policy allows traffic from AWS IPsec to the WAN.

Despite these configurations, the setup isn't functioning as expected. When capturing traffic on the FortiGate, I see the following result for a ping request:

1 0.000000 192.168.16.44 8.8.8.8 ICMP 60 Echo (ping) request id=0x0001, seq=51820/27850, ttl=128 (no response found!)

This suggests that the ping request from 192.168.16.44 (presumably one of the EC2 instances) to 8.8.8.8 (Google's DNS server) did not receive a response.

I'd greatly appreciate any guidance, suggestions, or troubleshooting steps to resolve this issue and enable internet access for my AWS EC2 instances via the FortiGate IPsec connection.

Thank you for your time and assistance!

1 REPLY
mriswan
Staff

Hello @stevediaz,

Are you seeing sessions being established on the firewall for this traffic? If not, you might have to check the route for the source IP. It should be through the same IPsec tunnel, or else it would drop due to the RPF check.
Also ensure that NAT is being applied on the policy to go out.

To check the sessions:
diag sys session filter dst 8.8.8.8

diag sys session filter src <EC2 instance IP>

diag sys session filter proto 1

diag sys session list
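
The reverse path (RPF) check mentioned in the reply, modelled as an added Python example that is not part of the original thread and is not FortiOS code. The interface names `wan1` and `aws-ipsec` and the 192.168.16.0/24 mask are assumptions, and route distance and priority are ignored.

```python
import ipaddress

# Constructed routing tables as (prefix, egress interface). The interface
# names and the 192.168.16.0/24 mask are assumptions, not from the thread.
ROUTES_BEFORE = [("0.0.0.0/0", "wan1")]
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.16.0/24", "aws-ipsec")]


def routes_to(routes, src):
    """Routes covering src, longest prefix (most specific) first."""
    ip = ipaddress.ip_address(src)
    nets = [(ipaddress.ip_network(p), dev) for p, dev in routes]
    hits = [(n, dev) for n, dev in nets if ip in n]
    return sorted(hits, key=lambda h: h[0].prefixlen, reverse=True)


def rpf_pass(routes, src, in_iface, strict=False):
    """Reverse path check for a packet from src arriving on in_iface.

    Feasible-path mode: any route back to src via in_iface is enough.
    Strict mode: the best (longest-prefix) route must use in_iface.
    """
    hits = routes_to(routes, src)
    if strict and hits:
        best = hits[0][0].prefixlen
        hits = [h for h in hits if h[0].prefixlen == best]
    return any(dev == in_iface for _, dev in hits)


def diagnose(routes, src, in_iface, strict=False):
    """One-line verdict to read next to the session list output."""
    if rpf_pass(routes, src, in_iface, strict):
        return f"{src} via {in_iface}: RPF ok, session can be created"
    back = [dev for _, dev in routes_to(routes, src)] or ["none"]
    return (f"{src} via {in_iface}: RPF drop, return route(s) point to "
            f"{', '.join(back)}")


if __name__ == "__main__":
    src = "192.168.16.44"  # source address from the capture in the question
    print(diagnose(ROUTES_BEFORE, src, "aws-ipsec"))
    print(diagnose(ROUTES_AFTER, src, "aws-ipsec"))
    print(diagnose(ROUTES_AFTER, src, "aws-ipsec", strict=True))
```

With only a default route via the WAN, the packet arriving on the tunnel fails the check and no session appears in the session list; adding a route for the EC2 subnet via the tunnel interface makes it pass in both modes.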
