Hello Fortinet community,
I have set up an IPsec connection from FortiGate to AWS, and I'm currently facing a challenge with enabling internet access for my AWS EC2 instances through the IPsec tunnel. Here's a brief overview of my setup:
However, I want to allow the following path for my EC2 instances:
EC2 ===> FortiGate 1 ===> Internet
To achieve this, I've configured the AWS route table to have a route with destination 0.0.0.0/0 pointing to the virtual private gateway (VGW) to handle internet-bound traffic.
On the FortiGate side, I've implemented two policies. The first policy allows traffic from the WAN to AWS IPsec, and the second policy allows traffic from AWS IPsec to the WAN.
Despite these configurations, the setup isn't functioning as expected. When capturing traffic on the FortiGate, I see the following result for a ping request:
1 0.000000 192.168.16.44 8.8.8.8 ICMP 60 Echo (ping) request id=0x0001, seq=51820/27850, ttl=128 (no response found!)
This suggests that the ping request from 192.168.16.44 (presumably one of the EC2 instances) to 8.8.8.8 (Google's DNS server) did not receive a response.
I'd greatly appreciate any guidance, suggestions, or troubleshooting steps to resolve this issue and enable internet access for my AWS EC2 instances via the FortiGate IPsec connection.
Thank you for your time and assistance!
Hello @stevediaz,
Are you seeing sessions being established on the firewall for this traffic? If not, you might have to check the route for the source IP. It should be through the same IPsec tunnel, or else it would be dropped due to the RPF check.
Also ensure NAT is being applied on the policy going out.
To check the sessions:
diag sys session filter dst 8.8.8.8
diag sys session filter src <EC2 instance IP>
diag sys session filter proto 1
diag sys session list
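The two checks in the reply above (a return route for the EC2 source subnet via the tunnel so RPF passes, and NAT on the outbound policy), written out as FortiOS CLI. This is an added example, not configuration from the original post or reply; the tunnel interface name "AWS-IPsec", the WAN interface "wan1", and the EC2 subnet 192.168.16.0/24 are assumptions (only the host 192.168.16.44 appears in the capture).

```fortios
# Assumed names: tunnel interface "AWS-IPsec", WAN interface "wan1",
# EC2 subnet 192.168.16.0/24 (derived from the 192.168.16.44 host in the capture).

# 1. Return route for the EC2 subnet through the tunnel.
#    Without it, packets arriving from 192.168.16.44 on AWS-IPsec fail the
#    RPF check and no session is ever created.
config router static
    edit 0
        set dst 192.168.16.0 255.255.255.0
        set device "AWS-IPsec"
        set comment "EC2 subnet via AWS tunnel (RPF / return path)"
    next
end

# 2. Outbound policy tunnel -> WAN with source NAT enabled, so the private
#    EC2 address is translated to the wan1 address before leaving.
config firewall policy
    edit 0
        set name "AWS-EC2-to-Internet"
        set srcintf "AWS-IPsec"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Verification (run from the CLI, not part of the config):
#   get router info routing-table details 192.168.16.44   <- must resolve via AWS-IPsec
#   diag sys session filter src 192.168.16.44
#   diag sys session filter dst 8.8.8.8
#   diag sys session list                                  <- expect a session with a
#                                                              SNAT entry to the wan1 address
```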