FortiGate IPsec Configuration - Unable to Establish Internet Access for AWS EC2 Instances
Hello Fortinet community,
I have set up an IPsec connection from FortiGate to AWS, and I'm currently facing a challenge with enabling internet access for my AWS EC2 instances through the IPsec tunnel. Here's a brief overview of my setup:
AWS VPC: I have a private subnet containing various services, including EC2 instances.
FortiGate: I have two networks - a DMZ network and an internal network. Both can communicate with the EC2 instances without any issues.
However, I want to allow the following path for my EC2 instances:
EC2 ===> FortiGate 1 ===> Internet
To achieve this, I've configured the AWS route table to have a route with destination 0.0.0.0/0 pointing to the virtual private gateway (VGW) to handle internet-bound traffic.
On the FortiGate side, I've implemented two policies. The first policy allows traffic from the WAN to AWS IPsec, and the second policy allows traffic from AWS IPsec to the WAN.
Despite these configurations, the setup isn't functioning as expected. When capturing traffic on the FortiGate, I see the following result for a ping request:
Are you seeing sessions being established on the firewall for this traffic? If not, you might have to check the route for the source IP. It should be through the same IPsec tunnel, or else it would drop due to the RPF check. Also ensure NAT is being applied on the policy to go out.
To check the sessions: diag sys session filter dst 22.214.171.124
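The pieces the reply points at (a return route for the EC2 source addresses through the tunnel so the reverse-path check passes, and source NAT on the tunnel-to-WAN policy), written out as FortiOS CLI. This is an added example, not configuration from the thread; the phase1 interface name aws-ipsec, the VPC CIDR 10.0.0.0/16, the WAN interface wan1 and the test host 10.0.1.25 are assumed placeholders.

```text
# Assumed names/addresses: aws-ipsec (phase1 interface), 10.0.0.0/16 (VPC), wan1, 10.0.1.25 (an EC2 host)

# 1. Route the VPC subnet back through the tunnel interface. Without this, a packet
#    sourced from an EC2 address arriving on aws-ipsec fails the RPF check and is dropped.
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "aws-ipsec"
    next
end

# 2. Keep the phase2 selectors wide open (FortiOS default). Internet-bound traffic from
#    AWS only enters the tunnel if the selector on the FortiGate's local side covers 0.0.0.0/0.
config vpn ipsec phase2-interface
    edit "aws-ipsec-p2"
        set phase1name "aws-ipsec"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# 3. Address object for the VPC and the tunnel-to-WAN policy with NAT enabled, so EC2
#    private addresses leave wan1 translated to the FortiGate's public address.
config firewall address
    edit "aws-vpc-subnet"
        set subnet 10.0.0.0 255.255.0.0
    next
end
config firewall policy
    edit 0
        set name "aws-to-internet"
        set srcintf "aws-ipsec"
        set dstintf "wan1"
        set srcaddr "aws-vpc-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 4. Verify from the CLI: sessions from the EC2 source should appear with the NAT'd address.
diagnose sys session filter clear
diagnose sys session filter src 10.0.1.25
diagnose sys session list
```

If no session appears at all, the packet never reached policy lookup, which points back at the route in step 1 or at the AWS-side selector rather than at the policy.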