OrtizJorge97
New Contributor

FortiGate AWS VPN site-to-site with RUT951 is up, but communication is not bidirectional between the sites.

I have a site-to-site VPN set up between my private subnet (10.0.1.0/24) and a Teltonika RUT951 router subnet (192.168.10.0/24), which is connected to the internet through dial-up (Telcel SIM card). The site-to-site tunnel is up and running successfully on the phase1 and phase2 selectors..... But I CANNOT ping or telnet from the server in the private net to the RUT951 router itself nor to any device behind the router.

But I am able to ping or telnet successfully from the RUT951 router to the server in the private net.

From the FortiGate CLI I tried to ping 192.168.10.1, but no luck.

My guess is that the issue is on the firewall of the RUT951 router, but I am new to this so I need help.

I have both policies allowing all access, RUT951 -> PRIVATE NET and PRIVATE NET -> RUT951, as below:

PRIVATE NET -> RUT951 policy (this one does not work for ping or telnet; disabling or enabling NAT gives the same result).

RUT951 -> PRIVATE NET (this one works perfectly, I can ping or telnet)

[Screenshot 2024-12-10 at 5.37.51 p.m..png]

Static Routes

[Screenshot 2024-12-10 at 5.39.57 p.m..png]

IPsec tunnel site-to-site success status.

[Screenshot 2024-12-10 at 5.44.48 p.m..png]

More context:

FortiGate in a VM in AWS.

Private subnet 10.0.1.0/24, where the private server resides.

Public-facing subnet 10.0.0.0/24.

My Teltonika RUT951 router subnet 192.168.10.0/24 (internet access through a Telcel SIM card, not WAN as such).

RUT951 router IP address 192.168.10.1

1 Solution
dingjerry_FTNT

Hi @OrtizJorge97 ,

Please specify the source IP for Ping on FGT:

execute ping-options source x.x.x.x   // x.x.x.x is the IP assigned to port2
execute ping 192.168.10.1

Regards,

Jerry


25 Replies
OrtizJorge97

Hi @dingjerry_FTNT ,

Yes, it is actually pointing to the port2 IP address. [Screenshot 2024-12-10 at 8.17.08 p.m..png]

Below I attach the route table of the private net. [Screenshot 2024-12-10 at 8.18.36 p.m..png]

dingjerry_FTNT

Hi @OrtizJorge97 ,

I am not familiar with AWS. On the private server (I assume it is Windows based), can you see the ARP entry for 10.0.1.10?

If it is Windows based, you may run "arp -a".

You can get the MAC address of port2 on the FGT with this CLI command:

diag hardware deviceinfo nic port2

Regards,

Jerry
dingjerry_FTNT

Hi @OrtizJorge97 ,

My bad, your private server is Linux based. But the commands are the same.

Please run the following on the private server:

arp -a
traceroute 192.168.10.1

Please run the following on the FGT:

diag hardware deviceinfo nic port2

Regards,

Jerry
OrtizJorge97

Hi @dingjerry_FTNT ,

Here I attach the results of my arp -a and traceroute 192.168.10.1 commands

[Screenshot 2024-12-11 at 8.15.35 a.m..png]

Added a rule to the routing table inside the Linux server to redirect it through 10.0.1.10 (port2 on the FGT), still no luck; also ran again diag sniffer packet any 'icmp and host 192.168.10.1' 4

Still not reaching the FGT on port2.

Results in FGT for diag hardware deviceinfo nic port2

[Screenshot 2024-12-11 at 8.08.17 a.m..png]

dingjerry_FTNT

Hi @OrtizJorge97 ,

1) Your Linux host has a gateway pointing to 10.0.1.1, if I understand correctly. What is the gateway?

2) Your ARP entry for 10.0.1.10 has the correct MAC address.

So weird, I am not sure why it is not hitting the FGT.

Maybe you can try to reboot the private server and then check everything again?

Regards,

Jerry
OrtizJorge97

Hi @dingjerry_FTNT ,

Yes, the gateway is pointing to 10.0.1.1; ping from the private server to the gateway succeeds.

The gateway is the private subnet gateway IP address from AWS.

Changed the destination in the subnet route table for the private subnet to 192.168.10.1/32 and tried ping; again not working. Changed it back to 192.168.10.0/24.

[Screenshot 2024-12-11 at 11.36.18 a.m..png]

Also rebooted the private server, and still not getting a ping response; the FortiGate CLI is not even receiving the ping request.

Regards,

dingjerry_FTNT

Hi @OrtizJorge97 ,

There is nothing wrong with 192.168.10.0/24, so do not make any more changes on the 192.168.10.0/24 subnet; that only makes things more complicated.

Steps for further investigation:

1) What is the IP of your private server?

2) Can you ping this IP from the FGT?

3) Run the following CLI commands:

get sys arp
diag debug flow show iprope enable
diag debug flow filter proto 1
diag debug flow filter addr 10.0.1.10
diag debug flow trace start 20
diag debug enable

Then please ping 10.0.1.10 from your private server. Please do not run a continuous ping.

Regards,

Jerry
OrtizJorge97

Hi @dingjerry_FTNT ,

What is the IP of your private server? -> 10.0.1.27

Can you ping this IP from the FGT? -> Yes, I can ping the private server from the FortiGate CLI, picture below.

[Screenshot 2024-12-11 at 8.53.40 p.m..png]

Run the following CLI commands. -> Result output of the commands: https://codeshare.io/Mkndop

get sys arp
diag debug flow show iprope enable
diag debug flow filter proto 1
diag debug flow filter addr 10.0.1.10
diag debug flow trace start 20
diag debug enable

Same results output of the commands below too:

https://codeshare.io/Mkndop

Also, as a quick note, I just ran "traceroute 192.168.10.1" from the private server and it does not even make a hop at the private net gateway IP 10.0.1.1.

dingjerry_FTNT

Hi @OrtizJorge97 ,

Based on the outputs of the debug flow commands:

1) The ping traffic from the private server was hitting the FortiGate;

2) The FGT has the ARP entry for the private server IP;

3) However, you were pinging 10.0.1.10.

Please run the debug flow commands again, then ping 192.168.10.1.

Regards,

Jerry
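The reading Jerry does above of a `diag debug flow` trace (did the packet arrive on the FGT, on which interface, which route did it match, which policy allowed or denied it, and was the destination actually the remote host) is mechanical enough to script. The Python below is an added example, not code from this thread or from Fortinet; it parses debug-flow lines in the standard FortiOS `id=... trace_id=... func=... msg="..."` format and summarizes each trace_id. The sample trace is constructed to mirror the addresses in this thread (10.0.1.27 is the private server, 10.0.1.10 is port2, 192.168.10.1 is the RUT951, and the tunnel interface name RUT951-VPN is assumed); it is not the poster's real output.

```python
import re

# Constructed sample of FortiOS "diag debug flow" output (not the thread's real
# output). Trace 1 is the mistake discussed above: the host pinged port2 itself
# (10.0.1.10), so the route is local ("via root") and no forward policy is
# involved. Trace 2 is a ping to the RUT951 that matches the tunnel route and a
# policy. Trace 3 hits the implicit deny (policy 0). Interface name assumed.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.1.27:1->10.0.1.10:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-0000009a"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-10.0.1.10 via root"
id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.1.27:1->192.168.10.1:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=6073 msg="allocate a new session-0000009b"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.10.1 via RUT951-VPN"
id=20085 trace_id=2 func=fw_forward_handler line=871 msg="Allowed by Policy-2:"
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=789 msg="enter IPSec interface-RUT951-VPN, tun_id=0.0.0.0"
id=20085 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.1.27:1->192.168.10.5:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=3, seq=1."
id=20085 trace_id=3 func=init_ip_session_common line=6073 msg="allocate a new session-0000009c"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.10.5 via RUT951-VPN"
id=20085 trace_id=3 func=fw_forward_handler line=871 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)\).*? from (\S+?)\.')
ROUTE_RE = re.compile(r'find a route: flag=\w+ gw-(\S+) via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
XMIT_RE = re.compile(r'enter IPSec interface-(\S+?),')


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id and pull out the fields a reader
    checks by eye: ingress interface, matched route, verdict and egress."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt echo, blank line or other non-trace output
        tid, msg = int(m.group(1)), m.group(3)
        t = traces.setdefault(tid, {
            "proto": None, "src": None, "dst": None, "in_iface": None,
            "gw": None, "route_via": None, "verdict": "no verdict",
            "policy": None, "out_iface": None,
        })
        if (pm := PKT_RE.search(msg)):
            t["proto"], t["src"] = int(pm.group(1)), pm.group(2)
            t["dst"], t["in_iface"] = pm.group(4), pm.group(6)
        elif (rm := ROUTE_RE.search(msg)):
            t["gw"], t["route_via"] = rm.group(1), rm.group(2)
        elif (am := ALLOW_RE.search(msg)):
            t["verdict"], t["policy"] = "allowed", int(am.group(1))
        elif (dm := DENY_RE.search(msg)):
            # policy 0 is the implicit deny: no configured policy matched
            t["verdict"], t["policy"] = "denied", int(dm.group(1))
        elif (xm := XMIT_RE.search(msg)):
            t["out_iface"] = xm.group(1)
    return traces


def find_traces_to(traces, dst):
    """Trace ids whose destination is dst; empty means that traffic never
    reached the FortiGate at all, which is itself the finding."""
    return sorted(tid for tid, t in traces.items() if t["dst"] == dst)


def summarize(traces):
    """One human-readable line per trace_id, in trace order."""
    lines = []
    for tid in sorted(traces):
        t = traces[tid]
        line = (f"trace {tid}: proto {t['proto']} {t['src']} -> {t['dst']} "
                f"in on {t['in_iface']}, route via {t['route_via']} (gw {t['gw']}), "
                f"{t['verdict']}")
        if t["policy"] is not None:
            line += f" by policy {t['policy']}"
        if t["out_iface"]:
            line += f", sent out {t['out_iface']}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    parsed = parse_debug_flow(SAMPLE_TRACE)
    for line in summarize(parsed):
        print(line)
    print("traces to 192.168.10.1:", find_traces_to(parsed, "192.168.10.1"))
```

Paste a captured trace in place of SAMPLE_TRACE (or read it from a file) and run it; a destination that shows up with `route via root` is a ping to the FortiGate's own interface, as in trace 1, while a destination missing from `find_traces_to` confirms the packets are being dropped before the FGT, which is the situation the rest of this thread chases on the AWS side.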
OrtizJorge97

Hi @dingjerry_FTNT ,

Ran the first debug commands in the FortiGate CLI

[Screenshot 2024-12-11 at 9.24.17 p.m..png]

Then ran ping from the private server, and nothing was debugged in the FGT CLI terminal; it is not even reaching interface port2 on the FGT.

[Screenshot 2024-12-11 at 9.24.29 p.m..png]

Regards,
