Fortinet Support Forum
OrtizJorge97
New Contributor

Fortigate AWS VPN Site to Site with RUT951 is up, but communication not bidirectional on sites.

I have a site-to-site VPN set up between my private subnet (10.0.1.0/24) and the Teltonika RUT951 router subnet (192.168.10.0/24), which is connected to the internet through dial-up (Telcel SIM card). The site-to-site tunnel is up and running successfully on the phase 1 and phase 2 selectors. But I CANNOT ping or telnet from the server in the private net to the RUT951 router itself, nor to any device behind the router.

But I am able to ping or telnet successfully from the RUT951 router to the server in the private net.

 

From the FortiGate CLI I tried to ping 192.168.10.1, but no luck.

My guess is the issue is in the firewall of the RUT951 router, but I am new to this, so I need help.

 

I have both policies allowing all access, RUT951 -> PRIVATE NET and PRIVATE NET -> RUT951, as below:

 

PRIVATE NET -> RUT951 policy (this one does not work for ping or telnet; disabling or enabling NAT gives the same result).

 

RUT951 -> PRIVATE NET policy (this one works perfectly; I can ping or telnet).

Screenshot 2024-12-10 at 5.37.51 p.m..png

 

Static Routes

Screenshot 2024-12-10 at 5.39.57 p.m..png

 

IPsec site-to-site tunnel status: success.

Screenshot 2024-12-10 at 5.44.48 p.m..png

 

More context:

FortiGate in a VM in AWS.

Private subnet 10.0.1.0/24, where the private server resides.

Public-facing subnet 10.0.0.0/24.

My Teltonika RUT951 router subnet 192.168.10.0/24 (internet access through a Telcel SIM card, not a WAN as such).

RUT951 router IP address: 192.168.10.1

1 Solution
dingjerry_FTNT

Hi @OrtizJorge97 ,

 

Please specify the source IP for Ping on FGT:

 

execute ping-options source x.x.x.x  // x.x.x.x is the IP assigned to port2

execute ping 192.168.10.1

Regards,

Jerry


dingjerry_FTNT

Hi @OrtizJorge97 ,

 

It's because you configured the incorrect "addr" filter:

 

diag debug flow filter addr 10.0.1.10

 

It has to be 192.168.10.1

Regards,

Jerry
OrtizJorge97

Hi @dingjerry_FTNT ,

You are right, my bad there. Below I attach the debug commands with the corrected IP address filter.

 

FortiGate CLI: this is how it looked even after running "ping 192.168.10.1"

Screenshot 2024-12-11 at 10.07.14 p.m..png

 

Ping from the private server after running the debug commands.

Screenshot 2024-12-11 at 10.07.26 p.m..png

 

Regards,

ModEngine2
New Contributor

It looks like you're facing a one-way communication issue in your site-to-site VPN setup between the Fortigate and RUT951 routers. Since the VPN tunnel is established and you can ping and telnet from the RUT951 router to your private network but not vice versa, there are a few areas to check.

First, verify the firewall policies on both devices. Ensure that the policies allowing traffic from your private network to the RUT951 subnet are configured correctly on the Fortigate. Double-check that NAT (Network Address Translation) is disabled in both directions, as enabling it could sometimes block communication from one side.

On the RUT951 side, check its firewall rules and ensure that it allows inbound traffic from the private network (10.0.1.0/24). Sometimes, routers like the RUT951 may have more restrictive firewall settings for inbound connections, so it's important to make sure it isn't blocking traffic from your VPN network.

Mod Engine2
OrtizJorge97

Hi @ModEngine2 ,

 

Yes, inbound rules and firewalls allow all traffic. What is happening, after so much debugging, is that resources (the private server) in the private subnet, when pinging 192.168.10.0/24, don't know where to send the traffic.

 

In the FGT CLI I inspected the ping request for 192.168.10.1 to see if at least the request is arriving.

So a ping from my 10.0.1.27 server to 192.168.10.1 does not reach the port2 (10.0.1.10) interface of the FortiGate.

 

I already modified the routing tables to point the 192.168.10.0/24 destination at the network interface of port2.

 

OrtizJorge97
New Contributor

@dingjerry_FTNT Got a winner!

Turns out the problem was on the FGT port2 interface: the Source/dest check was enabled in AWS, which did not allow pinging other IPs that are not inside 10.0.1.0/24. I just disabled this check, and now I have communication from the private net to the RUT951 device(s)!
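The root cause in this thread was the EC2 source/destination check left enabled on the FortiGate's port2 ENI: the VPC route table sends 192.168.10.0/24 to that ENI, but with the check on, EC2 drops any packet the ENI forwards that is not addressed to its own IP, so the server's ping never reached port2 and the debug flow showed nothing. The script below is an added example (not code from the original post, nor from Fortinet or Teltonika) that audits for exactly this: it reads JSON shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces`, finds every ENI used as a route target (i.e. acting as a router, NAT or VPN hop), and flags those that still have SourceDestCheck enabled, printing the `aws ec2 modify-network-interface-attribute ... --no-source-dest-check` command that fixes each. The embedded JSON is constructed to mirror this thread (port2 at 10.0.1.10, server at 10.0.1.27); the ENI, subnet and route-table IDs are made up.

```python
"""Audit VPC route targets for the EC2 source/destination check.

Added example for this forum thread; it is not the poster's code and not
anything from Fortinet or AWS. It runs offline on constructed sample JSON
shaped like `aws ec2 describe-route-tables` and
`aws ec2 describe-network-interfaces` output. All IDs below are made up.
"""
import json

# Constructed sample: the private subnet's route table sends the RUT951 LAN
# (192.168.10.0/24) to the FortiGate's port2 ENI, as in the thread.
SAMPLE_ROUTE_TABLES = json.dumps({
    "RouteTables": [
        {
            "RouteTableId": "rtb-0private0example",
            "Associations": [{"SubnetId": "subnet-0private0example"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "192.168.10.0/24",
                 "NetworkInterfaceId": "eni-0fgtport20example", "State": "active"},
            ],
        }
    ]
})

# Constructed sample: every ENI still has the AWS default (check enabled).
SAMPLE_ENIS = json.dumps({
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0fgtport20example", "PrivateIpAddress": "10.0.1.10",
         "SubnetId": "subnet-0private0example", "SourceDestCheck": True, "Description": "FortiGate port2"},
        {"NetworkInterfaceId": "eni-0fgtport10example", "PrivateIpAddress": "10.0.0.10",
         "SubnetId": "subnet-0public00example", "SourceDestCheck": True, "Description": "FortiGate port1"},
        {"NetworkInterfaceId": "eni-0server000example", "PrivateIpAddress": "10.0.1.27",
         "SubnetId": "subnet-0private0example", "SourceDestCheck": True, "Description": "private server"},
    ]
})


def next_hop_enis(route_tables_json):
    """Map ENI id -> [(route table id, destination CIDR)] for every route whose
    target is an ENI. Such an ENI forwards packets not addressed to itself,
    which is precisely the traffic the source/dest check discards."""
    targets = {}
    for rtb in json.loads(route_tables_json)["RouteTables"]:
        for route in rtb.get("Routes", []):
            eni = route.get("NetworkInterfaceId")
            if eni:
                dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
                targets.setdefault(eni, []).append((rtb["RouteTableId"], dest))
    return targets


def find_misconfigured(route_tables_json, enis_json):
    """Return findings for ENIs that are route targets but still have the check on.
    ENIs that do not forward (here port1 and the server) are left alone: the
    check is a useful anti-spoofing control and should stay on for them."""
    targets = next_hop_enis(route_tables_json)
    enis = {e["NetworkInterfaceId"]: e for e in json.loads(enis_json)["NetworkInterfaces"]}
    findings = []
    for eni_id, routes in targets.items():
        eni = enis.get(eni_id)
        if eni is None:
            findings.append({"eni": eni_id, "ip": None, "routes": routes,
                             "problem": "route targets an ENI that does not exist"})
        elif eni["SourceDestCheck"]:
            findings.append({"eni": eni_id, "ip": eni["PrivateIpAddress"], "routes": routes,
                             "problem": "SourceDestCheck enabled on a forwarding ENI"})
    return findings


def remediation_commands(findings):
    """AWS CLI command per flagged ENI (the ENI-level attribute, which is the
    one that matters for a multi-interface appliance like the FortiGate)."""
    return [f"aws ec2 modify-network-interface-attribute --network-interface-id {f['eni']} "
            f"--no-source-dest-check" for f in findings if f["ip"] is not None]


def mark_disabled(enis_json, eni_ids):
    """Dry-run of the remediation: return the ENI JSON with the check cleared
    on the given ENIs, so the audit can be re-run before touching AWS."""
    data = json.loads(enis_json)
    for eni in data["NetworkInterfaces"]:
        if eni["NetworkInterfaceId"] in eni_ids:
            eni["SourceDestCheck"] = False
    return json.dumps(data)


if __name__ == "__main__":
    found = find_misconfigured(SAMPLE_ROUTE_TABLES, SAMPLE_ENIS)
    for f in found:
        print(f"{f['eni']} ({f['ip']}): {f['problem']}; used by {f['routes']}")
    for cmd in remediation_commands(found):
        print(cmd)
    fixed = mark_disabled(SAMPLE_ENIS, [f["eni"] for f in found])
    print("after fix:", find_misconfigured(SAMPLE_ROUTE_TABLES, fixed))
```

Against real accounts, feed the script the two `describe-*` JSON documents and keep the scope narrow: only ENIs that appear as route targets need the check off, which is why port1 and the server ENI are not flagged. A route whose target ENI has been deleted is reported too, since it produces the same blackhole symptom (tunnel up, one direction dead) from the VPC side.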

dingjerry_FTNT

Ah, glad to hear that you fixed the issue. I knew that there was nothing wrong with FGT :)

Regards,

Jerry