Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rg_586
New Contributor III

Fortinet 201E v7.2.2 - Site to site VPN with AWS VPC - link-monitor problem - ping fails

Hi.

I am currently configuring Site to Site VPN using Amazon VPC tunnels to my Fortinet 201E Firewalls running v7.2.2.

The configuration involves 2 IPSec tunnels configured in AWS. I have attached the Configuration below that AWS allows the user to download once they have created a Site to Site VPN.

Where the problem begins, in the configuration file the instructions ask the user to use gwdetect which in later versions is link-monitor which will allow me to switch from the primary ipsec tunnel to the secondary tunnel.

I have configured link-monitor using the guide https://docs.fortinet.com/document/fortigate/7.2.2/cli-reference/122620/config-system-link-monitor

However I can get the link-monitor to ping out to any 10.X.X.X address but not the 169.X.X.X address in the AWS Configuration, I run the command on the Fortinet diag sys link-monitor status and the ping to the 169.X.X.X address is dead.

So I am asking for some help or someone with experience configuring Site to Site VPN using Amazon VPC to Fortinet Firewall please.

 

 

! Amazon Web Services
! Virtual Private Cloud

! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID 		              : vpn-05303c885396bac29
! Your Virtual Private Gateway ID         : 
! Your Customer Gateway ID		            : cgw-007a8df3aeee14552
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration

Go to  VPN --> IPSEC Tunnels --> Create New (drop down) --> Select IPSEC Tunnel

VPN Creation Wizard Window appears

Select Template Type as “Custom”

Provide a Name for the VPN connection (Name must be shorter than 15 chars, best if shorter than 12): vpn-05303c885396bac29-0

New VPN Tunnel Window Appears (Here we configure the VPN settings):

Under “Network” Section:
a. IP Version:     IPv4
b. Remote Gateway: Static IP Address
c. IP address: 192.168.100.0
d. Local Interface: wan1
e. Local Gateway: Select Specify and enter WAN port IP (Public IP)
f. Dead Peer Detection: Enable by selecting On Idle/ On Demand
g. Authentication Method: Pre-shared Key
h. Pre-Shared Key: emirTvcMSAR8nOjrpbdHFIH6PegZeDJa
i. IKE Version: 2
Phase 1 Proposal:
j.  Encryption: aes128
k. Authentication: sha1
l. DH group: 2     ! and deselect 5
m. Keylife: 28800 seconds

! NAT Traversal is enabled by default but if your FortiGate device is not behind a NAT/PAT device, please deselect NAT Traversal.

! --------------------------------------------------------------------------------
! #2: IPSec Configuration

Under Phase 2 Selectors --> New Phase 2
a.	Name:  vpn-05303c885396bac29-0
b.	Local Address: LAN subnet behind Fortigate/0.0.0.0/0
c.	Remote Address: AWS Private Subnet/0.0.0.0/0

Under Advanced
d.	Encryption: aes128
e.	Authentication: sha1
f.	Select Enable Replay Detection
g.	Select Perfect Forward Secrecy
h.	DH Group: 2 ! and deselect 5
i.	Keylife: 3600 seconds
j.	Enable Auto-negotiate   ! Autokey Keep Alive is enabled automatically when Auto-negotiate is enabled
k.	Click Ok

! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration

! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
!
! The address of the interface is configured with the setup for your
! Customer Gateway.  If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
! This is required in order for tunnel failover via gwdetect to function
!
! Perform this from the Global VDOM.

Go to Network Tab --> Interface --> wan1 and edit vpn-05303c885396bac29-0

a. IP : 169.254.84.154
b. Remote IP: 169.254.84.153/30
c. Select Ping
d. Administrative Status: Up
e. Select Ok.

!You can set MTU and MSS on the tunnel by performing this from the CLI:
 config global
 config system interface
  edit "vpn-05303c885396bac29-0" ! This name will be the same as the VPN tunnel name
    set mtu-override enable
    set mtu 1427
    set tcp-mss 1379
   next
end

! --------------------------------------------------------------------------------
! #4 Static Route Configuration
Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
!
! This is configured from the root VDOM


Go to Network Tab --> Static Routes --> Create New

a. Destination: Subnet (10.0.0.0/16)
b. Interface: vpn-05303c885396bac29-0 ! This is the VPN tunnel interface
c. Click Ok

! Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the
! tunnels, we would want to failover the traffic to the second tunnel. This is done by using "gwdetect" in fortigate.
! The gwdetect command will ping the other end of the tunnel, and check if the tunnel is up. If the pings fail, it will
! remove the static route from the routing table, and the second route in the table will become active.
!
! This can be done only using the CLI.
!
! The following config will tell the Fortigate device, what IP it should ping to test the tunnel. This IP should be
! the inside IP address of the virtual private gateway.
! This is required in order for tunnel failover via gwtect to function. Additionally, this is required to keep the tunnel up, since
! traffic must be sent from your side of the VPN tunnel to prevent the tunnel from being taken down.

config vdom
    edit root
        config router gwdetect
        edit 1
        set interface "vpn-05303c885396bac29-0" ! This is the VPN tunnel interface
        set server "169.254.84.153"

! server IP is the AWS inside IP

! Using the following command, you can set the interval and failtime for gwdetect. Interval is number of seconds
! between pings. Failtime is the number of lost consecutive pings.Using the respective values of 2 and 5, your tunnel
! will failover in 10 seconds.

        set interval 2
        set failtime 5
    next
end

! --------------------------------------------------------------------------------
! #5: Firewall Policy Configuration
! Create a firewall policy permitting traffic from your local subnet to the VPC subnet and vice versa
! This example policy permits all traffic from the local subnet to the VPC.
!
!This is configured from the root VDOM


Go to Policy & Object tab --> Firewall Policy --> Create New

   a. Provide a Name for the Policy
   b. Incoming Interface/Zone = internal ! This is the interface out which your local LAN resides
   c. Source Address = all
   d. Outgoing Interface/Zone = "vpn-05303c885396bac29-0" ! This is the VPN tunnel interface
   e. Destination Address = all
   f. Schedule = always
   g. Service = ALL
   h. Action = ACCEPT
   i. Click OK

! NAT is enabled for the policy by default, you can disable it.

! Now create a policy to permit traffic going the other way

   a. Create New
   b. Provide a Name for the Policy
   c. Incoming Interface/Zone = "vpn-05303c885396bac29-0" ! This is the VPN tunnel interface
   d. Source Address = all
   e. Outgoing Interface/Zone = internal  ! This is the interface out which your local LAN resides
   f. Destination Address = all
   g. Schedule = always
   h. Service = ALL
   i. Action = ACCEPT
   j. Click OK


! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration

Go to  VPN --> IPSEC Tunnels --> Create New (drop down) --> Select IPSEC Tunnel

VPN Creation Wizard Window appears

Select Template Type as “Custom”

Provide a Name for the VPN connection (Name must be shorter than 15 chars, best if shorter than 12): vpn-05303c885396bac29-1

New VPN Tunnel Window Appears (Here we configure the VPN settings):

Under “Network” Section:
a. IP Version:     IPv4
b. Remote Gateway: Static IP Address
c. IP address: 192.168.100.1
d. Local Interface: wan1
e. Local Gateway: Select Specify and enter WAN port IP (Public IP)
f. Dead Peer Detection: Enable by selecting On Idle/ On Demand
g. Authentication Method: Pre-shared Key
h. Pre-Shared Key: u7i6k8jsKxLaPN2yukR6MZvCVH2kVRGj
i. IKE Version: 2
Phase 1 Proposal:
j.  Encryption: aes128
k. Authentication: sha1
l. DH group: 2     ! and deselect 5
m. Keylife: 28800 seconds

! NAT Traversal is enabled by default but if your FortiGate device is not behind a NAT/PAT device, please deselect NAT Traversal.

! --------------------------------------------------------------------------------
! #2: IPSec Configuration

Under Phase 2 Selectors --> New Phase 2
a.	Name:  vpn-05303c885396bac29-1
b.	Local Address: LAN subnet behind Fortigate/0.0.0.0/0
c.	Remote Address: AWS Private Subnet/0.0.0.0/0

Under Advanced
d.	Encryption: aes128
e.	Authentication: sha1
f.	Select Enable Replay Detection
g.	Select Perfect Forward Secrecy
h.	DH Group: 2 ! and deselect 5
i.	Keylife: 3600 seconds
j.	Enable Auto-negotiate   ! Autokey Keep Alive is enabled automatically when Auto-negotiate is enabled
k.	Click Ok

! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration

! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
!
! The address of the interface is configured with the setup for your
! Customer Gateway.  If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
! This is required in order for tunnel failover via gwdetect to function
!
! Perform this from the Global VDOM.

Go to Network Tab --> Interface --> wan1 and edit vpn-05303c885396bac29-1

a. IP : 169.254.96.78
b. Remote IP: 169.254.96.77/30
c. Select Ping
d. Administrative Status: Up
e. Select Ok.

!You can set MTU and MSS on the tunnel by performing this from the CLI:
 config global
 config system interface
  edit "vpn-05303c885396bac29-1" ! This name will be the same as the VPN tunnel name
    set mtu-override enable
    set mtu 1427
    set tcp-mss 1379
   next
end

! --------------------------------------------------------------------------------
! #4 Static Route Configuration
Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
!
! This is configured from the root VDOM


Go to Network Tab --> Static Routes --> Create New

a. Destination: Subnet (10.0.0.0/16)
b. Interface: vpn-05303c885396bac29-1 ! This is the VPN tunnel interface
c. Click Ok

! Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the
! tunnels, we would want to failover the traffic to the second tunnel. This is done by using "gwdetect" in fortigate.
! The gwdetect command will ping the other end of the tunnel, and check if the tunnel is up. If the pings fail, it will
! remove the static route from the routing table, and the second route in the table will become active.
!
! This can be done only using the CLI.
!
! The following config will tell the Fortigate device, what IP it should ping to test the tunnel. This IP should be
! the inside IP address of the virtual private gateway.
! This is required in order for tunnel failover via gwtect to function. Additionally, this is required to keep the tunnel up, since
! traffic must be sent from your side of the VPN tunnel to prevent the tunnel from being taken down.

config vdom
    edit root
        config router gwdetect
        edit 2
        set interface "vpn-05303c885396bac29-1" ! This is the VPN tunnel interface
        set server "169.254.96.77"

! server IP is the AWS inside IP

! Using the following command, you can set the interval and failtime for gwdetect. Interval is number of seconds
! between pings. Failtime is the number of lost consecutive pings.Using the respective values of 2 and 5, your tunnel
! will failover in 10 seconds.

        set interval 2
        set failtime 5
    next
end

! --------------------------------------------------------------------------------
! #5: Firewall Policy Configuration
! Create a firewall policy permitting traffic from your local subnet to the VPC subnet and vice versa
! This example policy permits all traffic from the local subnet to the VPC.
!
!This is configured from the root VDOM


Go to Policy & Object tab --> Firewall Policy --> Create New

   a. Provide a Name for the Policy
   b. Incoming Interface/Zone = internal ! This is the interface out which your local LAN resides
   c. Source Address = all
   d. Outgoing Interface/Zone = "vpn-05303c885396bac29-1" ! This is the VPN tunnel interface
   e. Destination Address = all
   f. Schedule = always
   g. Service = ALL
   h. Action = ACCEPT
   i. Click OK

! NAT is enabled for the policy by default, you can disable it.

! Now create a policy to permit traffic going the other way

   a. Create New
   b. Provide a Name for the Policy
   c. Incoming Interface/Zone = "vpn-05303c885396bac29-1" ! This is the VPN tunnel interface
   d. Source Address = all
   e. Outgoing Interface/Zone = internal  ! This is the interface out which your local LAN resides
   f. Destination Address = all
   g. Schedule = always
   h. Service = ALL
   i. Action = ACCEPT
   j. Click OK




! Additional Notes and Questions
!  - Amazon Virtual Private Cloud Getting Started Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
!  - Amazon Virtual Private Cloud Network Administrator Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide

 

3 REPLIES 3
gfleming
Staff
Staff

Can you post output of:

 

show system interface vpn-05303c885396bac29-0

 

Cheers,
Graham
rg_586
New Contributor III

Hi @gfleming as requested

set vdom "Vdom1"

set ip 169.254.84.154 255.255.255.255

set allowaccess ping

set type tunnel

set tcp-mss 1379

set remote-ip 169.254.84.153 255.255.255.252

set snmp-index 56

set mtu-override enable

set mtu 1427

set interface "port10"

 

 

 

gfleming

Are you using 0.0.0.0/0 for your phase2 selector as per the downloaded config? Just making usre 169.254.X.X is definitely included in phase2 selectors.

 

Next I would look at doing a debug flow to see what the FW is doing.

 

diagnose debug enable
diagnose debug flow filter daddr 169.254.X.X (Remote tunnel IP)
diagnose debug flow trace start 1
execute ping 169.254.X.X (Remote tunnel IP)
Cheers,
Graham
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors