For a client, I am trying to setup a vpn site-to-site from a local Fortigate 200F, firmware 7.2.3, to the AWS site-to-site connectors.
I succeded to make it so I could ping from AWS to a local machine, but ping from a local machine to a AWS machine would not work.
How I did it and config
I went in the docs of AWS and Fortinet, followed them, then downloaded the IKDv2 configuration file, followed the instructions, and it was pretty smooth for those parts.*
Fortigate Network IPSEC tunnels section here:
Fortigate routes here:
*In this post, I'll only talk about one tunnel, and I'll ask the community about the two tunnels failover in another post.
So the route on AWS side are working and I suspect that the AWS side is not the cause here:
My Firewall policies are there:
And If I DENY my AWS VPN to the local LAN, the pings from AWS to local LAN stops, so this is proof that that direction goes by the Firewall.
If I reverse that by putting "AWSVPN to LAN" to ACCEPT, and "LAN to ASWS VPN" to DENY, there is no difference to my problem obliviously.
Any hint in the right direction would be apreciated! Thanks.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Thanks. I'll probably go the Forti-VM to Fortigate way. I have a similar setup right now with my current Peplink router. And of course, when you connect vendor1 to vendor1 routers, problems go away ;)
The best thing to do would be to run a flow filter to determine what is happening. Try running the following in the cli:
diag debug flow filter addr <ip of aws machine>
diag debug flow filter proto 1
diag debug enable
diag debug flow trace start 20
perform your ping test from a lan PC to the AWS machine and see what the logs show it is doing with the traffic.
I'll test that soon and let you know, thanks.
I tested the flow filter with a ping, and if I analyse this correctly, everything seems fine on the Fortigate side. Would you concur?
diag debug flow filter addr 10.0.1.77 [AWSMachineIP]
diag debug flow filter proto 1
diag debug enable
diag debug flow trace start 20
id=65308 trace_id=102 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 192.[localMachineIP]:1->10.[AWSMachineIP]:2048) tun_id=0.0.0.0 from lan. type=8, c
ode=0, id=1, seq=849."
id=65308 trace_id=102 func=init_ip_session_common line=6073 msg="allocate a new session-00078a72, tun_id=0.0.0.0"
id=65308 trace_id=102 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-35.[AWSUpTunnelOutsideIPAddress] via vpn-AWS-232-0"
id=65308 trace_id=102 func=fw_forward_handler line=918 msg="Allowed by Policy-11:"
id=65308 trace_id=102 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface vpn-AWS-232-0, tun_id=0.0.0.0"
id=65308 trace_id=102 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel vpn-AWS-232-0 vrf 0"
id=65308 trace_id=102 func=esp_output4 line=893 msg="IPsec encrypt/auth"
id=65308 trace_id=102 func=ipsec_output_finish line=629 msg="send to 64.[IPSrouter] via intf-port1" (port1 is the WAN port, so that's fine)
id=65308 trace_id=103 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 192.[localMachineIP]:1->10.[AWSMachineIP]:2048) tun_id=0.0.0.0 from lan. type=8, code=0
, id=1, seq=850."
Sorry for the delayed response, yes it looks like you are sending the icmp out the tunnel "enter IPSec interface vpn-AWS-232-0". Ping must be getting lost in the cloud....
If you were to get a response, you would see a new trace come in from AWS tunnel to your LAN, but that does not appear here.
Thanks. I'll probably go the Forti-VM to Fortigate way. I have a similar setup right now with my current Peplink router. And of course, when you connect vendor1 to vendor1 routers, problems go away ;)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.