AlexandreP
New Contributor II

One way ping site-to-site AWS vpn tunnel

For a client, I am trying to set up a site-to-site VPN from a local Fortigate 200F, firmware 7.2.3, to the AWS site-to-site connectors.

I succeeded in making it so I could ping from AWS to a local machine, but a ping from a local machine to an AWS machine would not work.

How I did it and config

I went through the AWS and Fortinet docs, followed them, then downloaded the IKEv2 configuration file, followed the instructions, and it was pretty smooth for those parts.*

AlexandreP_5-1668560500954.png

Fortigate Network IPSEC tunnels section here:

AlexandreP_7-1668560541325.png

Fortigate routes here:

AlexandreP_8-1668560600239.png

*In this post, I'll only talk about one tunnel, and I'll ask the community about the two-tunnel failover in another post.

So the routes on the AWS side are working and I suspect that the AWS side is not the cause here:

AlexandreP_0-1668560080767.png

My Firewall policies are there:

AlexandreP_1-1668560136311.png

AlexandreP_2-1668560177060.png

AlexandreP_3-1668560189762.png

And if I DENY my AWS VPN to the local LAN, the pings from AWS to the local LAN stop, so this is proof that that direction goes through the Firewall.

AlexandreP_4-1668560259077.png

If I reverse that by putting "AWSVPN to LAN" to ACCEPT and "LAN to AWS VPN" to DENY, there is no difference to my problem, obviously.

Any hint in the right direction would be appreciated! Thanks.

distillednetwork
Contributor III

The best thing to do would be to run a flow filter to determine what is happening. Try running the following in the CLI:

diag debug flow filter addr <ip of aws machine>
diag debug flow filter proto 1
diag debug enable
diag debug flow trace start 20

Perform your ping test from a LAN PC to the AWS machine and see what the logs show it is doing with the traffic.

AlexandreP

I'll test that soon and let you know, thanks.

AlexandreP

I tested the flow filter with a ping, and if I analyse this correctly, everything seems fine on the Fortigate side. Would you concur?

diag debug flow filter addr 10.0.1.77 [AWSMachineIP]
diag debug flow filter proto 1
diag debug enable
diag debug flow trace start 20

id=65308 trace_id=102 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 192.[localMachineIP]:1->10.[AWSMachineIP]:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=849."
id=65308 trace_id=102 func=init_ip_session_common line=6073 msg="allocate a new session-00078a72, tun_id=0.0.0.0"
id=65308 trace_id=102 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-35.[AWSUpTunnelOutsideIPAddress] via vpn-AWS-232-0"
id=65308 trace_id=102 func=fw_forward_handler line=918 msg="Allowed by Policy-11:"
id=65308 trace_id=102 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface vpn-AWS-232-0, tun_id=0.0.0.0"
id=65308 trace_id=102 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel vpn-AWS-232-0 vrf 0"
id=65308 trace_id=102 func=esp_output4 line=893 msg="IPsec encrypt/auth"
id=65308 trace_id=102 func=ipsec_output_finish line=629 msg="send to 64.[IPSrouter] via intf-port1" (port1 is the WAN port, so that's fine)
id=65308 trace_id=103 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 192.[localMachineIP]:1->10.[AWSMachineIP]:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=850."

distillednetwork

Sorry for the delayed response, yes it looks like you are sending the icmp out the tunnel "enter IPSec interface vpn-AWS-232-0". Ping must be getting lost in the cloud....

If you were to get a response, you would see a new trace come in from AWS tunnel to your LAN, but that does not appear here.
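As an added example (not code from this thread or from Fortinet), here is a small Python parser for that kind of `diag debug flow` output. It groups lines by trace_id, records the inbound interface, the route, the policy verdict and whether the packet entered the IPsec interface, then pairs ICMP echo requests that left through a given tunnel with echo replies that arrived from it. That is exactly the check made in the reply above: with no reply trace from the tunnel, the FortiGate is doing its job and the loss is on the far side. The sample traces are constructed to match the shape of the trace posted in the thread, with documentation addresses (192.0.2.x, 198.51.100.x) in place of the real ones; the reply lines in the second sample are assumed, not captured output.

```python
"""Parse FortiGate 'diag debug flow' trace output and check whether ICMP
echo requests sent into an IPsec tunnel ever get an echo reply back from it.

Added example; not code from the thread or from Fortinet. Sample traces are
constructed from the shape of the posted trace, with documentation addresses.
"""
import re
from collections import defaultdict

TUNNEL = "vpn-AWS-232-0"  # IPsec interface name as it appears in the posted trace

# Constructed sample: echo requests (type=8) from the LAN leave via the tunnel,
# but no echo reply (type=0) ever arrives from the tunnel interface.
ONE_WAY_TRACE = """\
id=65308 trace_id=102 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 192.0.2.10:1->10.0.1.77:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=849."
id=65308 trace_id=102 func=init_ip_session_common line=6073 msg="allocate a new session-00078a72, tun_id=0.0.0.0"
id=65308 trace_id=102 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-198.51.100.1 via vpn-AWS-232-0"
id=65308 trace_id=102 func=fw_forward_handler line=918 msg="Allowed by Policy-11:"
id=65308 trace_id=102 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface vpn-AWS-232-0, tun_id=0.0.0.0"
id=65308 trace_id=102 func=esp_output4 line=893 msg="IPsec encrypt/auth"
id=65308 trace_id=102 func=ipsec_output_finish line=629 msg="send to 198.51.100.2 via intf-port1"
id=65308 trace_id=103 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 192.0.2.10:1->10.0.1.77:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=850."
id=65308 trace_id=103 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-198.51.100.1 via vpn-AWS-232-0"
id=65308 trace_id=103 func=fw_forward_handler line=918 msg="Allowed by Policy-11:"
id=65308 trace_id=103 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface vpn-AWS-232-0, tun_id=0.0.0.0"
"""

# Assumed (not captured) reply traces: what a healthy round trip would add,
# replies arriving from the tunnel interface and matching the existing session.
REPLY_TRACE = """\
id=65308 trace_id=104 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 10.0.1.77:1->192.0.2.10:0) from vpn-AWS-232-0. type=0, code=0, id=1, seq=849."
id=65308 trace_id=104 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-00078a72, reply direction"
id=65308 trace_id=105 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 10.0.1.77:1->192.0.2.10:0) from vpn-AWS-232-0. type=0, code=0, id=1, seq=850."
id=65308 trace_id=105 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-00078a72, reply direction"
"""
HEALTHY_TRACE = ONE_WAY_TRACE + REPLY_TRACE

# Matches the 'received a packet(...)' line; iface is the ingress interface.
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\)"
    r".*? from (?P<iface>[\w-]+)\. type=(?P<type>\d+), code=\d+, id=(?P<id>\d+), seq=(?P<seq>\d+)"
)


def parse_flow_trace(text):
    """Group trace lines by trace_id and extract the fields that decide the verdict."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        tid = re.search(r"trace_id=(\d+)", line)
        if not tid:
            continue
        t = traces[tid.group(1)]
        if pkt := PKT_RE.search(line):
            t.update(proto=int(pkt["proto"]), src=pkt["src"], dst=pkt["dst"],
                     in_iface=pkt["iface"], icmp_type=int(pkt["type"]),
                     icmp_id=int(pkt["id"]), seq=int(pkt["seq"]))
        if route := re.search(r'find a route: .* via (\S+)"', line):
            t["out_iface"] = route.group(1)
        if pol := re.search(r"(Allowed|Denied) by (Policy-\d+)", line):
            t["verdict"], t["policy"] = pol.group(1), pol.group(2)
        if tun := re.search(r"enter IPSec interface (\S+),", line):
            t["entered_tunnel"] = tun.group(1)
    return dict(traces)


def check_icmp_round_trip(text, tunnel):
    """Pair echo requests that entered `tunnel` with echo replies received from it."""
    traces = parse_flow_trace(text)
    sent, replied, denied = {}, {}, []
    for tid, t in traces.items():
        if t.get("verdict") == "Denied":
            denied.append(tid)
        if t.get("proto") != 1:  # only ICMP traces carry echo id/seq
            continue
        key = (t["icmp_id"], t["seq"])
        if t["icmp_type"] == 8 and t.get("entered_tunnel") == tunnel:
            sent[key] = tid
        elif t["icmp_type"] == 0 and t["in_iface"] == tunnel:
            replied[key] = tid
    unanswered = sorted(k for k in sent if k not in replied)
    if denied:
        verdict = "blocked by a FortiGate policy"
    elif not sent:
        verdict = "no echo request entered the tunnel (check route and policy)"
    elif not replied:
        verdict = "requests leave via the tunnel but nothing comes back (look beyond the FortiGate)"
    elif unanswered:
        verdict = "partial loss"
    else:
        verdict = "round trip OK"
    return {"sent": len(sent), "replied": len(replied),
            "unanswered": unanswered, "denied": denied, "verdict": verdict}


if __name__ == "__main__":
    for name, trace in (("one-way", ONE_WAY_TRACE), ("healthy", HEALTHY_TRACE)):
        r = check_icmp_round_trip(trace, TUNNEL)
        print(f"{name}: sent={r['sent']} replied={r['replied']} -> {r['verdict']}")
```

Feed it the raw console capture from `diag debug flow trace start` and the tunnel interface name; the unanswered list gives the exact (id, seq) pairs to look for on the far side, and a "Denied by" line in any trace points back at the FortiGate policy instead.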

AlexandreP

Thanks. I'll probably go the Forti-VM to Fortigate way. I have a similar setup right now with my current Peplink router. And of course, when you connect vendor1 to vendor1 routers, problems go away ;)