Problem with Fortigate on AWS
Hi, please, I have a huge problem.
I have an EC2 instance on AWS with IP address 172.31.X.X that I want to communicate with another remote instance belonging to a customer, also on AWS, with IP address 172.33.X.X, through an IPsec VPN tunnel with a FortiGate on each side.
For FortiGate 1 we have LAN: 172.31.X.Y, WAN: 172.31.Y.Z and the public IP.
For FortiGate 2 we have LAN: 172.33.X.Y, WAN: 172.33.Y.Z and the public IP.
The VPN tunnel is UP, but when I ping from the EC2 172.31.X.X to the remote EC2 172.33.X.X the ping does not go through, and when I try to get out of the network I cannot. From the servers we can't ping the internet. Apparently it's a routing problem, but I don't know on which side.
Here is the architecture:
EC2 ===> FortiGate 1 ===> tunnel ===> FortiGate 2 ===> EC2
But the traffic is blocked internally (between the EC2 and the FortiGate) and does not go out.
Please, I would like some help.
Labels: FortiGate
Do you have a firewall policy that allows the traffic from the LAN interface to the WAN interface?
Graham
What does your VPC route table look like on either side?
Graham
Hello, and thank you for your answer.
Here are the routing tables at each point.

- Private Subnet 1 routing table
  Destination      Target
  172.31.X.X/16    local
  0.0.0.0/0        ENI - LAN FortiGate 1

- Public Subnet 1 routing table
  Destination      Target
  0.0.0.0/0        IGW (Internet Gateway)

- Public Subnet 2 routing table
  Destination      Target
  0.0.0.0/0        IGW

- Private Subnet 2 routing table
  Destination      Target
  172.31.X.X/16    local
  172.32.X.X/16    local
  172.33.X.X/16    local
  0.0.0.0/0        ENI - LAN FortiGate 2

Here is the architecture again:

EC2 =======> FortiGate 1 =======> FortiGate 2 =======> EC2
172.31.X.X   LAN: 172.31.X.Y        LAN: 172.33.X.Y        172.33.X.X
             WAN: 172.31.Y.Z        WAN: 172.33.Y.Z
             Public IP: 18.215.Z.Z  Public IP: 52.5.Z.Z
Private subnet 2 route table looks problematic. You have remote subnet 172.31.X.X/16 listed as local.
Graham
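To make the routing point above concrete, here is an added example (not from the thread or from Fortinet or AWS tooling) that simulates AWS VPC route-table lookups over the tables posted above. AWS picks the most specific matching route, so a `local` entry for the remote site's /16 always wins over `0.0.0.0/0`, and the reply from the customer's EC2 never reaches FortiGate 2's LAN ENI. The X/Y placeholders from the post are filled in with constructed values (172.31.10.10, 172.33.10.10, ENI names `eni-fgt1-lan`/`eni-fgt2-lan`, and VPC 2 CIDR 172.33.0.0/16); all of these are assumptions for the simulation.

```python
import ipaddress

# Constructed route tables mirroring the ones posted in the thread, with the
# X/Y placeholders replaced by assumed example values. "local" means the VPC
# router delivers the packet inside the VPC; an ENI target hands it to that
# network interface (here the FortiGate LAN interfaces).
ROUTE_TABLES = {
    "private-subnet-1": [
        ("172.31.0.0/16", "local"),
        ("0.0.0.0/0", "eni-fgt1-lan"),
    ],
    # As posted: the remote site's /16 is marked local.
    "private-subnet-2-as-posted": [
        ("172.31.0.0/16", "local"),
        ("172.32.0.0/16", "local"),
        ("172.33.0.0/16", "local"),
        ("0.0.0.0/0", "eni-fgt2-lan"),
    ],
    # After removing the foreign local route, as suggested above.
    "private-subnet-2-fixed": [
        ("172.33.0.0/16", "local"),
        ("0.0.0.0/0", "eni-fgt2-lan"),
    ],
}

# Assumed example hosts and the ENI each side's traffic should leave through.
SRC_HOST, DST_HOST = "172.31.10.10", "172.33.10.10"
FGT1_LAN_ENI, FGT2_LAN_ENI = "eni-fgt1-lan", "eni-fgt2-lan"


def lookup(table, dst):
    """Return the target of the most specific route matching dst.

    This mirrors AWS VPC behaviour: longest prefix wins regardless of the
    order the routes are listed in, so 172.31.0.0/16 beats 0.0.0.0/0.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def round_trip(tables, src_subnet, dst_subnet, src, dst, src_eni, dst_eni):
    """Check both directions of a ping.

    The forward packet must leave the source subnet via src_eni and the reply
    must leave the destination subnet via dst_eni; if either direction takes
    a different path the tunnel stays UP but the ping still fails.
    """
    forward = lookup(tables[src_subnet], dst)
    reverse = lookup(tables[dst_subnet], src)
    return {
        "forward": forward,
        "reverse": reverse,
        "ok": forward == src_eni and reverse == dst_eni,
    }


def audit_local_routes(table, vpc_cidr):
    """Flag 'local' routes that are not inside this VPC's own CIDR.

    Traffic to such a prefix is kept inside the VPC and never reaches the
    FortiGate ENI, so a remote site listed as local can never be reached
    through the tunnel.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    return [
        cidr
        for cidr, target in table
        if target == "local" and not ipaddress.ip_network(cidr, strict=False).subnet_of(vpc)
    ]


if __name__ == "__main__":
    for variant in ("private-subnet-2-as-posted", "private-subnet-2-fixed"):
        result = round_trip(ROUTE_TABLES, "private-subnet-1", variant,
                            SRC_HOST, DST_HOST, FGT1_LAN_ENI, FGT2_LAN_ENI)
        print(f"{variant}: forward -> {result['forward']}, "
              f"reverse -> {result['reverse']}, ok={result['ok']}")
    print("suspicious local routes in posted table:",
          audit_local_routes(ROUTE_TABLES["private-subnet-2-as-posted"], "172.33.0.0/16"))
```

The simulation only models VPC routing. For the real deployment the same check has to hold on every hop: the FortiGate ENIs must have source/destination checking disabled, each FortiGate needs a route for the remote /16 pointing at the tunnel interface and a policy permitting LAN-to-tunnel traffic in both directions, and the remote side's subnet route table must send the reply back to its own FortiGate, exactly as the fixed table does here.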
Thanks for the update. I removed it, but now I have this problem:
An EC2 instance is behind FortiGate 1. When I ping the LAN address 172.31.X.Y of FortiGate 1 the ping goes through, but when I ping the WAN address the ping does not go through. What are the ways to make them communicate? I have already allowed access to FortiGate 1 from the instance in the FortiGate 1 security group, and the routing table in the private subnet redirects all traffic to the LAN interface of FortiGate 1.
Are you allowing pings on the FortiGate WAN interface?
Graham
I know that it is not good, but I allow all traffic on WAN and LAN.
Are you pinging the actual WAN IP address (172.x.X.X) assigned to the FortiGate interface, or the elastic public IP assigned by AWS?
Graham
I try to ping the WAN IP address (172.X.X.X) as assigned to the FortiGate interface, because the EC2 cannot access the internet through the FortiGate.
Can you show your WAN interface config, please? (show system interface <wan_port>)
Graham