I have a site-to-site VPN set up from a Fortigate 200D to an AWS VPC. The tunnels are up and active but I cannot seem to get the routing correct.
We want all non-local traffic to go through the VPN tunnel to AWS. No matter what change I make, traffic goes out the WAN! I stand corrected: if I edit the static default route to use the VPN interface instead of the WAN ports, the tunnels go down.
config system interface
    edit "AWS VPN"
        set vdom "VDOM-A"
        set ip 169.254.47.154 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.47.153
        set snmp-index 19
        set interface "port1"
    next
    edit "AWS VPN 2"
        set vdom "VDOM-A"
        set ip 169.254.45.246 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 169.254.45.245
        set snmp-index 20
        set interface "port1"
    next
end
My tunnels are set up as follows:
config vpn ipsec phase1-interface
    edit "AWS VPN"
        set interface "port1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw 3.85.156.247
        set psksecret ENC PJpv/i53ceAXe8BOYrILtfAH6YVwgswMbckKMF/h7QnySTOBFi0dE0TSmZXZM03PG/tKjvFiPKRcwDJprN7SAvpmXWMbRw6ct0kvYISQ/dB3MANTpCnM0tU7k+y1WqsxRoYT5ytMHKVQN4zPgl81PdApw3lLCBs3JTtiUXQveRBMHgZHsy3A29l6VaZA8KnJfg+tYw==
    next
    edit "AWS VPN 2"
        set interface "port1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
        set nattraversal disable
        set remote-gw 34.204.21.180
        set psksecret ENC 9u9RClwiMZOKCxraZHByC00S8HqmmxVhpspElSwGahDAWa9x7LwA4vcF0lOiYA/ClXoK6on9WlOHX19nqTQwbnnOdHcZd/0dVSu50F2dv8T1VXcrEgYDpE8cciOJThDU9UrgpjWbt9ImUohC2qNfpHmyk/sztTpagRQ+JCzWSOe5nreayJOPHaYsnTbIq+4DcxxaQA==
    next
end
config vpn ipsec phase2-interface
    edit "AWS VPN"
        set phase1name "AWS VPN"
        set proposal aes128-sha1
        set dhgrp 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.41.5.0 255.255.255.0
        set dst-subnet 10.99.10.0 255.255.255.0
    next
    edit "AWS VPN 2"
        set phase1name "AWS VPN 2"
        set proposal aes128-sha1
        set dhgrp 2
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.41.5.0 255.255.255.0
        set dst-subnet 10.99.10.0 255.255.255.0
    next
end
config system link-monitor
    edit "AWS1VPNFO"
        set srcintf "AWS VPN"
        set server "169.254.47.153"
        set interval 2
    next
    edit "AWS2VPNFO"
        set srcintf "AWS VPN 2"
        set server "169.254.45.245"
        set interval 2
    next
end
Static routes:
config router static
    edit 6
        set dst 10.99.0.0 255.255.0.0
        set priority 1
        set device "AWS VPN"
    next
    edit 7
        set dst 10.99.0.0 255.255.0.0
        set priority 1
        set device "AWS VPN 2"
    next
end
config router policy
    edit 1
        set input-device "port2"
        set src "10.41.5.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "AWS VPN"
    next
    edit 2
        set input-device "port2"
        set src "10.41.5.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "AWS VPN 2"
    next
end
The policy routes are completely ignored for some reason and everything reverts back to the default static route.
Any help would be much appreciated.
I don't know anything specific about AWS VPCs. But to route all traffic, generally internet-bound, into a tunnel, you need to have a default route into the tunnel. Not a policy route. You need to set a specific static route, generally a /32 route, toward wan1 for VPN peer so that the VPN still comes up.
Since you have two VPNs, depending on how you want to utilize two connections, primary-backup, load-balance, etc., you might want to use either different distance, equal distance w/ different priority, or load-balance for those two static default routes.
Yes, in the CLI they would look like below. The destination 0.0.0.0/0 is the default "dst" value, so you wouldn't see it. Also the default distance is 10 and the default priority is 0 (highest), which you don't see either. So if you want to change one of them to have a lower priority, you can configure it like below. If you use priority instead of distance, both default routes show in the routing table as long as the tunnels are up, but outgoing sessions always use the priority 0 side; the priority 10 side can still receive packets and create incoming sessions. You can play around with this to understand the behaviors with those metrics.
Just don't forget to set another set of /32 routes to port1 to keep the tunnels up.
config router static
    edit x
        set device "AWS VPN"
    next
    edit y
        set device "AWS VPN 2"
        set priority 10
    next
end
When I add the routes my tunnel goes down. I then added back the default gateway through the WAN and the tunnel is up, but all traffic goes through the WAN. I played with the admin distance but no luck. I started from scratch and have attached my config; the tunnel is called AWS. This time I am only working with one tunnel. Not sure what I am missing. Thanks
That's because you ignored my warning about adding /32 static routes for the tunnels.
In your config with one tunnel, you needed to have the below:
config router static
    edit 0
        set dst 3.214.248.182 255.255.255.255
        set gateway 210.4.106.129
        set device port1
    next
end
Since a specific route wins over less specific ones (default routes), the tunnel would establish based on this route.
Also, you might want to check NAT configuration. You will need to deny NAT from the firewall policy.
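As an added illustration of the route-selection behaviour this answer describes (this is not code from the thread or from Fortinet), here is a simplified Python model of FortiOS route selection, longest prefix first, then distance, then priority, run against the routes in this thread. The peer address, WAN gateway and interface names come from the posts; the selection rules are a simplifying assumption, not FortiOS source.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TUNNELS = {"AWS VPN", "AWS VPN 2"}   # IPsec tunnel interfaces from the post
PEER = "3.214.248.182"               # AWS VPN peer from the post
WAN_GW = "210.4.106.129"             # port1 next hop from the post

@dataclass(frozen=True)
class Route:
    dst: str                    # prefix, e.g. "0.0.0.0/0"
    device: str                 # outgoing interface
    gateway: Optional[str] = None
    distance: int = 10          # FortiOS default admin distance for static routes
    priority: int = 0           # FortiOS default priority; lower value wins

def routing_table(routes):
    """Per prefix, only the lowest-distance candidates are installed; equal-distance
    routes coexist, and priority then decides which one forwards (assumed model)."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.dst, []).append(r)
    table = []
    for cands in by_prefix.values():
        lowest = min(c.distance for c in cands)
        table.extend(c for c in cands if c.distance == lowest)
    return table

def select_route(routes, dest_ip):
    """Forwarding decision: longest prefix first, then lowest priority value."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [r for r in routing_table(routes)
               if dest in ipaddress.ip_network(r.dst)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen,
                                       r.priority))

def tunnel_can_establish(routes, peer_ip):
    """IKE/ESP to the peer must leave via a physical port; if the best route to the
    peer points into a tunnel, the tunnel depends on itself and never comes up."""
    r = select_route(routes, peer_ip)
    return r is not None and r.device not in TUNNELS

# Constructed from the thread: both default routes into the tunnels (priority
# picks the primary), with and without the /32 host route to the peer via port1.
BROKEN = [Route("0.0.0.0/0", "AWS VPN"), Route("0.0.0.0/0", "AWS VPN 2", priority=10)]
FIXED = BROKEN + [Route(PEER + "/32", "port1", gateway=WAN_GW)]
```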
Copyright 2024 Fortinet, Inc. All Rights Reserved.