Site-to-site VPN traffic issues to AWS VPC
I have inherited a Fortigate 60E running 5.4.4. I am attempting to set up a VPN connection to an AWS VPC (set up with instructions from https://docs.fortinet.com/document/fortigate/6.2.0/aws-cookbook/506140/connecting-a-local-fortigate-...). I have established the connection and the tunnel is up. I can ping from an EC2 instance in the VPC to devices in my local office. However, I cannot ping items in the VPC from my local office. When trying to do a tracert, it doesn't even make one hop before failing (as if traffic is not routing from the local subnet to the AWS subnet). Pinging the public IP is successful. Unfortunately, I am not that familiar with FortiOS, which is making things more challenging as it is not very intuitive to me.
I have static routes configured to hit the AWS subnet.
I've been trying some different IPv4 policy settings to no avail.
Phase 2 on the VPN is set to 0.0.0.0/0.0.0.0 for both local and remote.
I am at a loss as to where to look next. Any guidance would be appreciated.
There are quite a few things that cause such behavior, hard to say without seeing the config, but ...
- Make sure NAT is not enabled on the security rule from LAN to VPC LAN.
- Make sure routing is correct: `# get router info routing-table all`
- Do a sniffer to see if your pings from LAN reach and exit the correct interface, say your LAN in VPC is 10.10.10.0/24:
`# dia sni packet any 'icmp and net 10.10.10.0/24'`
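The three checks in the reply above, written out as a FortiOS CLI fragment. This is an added example, not configuration posted by the reply's author or taken from the thread: the interface names `internal` and `to_aws`, the address objects `LAN_net` and `VPC_net`, and the office LAN 192.168.1.0/24 are assumptions; 10.10.10.0/24 is the VPC subnet the reply uses.

```fortios
# Added example, not from the thread. Interface names, address objects and the
# 192.168.1.0/24 office LAN are assumed; 10.10.10.0/24 is the VPC subnet above.

# Address objects for both ends of the tunnel
config firewall address
    edit "LAN_net"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "VPC_net"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Static route for the VPC subnet via the route-based IPsec interface
# ("edit 0" creates a new entry with the next free ID)
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "to_aws"
    next
end

# LAN -> VPC and VPC -> LAN policies, both with NAT disabled so the VPC
# sees the real LAN source address and can route the reply back
config firewall policy
    edit 0
        set name "LAN_to_VPC"
        set srcintf "internal"
        set dstintf "to_aws"
        set srcaddr "LAN_net"
        set dstaddr "VPC_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "VPC_to_LAN"
        set srcintf "to_aws"
        set dstintf "internal"
        set srcaddr "VPC_net"
        set dstaddr "LAN_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Verify: the VPC route should point at to_aws, then sniff ICMP for the VPC
# subnet while pinging from a LAN host (verbosity 4 prints interface names,
# so you can see whether the echo request leaves on to_aws or somewhere else)
get router info routing-table all
diagnose sniffer packet any 'icmp and net 10.10.10.0/24' 4
```

With NAT left enabled on the LAN-to-VPC policy, the echo request would leave with a translated source address that the VPC route table and security groups are not expecting, which produces exactly the one-way symptom described in the question. If the sniffer shows the request arriving on `internal` but never leaving on `to_aws`, the problem is the route or the policy on the FortiGate; if it leaves on `to_aws` and no reply comes back, look at the AWS side.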
Hi,
Be sure to disable source/destination check on each EC2 instance you want to reach...
Regards,
HA
Can you share config?
I wrote this 5+ years ago and nothing really has changed, you might want to study your config and compare:
http://socpuppet.blogspot.com/2014/02/dual-vpc-terminate-on-fortigate-firewall.html
Ken Felix
PCNSE
NSE
StrongSwan
