- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Site-to-site between 100D and AWS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Site-to-site between 100D and AWS
Hello Everyone!
I would appreciate if someone could shed some light on my issue with IPSec VPN tunnel.
I have a pretty simple setup: Local Network (10.110.0.0/16), AWS VPC (172.10.10.0/24), and 100D firewall. I downloaded configs from AWS and build 2 redundant tunnels, which are up and passing "some" traffic. Everything is setup to pass all traffic from and to AWS without any explicit rules. I do interface-based VPN, so static route is setup to send all 172.10.10.20/24 traffic to VPN interface. The problem I'm having is that I can ping from AWS anything on 10.110.0.0 network, but I can't ping any AWS instances from my LAN.
I'm using "diagnose sniffer packet "MY_INTERFACE"" to see what's going on with the traffic and what I found out is, when I ping from my LAN, sniffer shows "279.429024 169.254.X.X -> 172.10.10.222: icmp: echo request" and I don't get any replies. However, if I specify source interface for my pings to be my firewall's local IP, I get replies back and sniffer shows the following "1208.781932 10.110.1.200 -> 172.10.10.222: icmp: echo request,
1208.821932 172.10.10.222 -> 10.110.1.200: icmp: echo reply".
I have similar tunnels (and they work as expected) from other locations and everything looks the same to me (I didn't setup original firewalls, but I built the network infrastructure in Amazon, so all static routes in Amazon are correct).
Thank you in advance!
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
and welcome to the forums.
You are using an APIPA IP address for your PC which is not routed across the tunnels. Supply a correct IP address from the local 10.110.1.x subnet and I bet it'll work.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a layer3 switch (10.110.1.1) in my LAN which has only one vlan setup 10.110.0.0/16 and route all 0.0.0.0 traffic to 10.110.1.200 (FW). So all computers that have static IPs with 10.110.1.1 as their default gateway have no issues communicating with each other and internet thru FW.
Also, it doesn't matter if I'm pinging from a computer connected to the switch or from FW using its console.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The diag debug flow filter command is your friend in this . It's probably due to a fwpolicy or snat enabled where it should be not. Ede is 100% in the earlier diagnostic but I would do a diag debug flow with a filter on the source /destination and review any output.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc NAT Traversal is Enabled for the actual tunnel. I tried Enable, Disable, Forced but that doesn't seem to make any difference. Phase 2 Selector for this tunnel has 10.110.0.0/16 as the Local Subnet and 172.10.10.0/24 as the Remote Subnet. Policy & Objects->IPv4 Policy has only NAT enabled between MGMT interface (which is connected to the switch) and WAN. any to Amazon and Amazon to any allows all without NAT. So in total I have only 3 policies. Network->Static Routes has only 2 static routes and Network->Policy Routes is empty. Here's the output when I try to ping 172.10.10.222 from FW console:
2016-04-25 10:48:07 id=20085 trace_id=1 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=1, 169.254.X.X:3328->172.10.10.222:8) from local. code=8, type=0, id=3328, seq=0." 2016-04-25 10:48:07 id=20085 trace_id=1 func=init_ip_session_common line=4868 msg="allocate a new session-00047c1a" 2016-04-25 10:48:07 id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=157 msg="enter IPsec interface-Amazon-1" 2016-04-25 10:48:07 id=20085 trace_id=1 func=ipsec_common_output4 line=764 msg="No matching IPsec selector, drop"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you run a new trace for the flow ? We need to see the fwpolicy-id and the following ""No matching IPsec selector, " means that src_id is NOT part of the encryption domain if I had to guess.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure how to see the fwpolicy_id, but it looks like my previous flow shows everything it can, as I'm only filtering by the ip addr. As far as the actual error "No matching IPsec selector", it is valid, because I don't have 169.254.X.X as the local subnet or IP as one of my Phase 2 selectors. The question is why do I have to add that address to selectors' list? It is the IP of my side of the tunnel.
If I do: execute ping-options source 10.110.1.200
execute ping 172.10.10.222
I get this flow:
2016-04-25 12:07:43 id=20085 trace_id=61 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=1, 10.110.1.200:3328->172.10.10.222:8) from local. code=8, type=0, id=3328, seq=0." 2016-04-25 12:07:43 id=20085 trace_id=61 func=init_ip_session_common line=4868 msg="allocate a new session-00001847" 2016-04-25 12:07:43 id=20085 trace_id=61 func=ipsecdev_hard_start_xmit line=157 msg="enter IPsec interface-Amazon-1" 2016-04-25 12:07:43 id=20085 trace_id=61 func=esp_output4 line=846 msg="IPsec encrypt/auth" 2016-04-25 12:07:43 id=20085 trace_id=61 func=ipsec_output_finish line=496 msg="send to 170.55.X.X via intf-wan2" 2016-04-25 12:07:43 id=20085 trace_id=62 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=1, 172.10.10.222:3328->10.110.1.200:0) from Amazon-1. code=0, type=0, id=3328, seq=0."
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's what you can do;
1: craft a policy with a snat pool of a valid address that's allowed across the tunnel (amazon-1 )
2: enable it ahead of the existing fwpolicies for "Amazon-1"
3: does it work when you ping from that host.
To answer the other question; your APIPA address is not part of the encryption domain hence it will generate a phase2 selector ( ispec error )
what do you have allow for tunnel Amazon-1 ( 172.16.10.0/24 )?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I mean, the questions are what is this APIPA address coming from, and why would a valid host use it? I would not recommend adding the APIPA subnet to the phase2 QM selectors. Try to find the reason this address is used in the first place.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ede_pfau
If you mean this address "169.254.X.X" then it's not APIPA - it is /30 ends of the tunnel, which were provided by Amazon.
Thanks everyone for your suggestions, I finally got it working. Here's what I did:
I double-triple checked my config and while I was tinkering with it I deleted Amazon Local to Remote policy from Policy & Objects->IPv4 Policy by mistake. I then re-added THE EXACT SAME policy and it started working!! I have no idea what was it, but I haven't changed anything else besides that. Could that be a glitch? I'm not sure.
While working on it, I also noticed that I have negotiation failures in progress IPsec phase 2:
I'm not sure if these errors affect the tunnel but I'd like to be able to resolve them. All settings (keylife, ike, etc) match both sides of the tunnel and traffic seems to be flowing ok, but I'm still worried.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Transit vlan from Nexus to Fortigate 113 Views
- Syslog to Zabbix > High CPU 189 Views
- Unable To Connect VPN 758 Views
- Mistenkly I I have disabled the... 537 Views
- Fortigate 100D - URL clicks in... 309 Views
Labels
-
FortiGate
7,154 -
FortiClient
1,412 -
5.2
801 -
5.4
639 -
FortiManager
619 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
374 -
FortiSwitch
372 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
Application control
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1062 | |
| 887 | |
| 527 | |
| 441 | |
| 151 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.