We are in the process of replacing a Meraki device with a FortiGate 80F. We attempted to migrate over but had to roll back after a critical service was not accessible.
We have IOT devices that use OpenVPN to connect to an OpenVPN server in AWS. Our AWS VPCs are attached to a Transit Gateway. We use AWS Site-to-Site VPN with Static routing to connect our Office to the Transit Gateway.
Hopefully this make sense: (There are other Subnets and VPCs so I have only included the relevant ones)
An IOT device on OpenVPN
172.22.22.154/16
|
|
OpenVPN Server
172.22.0.1/16 (VPN Address) - 10.10.0.1/16 (VPC Address)
|
|
VPC Route Table
172.22.0.0/16 -> (eni of OpenVPN Server)
10.10.0.0/16 -> Local VPC
192.168.1.0/24 -> Transit Gateway
192.168.2.0/24 -> Transit Gateway
|
|
Transit Gateway Route Table
10.10.0.0/16 -> VPC1 Attachment (Propagated)
172.22.0.0/16 -> VPC1 Attachment (Static)
192.168.1.0/24 -> VPN Attachment (Static)
192.168.2.0/24 -> VPN Attachment (Static)
|
|
AWS Transit Gateway
|
|
AWS Site to Site VPN (only one tunnel) Static Routes
|
|
AWS Customer Gateway
|
|
Meraki Device
WAN: 110.x.x.1/30 -> (it's gateway is 110.x.x.2)
LAN: 192.168.1.254/24
Route Table:
10.10.0.0/16 -> Site-to-Site VPN (Static)
172.22.0.0/16 -> Site-to-Site VPN (Static)
| |
| |
Router (L3 Switch) Workstation on Remote Worker VPN (l2tp over IPsec)
192.168.1.1 192.168.2.1/24
|
|
Workstation
192.168.1.2
Over the weekend we swapped the Meraki Device with the FortiGate 80F. We created a new Site-to-Site VPN in AWS using Dynamic routing this time. The Client Remote Access VPN that was on the Meraki was replicated on the FortiGate. All was going well until trying to communicate with a device on the 172.22.0.0/24 network.
This is the new setup: (Differences are in Bold)
An IOT device on OpenVPN
172.22.22.154/16
|
|
OpenVPN Server
172.22.0.1/16 - 10.10.0.1/16
|
|
VPC Route Table
172.22.0.0/16 -> (eni of OpenVPN Server)
10.10.0.0/16 -> Local VPC
192.168.1.0/24 -> Transit Gateway
192.168.2.0/24 -> Transit Gateway
|
|
Transit Gateway Route Table
10.10.0.0/16 -> VPC1 Attachment (Propagated)
172.22.0.0/16 -> VPC1 Attachment (Static)
192.168.1.0/24 -> VPN Attachment (Propagated)
192.168.2.0/24 -> VPN Attachment (Propagated)
|
|
AWS Transit Gateway
|
|
AWS Site to Site VPN (both tunnels) Dynamic Routing
|
|
AWS Customer Gateway
|
|
FortiGate 80F 7.0.5
WAN: 110.x.x.1/30 -> (it's gateway is 110.x.x.2)
LAN: 192.168.1.254/24
Route Table:
10.10.0.0/16 -> Site-to-Site VPN (BGP)
172.22.0.0/16 -> Site-to-Site VPN (BGP)
The 2 tunnels are in an SD-WAN Zone together
| |
| |
Router (L3 Switch) Workstation on Remote Worker VPN (l2tp over IPsec)
192.168.1.1 192.168.2.1/24
|
|
Workstation
192.168.1.2
I don't have it in place at the moment so cant get full details but this what I saw from the 192.168.1.0/24 network.
diag sniffer packet any 'host 10.10.0.1 and icmp' 4 0
-> AWS VPN Tunnel
diag sniffer packet any 'host 172.22.22.154 and icmp' 4 0
-> wan1
When I do a route lookup on the FortiGate to 172.22.22.154 it shows the BGP route to 172.22.0.0/16 via Tunnel 1 and Tunnel 2
The firewall has:
From | To | Source | Destination | NAT
Internal | AWS VPN Zone | 192.168.1.0/24 | 10.10.0.0/16 | No
172.22.0.0/16
AWS VPN Zone | Internal | 10.10.0.0/16 | 192.168.1.0/24 | No
172.22.0.0/16
l2t.root | AWS VPN Zone | 192.168.2.0/24 | 10.10.0.0/16 | No
172.22.0.0/16
AWS VPN Zone | l2t.root | 10.10.0.0/16 | 192.168.2.0/24 | No
172.22.0.0/16
We are new to Fortinet so would some guidance on where to go from here would be amazing.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
Thank you for your question. Based on your description and the fact, that some networks are able to communicate and some not means that there is probably either problem with firewall policy or with some routes withing BGP. First thing what I would do is to run debug flow, to understand what is FortiGate doing:
https://docs.fortinet.com/document/fortigate/6.2.7/cookbook/54688/debugging-the-packet-flow
This debug will tell you, if the traffic is allowed, which should be based on the details provided. Then it will tell you if correct interface is selected as destination. It can also show you if there are any problems with selectors within IPSEC. But my guess is that you have 0.0.0.0/0 as source and destination selectors.
Also the packet capture can tell you if packet is being sent out via correct interface and if reply is received. If you have 2 tunnels, it might be possible that the traffic is going out via VPN1 and reply is coming back via VPN2 and it that case FortiGate might drop the traffic unless some modifications are made. You might test it with only one site to site VPN up and test if the traffic for all destinations will be working.
Thank you for the direction this gave me a bit to work with.
I set up the 80F in a dev environment. It has just wan2 connected and only 1 tunnel to AWS.
Looking at the flow log there was a reference to "Match policy routing id=..." for traffic to the 172.22.0.0/16 network. This was an SD-WAN Rule telling some networks to favor wan1. I have removed these rules for now but it is something that we want to work out.
id=20085 trace_id=55 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.7.188:1->172.22.22.129:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=144."
id=20085 trace_id=55 func=init_ip_session_common line=6003 msg="allocate a new session-00006038, tun_id=0.0.0.0"
id=20085 trace_id=55 func=rpdb_srv_match_input line=1028 msg="Match policy routing id=2133393410: to 172.22.22.129 via ifindex-6"
id=20085 trace_id=55 func=vf_ip_route_input_common line=2604 msg="find a route: flag=04000000 gw-10.0.0.1 via wan2"
Using this map as a summary of the map in the original post:
Device on VPN (172.22.22.154/16)
|
|
OpenVPN Server (10.10.0.1/16 and 172.22.0.1/16)
|
|
Transit Gateway and Site-to-Site VPN
|
|
Meraki (192.168.1.254/24)
|
|
Router/L3 Switch (192.168.1.1/24)
|
|
Workstation (192.168.1.2)
We used TCPDump on the OpenVPN Server:
Ping to OpenVPN VPC Address
In ethertype IPv4 (0x0800), length 76: 192.168.1.2 > 10.10.0.1: ICMP echo request, id 1, seq 39, length 40
Out ethertype IPv4 (0x0800), length 76: 10.10.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 39, length 40
Ping to OpenVPN VPN Address
In ethertype IPv4 (0x0800), length 76: 192.168.1.2 > 172.22.0.1: ICMP echo request, id 1, seq 43, length 40
Out ethertype IPv4 (0x0800), length 76: 172.22.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 43, length 40
Ping to Device on VPN
In ethertype IPv4 (0x0800), length 76: 192.168.1.2 > 172.22.22.154: ICMP echo request, id 1, seq 47, length 40
Out ethertype IPv4 (0x0800), length 76: 172.22.0.1 > 172.22.22.154: ICMP echo request, id 1, seq 47, length 40
In ethertype IPv4 (0x0800), length 76: 172.22.22.126 > 172.22.0.1: ICMP echo reply, id 1, seq 47, length 40
Out ethertype IPv4 (0x0800), length 76: 172.22.22.154 > 192.168.1.2: ICMP echo reply, id 1, seq 47, length 40
Basically the above is what we want to see when we swap to the FortiGate device.
Swapping the Meraki for the FortiGate:
Device on VPN (172.22.22.154/16)
|
|
OpenVPN Server (10.10.0.1/16 and 172.22.0.1/16)
|
|
Transit Gateway and Site-to-Site VPN
|
|
FORTIGATE 80F (192.168.7.254/24) <- Temp Dev network
|
|
Workstation (192.168.7.2/24) <- Temp Dev network
Using TCPDump on the OpenVPN Server:
Ping to OpenVPN VPC Address
In ethertype IPv4 (0x0800), length 76: 192.168.7.2 > 10.10.0.1: ICMP echo request, id 1, seq 617, length 40
Out ethertype IPv4 (0x0800), length 76: 10.10.0.1 > 192.168.7.2: ICMP echo reply, id 1, seq 617, length 40
When we Ping to OpenVPN VPN Address and Ping to Device on VPN the workstation gets "Request timed out." and TCPDump shows nothing.
These are the results of a debug flow:
On the FortiGate:
diagnose debug flow filter daddr 10.10.0.1
diagnose debug enable
diagnose debug flag trace start
On the workstation:
tracert 10.10.0.6
Result:
id=20085 trace_id=186 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.7.2:1->10.10.0.1:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=639."
id=20085 trace_id=186 func=init_ip_session_common line=6003 msg="allocate a new session-00013f90, tun_id=0.0.0.0"
id=20085 trace_id=186 func=vf_ip_route_input_common line=2604 msg="find a route: flag=04000000 gw-XX.XX.XX.XX via AWS-WAN2-TUN1"
id=20085 trace_id=186 func=fw_forward_handler line=874 msg="Allowed by Policy-12:"
On the FortiGate:
diagnose debug flow filter daddr 172.22.0.1
diagnose debug flag trace start
On the Workstation:
tracert 172.22.0.1
Result:
id=20085 trace_id=185 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.7.2:1->172.22.0.1:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=630."
id=20085 trace_id=185 func=init_ip_session_common line=6003 msg="allocate a new session-00013e7a, tun_id=0.0.0.0"
id=20085 trace_id=185 func=vf_ip_route_input_common line=2604 msg="find a route: flag=04000000 gw-XX.XX.XX.XX via AWS-WAN2-TUN1"
id=20085 trace_id=185 func=fw_forward_handler line=874 msg="Allowed by Policy-12:"
We have reviewed the iptables rules on the OpenVPN server and these are the relevant rules for these tests (192.168.7.0/24 is within 192.168.6.0/23):
## 192.168.6.0/23 ##
# ACCEPT ICMP ping to tun0 172.22.0.0/16
iptables -A FORWARD -i eth0 -s 192.168.6.0/23 -p icmp -o tun0 -d 172.22.0.0/16 -j ACCEPT
# ACCEPT already established connections from tun0 172.22.0.0/16
iptables -A FORWARD -m state -i tun0 -s 172.22.0.0/16 -o eth0 -d 192.168.6.0/23 --state ESTABLISHED,RELATED -j ACCEPT
# MASQUERADE Forwards to tun0 172.22.0.0/16 to avoid the need to push a route
iptables -t nat -A POSTROUTING -s 192.168.6.0/23 -o tun0 -d 172.22.0.0/16 -j MASQUERADE
Thank you for the direction this gave me a bit to work with.
I set up the 80F in a dev environment. It has just wan2 connected and only 1 tunnel to AWS.
Looking at the flow log there was a reference to "Match policy routing id=..." for traffic to the 172.22.0.0/16. This was an SD-WAN Rule telling some networks to favor wan1. I have removed these rules for now but it is something that we want to work out.
id=20085 trace_id=55 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.7.2:1->172.22.22.154:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=144."
id=20085 trace_id=55 func=init_ip_session_common line=6003 msg="allocate a new session-00006038, tun_id=0.0.0.0"
id=20085 trace_id=55 func=rpdb_srv_match_input line=1028 msg="Match policy routing id=2133393410: to 172.22.22.154 via ifindex-6"
id=20085 trace_id=55 func=vf_ip_route_input_common line=2604 msg="find a route: flag=04000000 gw-XX.XX.XX.XX via wan2"
Using this map as a summary of the map in the original post:
Device on VPN (172.22.22.154/16)
|
|
OpenVPN Server (10.10.0.1/16 and 172.22.0.1/16)
|
|
Transit Gateway and Site-to-Site VPN
|
|
Meraki (192.168.1.254/24)
|
|
Router/L3 Switch (192.168.1.1/24)
|
|
Workstation (192.168.1.2/24)
Using TCPDump on the OpenVPN Server:
Ping to OpenVPN Server VPC Address
In ethertype IPv4 (0x0800), length 76: 192.168.1.2 > 10.10.0.1: ICMP echo request, id 1, seq 39, length 40
Out ethertype IPv4 (0x0800), length 76: 10.10.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 39, length 40
Ping to OpenVPN Server VPN Address
In ethertype IPv4 (0x0800), length 76: 192.168.1.2 > 172.22.0.1: ICMP echo request, id 1, seq 43, length 40
Out ethertype IPv4 (0x0800), length 76: 172.22.0.1 > 192.168.1.2: ICMP echo reply, id 1, seq 43, length 40
Ping to Device on VPN
In ethertype IPv4 (0x0800), length 76: 192.168.1.2 > 172.22.22.154: ICMP echo request, id 1, seq 47, length 40
Out ethertype IPv4 (0x0800), length 76: 172.22.0.1 > 172.22.22.154: ICMP echo request, id 1, seq 47, length 40
In ethertype IPv4 (0x0800), length 76: 172.22.22.154 > 172.22.0.1: ICMP echo reply, id 1, seq 47, length 40
Out ethertype IPv4 (0x0800), length 76: 172.22.22.154 > 192.168.1.2: ICMP echo reply, id 1, seq 47, length 40
Basically the above is what we want to see with the new device.
Then testing with the FortiGate in place:
Device on VPN (172.22.22.154/16)
|
|
OpenVPN Server (10.10.0.1/16 and 172.22.0.1/16)
|
|
Transit Gateway and Site-to-Site VPN
|
|
FORTIGATE 80F (192.168.7.254/24) <- Testing network
|
|
Workstation (192.168.7.2) <- Testing network
Using TCPDump on the OpenVPN Server:
Ping to OpenVPN VPC Address
In ethertype IPv4 (0x0800), length 76: 192.168.7.2 > 10.10.0.1: ICMP echo request, id 1, seq 617, length 40
Out ethertype IPv4 (0x0800), length 76: 10.10.0.1 > 192.168.7.2: ICMP echo reply, id 1, seq 617, length 40
When we Ping to OpenVPN VPN Address and Ping to Device on VPN the workstation gets "Request timed out." and TCPDump shows nothing.
These are the results of debug flow on the FortiGate:
On the FortiGate:
diagnose debug flow filter daddr 10.10.0.1
diagnose debug enable
diagnose debug flag trace start
On the Workstation:
tracert 10.10.0.1
Result:
id=20085 trace_id=186 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.7.2:1->10.10.0.1:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=639."
id=20085 trace_id=186 func=init_ip_session_common line=6003 msg="allocate a new session-00013f90, tun_id=0.0.0.0"
id=20085 trace_id=186 func=vf_ip_route_input_common line=2604 msg="find a route: flag=04000000 gw-XX.XX.XX.XX via AWS-WAN2-TUN1"
id=20085 trace_id=186 func=fw_forward_handler line=874 msg="Allowed by Policy-12:"
On the FortiGate:
diagnose debug flow filter daddr 172.22.0.1
diagnose debug flag trace start
On the Workstation:
tracert 172.22.0.1
Result:
id=20085 trace_id=185 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.7.2:1->172.22.0.1:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=630."
id=20085 trace_id=185 func=init_ip_session_common line=6003 msg="allocate a new session-00013e7a, tun_id=0.0.0.0"
id=20085 trace_id=185 func=vf_ip_route_input_common line=2604 msg="find a route: flag=04000000 gw-XX.XX.XX.XX via AWS-WAN2-TUN1"
id=20085 trace_id=185 func=fw_forward_handler line=874 msg="Allowed by Policy-12:"
We reviewed the iptables rules on the OpenVPN Server. These are the rules relevant to our tests:
## 192.168.6.0/23 ##
# ACCEPT ICMP ping to tun0 172.22.0.0/16
iptables -A FORWARD -i eth0 -s 192.168.6.0/23 -p icmp -o tun0 -d 172.22.0.0/16 -j ACCEPT
# ACCEPT already established connections from tun0 172.22.0.0/16
iptables -A FORWARD -m state -i tun0 -s 172.22.0.0/16 -o eth0 -d 192.168.6.0/23 --state ESTABLISHED,RELATED -j ACCEPT
# MASQUERADE Forwards to tun0 172.22.0.0/16 to avoid the need to push a route
iptables -t nat -A POSTROUTING -s 192.168.6.0/23 -o tun0 -d 172.22.0.0/16 -j MASQUERADE
Thank you for the direction this gave me a bit to work with.
I set up the 80F in a dev environment. It has just wan2 connected and only 1 tunnel to AWS.
Looking at the flow log there was a reference to "Match policy routing id=..." for traffic to the 172.22.0.0/16 network. This was an SD-WAN Rule telling some networks to favor wan1. I have removed these rules for now but it is something that we want to work out.
id=20085 trace_id=55 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.7.2:1->172.22.22.154:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=144."
id=20085 trace_id=55 func=init_ip_session_common line=6003 msg="allocate a new session-00006038, tun_id=0.0.0.0"
id=20085 trace_id=55 func=rpdb_srv_match_input line=1028 msg="Match policy routing id=2133393410: to 172.22.22.154 via ifindex-6"
id=20085 trace_id=55 func=vf_ip_route_input_common line=2604 msg="find a route: flag=04000000 gw-XX.XX.XX.XX via wan2"
Using this map as a summary of the map in the original post
Device on VPN (172.22.22.154/16)
|
|
OpenVPN Server (10.10.0.1/16 and 172.22.0.1/16)
|
|
Transit Gateway and Site-to-Site VPN
|
|
Meraki (192.168.1.254/24)
|
|
Router/L3 Switch (192.168.1.1/24)
|
|
Workstation (192.168.1.2/24)
Hello,
Based on your last reply, it looks also you have configured SD-WAN in your FGT.
have you looked at the KB below, it might have some useful info for your case
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-FortiGate-SD-WAN-with-an-IPSEC-V...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.