toan2552
New Contributor

AWS and FortiGate

Hi,

I have an IPsec connection set up from AWS to a FortiGate.

In AWS, there's a private subnet containing various services, including EC2 instances.

Behind my FortiGate there are two networks, a DMZ network and an internal network, and both can communicate with the EC2 instances without any issues.

However, I'm currently facing a challenge: I want to enable internet access for the EC2 instances through the IPsec connection, following this path:

EC2 ===> FortiGate 1 ===> Internet

To achieve this, I've configured the AWS route table to have a route with destination 0.0.0.0/0 pointing to the virtual private gateway (VGW) to handle internet-bound traffic.

On the FortiGate side, I've implemented two policies. The first policy allows traffic from the WAN to the AWS IPsec tunnel, and the second policy allows traffic from the AWS IPsec tunnel to the WAN.

Unfortunately, despite these configurations, the setup isn't functioning as expected. When capturing traffic on the FortiGate, the results show:

1 0.000000 192.168.16.44 8.8.8.8 ICMP 60 Echo (ping) request id=0x0001, seq=51820/27850, ttl=128 (no response found!)

This suggests that the ping request from 192.168.16.44 (presumably one of the EC2 instances) to 8.8.8.8 (Google's DNS server) did not receive a response.

I'd appreciate any guidance or suggestions to troubleshoot and resolve this issue.

Thank you.


Toshi_Esumi
SuperUser

Not sure about any specifics on AWS. But generally, if you simply point the default route into a tunnel on any router or firewall, the tunnel won't come up any more, because there is no longer a default route to reach the peer over the internet interface.

Likely you need to have a /32 route for the FGT's WAN IP address to the internet on the AWS side. If it's a dynamic IP, you need to set up FortiDDNS and then use the DNS name for the /32 route.


Toshi

sjoshi
Staff

Dear toan2552,

Thank you for posting to the Fortinet Community Forum.

Problem Description:

AWS and FortiGate

From the update, I believe you want to route the internet traffic for the EC2 instances through the FGT.

In that case there should be a default route pointed towards the IPsec interface on the AWS side.

Further, for the VPN connection, make sure a static route is present towards the FGT WAN IP from the AWS WAN interface.

Now enable NAT on the firewall policy from the tunnel to the WAN.

If you still face the issue, please share the output below:

diagnose sniffer packet any 'host 1.1.1.1 and icmp' 4 0 l


Let us know if this helps.

Thanks

Salon Raj Joshi
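To make the two replies above concrete, here is an added FortiOS CLI example of the FortiGate side of this setup. It is not taken from the thread and is not the poster's configuration. The tunnel interface name "FG-AWS-2" comes from the sniffer output in the thread; the WAN interface name "wan1", the default gateway 203.0.113.1, the AWS subnet 192.168.16.0/24 and the address object name AWS_PRIVATE_SUBNET are assumptions. Only the private subnet's route table on the AWS side needs the 0.0.0.0/0 route to the VGW; the FortiGate must keep its own default route on the WAN interface, since that is how it reaches both the AWS tunnel endpoints and the internet.

```fortios
# Added example (not from the thread): FortiOS CLI for sending EC2 internet
# traffic out of the FortiGate WAN interface.
# Assumed names/values: "wan1", gateway 203.0.113.1, subnet 192.168.16.0/24,
# address object AWS_PRIVATE_SUBNET. "FG-AWS-2" is the tunnel interface seen
# in the sniffer output posted in the thread.

# 1. Route back to the AWS subnet via the tunnel. Without it the FortiGate's
#    reverse-path check drops packets arriving on FG-AWS-2 from 192.168.16.0/24,
#    which matches a capture that shows only "in" and never "out".
config router static
    edit 0
        set dst 192.168.16.0 255.255.255.0
        set device "FG-AWS-2"
        set comment "AWS private subnet via IPsec"
    next
end

# 2. The FortiGate's own default route stays on the WAN interface (assumed
#    gateway). Never point it into the tunnel, or the tunnel cannot come up.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end

# 3. AWS VGW tunnels are route-based: keep the phase 2 selectors at 0.0.0.0/0
#    so traffic to arbitrary internet destinations is accepted by the tunnel.
config vpn ipsec phase2-interface
    edit "FG-AWS-2"
        set phase1name "FG-AWS-2"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

config firewall address
    edit "AWS_PRIVATE_SUBNET"
        set subnet 192.168.16.0 255.255.255.0
    next
end

# 4. Tunnel -> WAN policy with source NAT (what the staff reply asks for).
#    Restrict srcaddr to the AWS subnet rather than "all": this policy makes
#    the FortiGate an internet egress point for the VPC, so keep it narrow
#    and log it.
config firewall policy
    edit 0
        set name "aws-to-internet"
        set srcintf "FG-AWS-2"
        set dstintf "wan1"
        set srcaddr "AWS_PRIVATE_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# 5. If the sniffer still shows only "in" on FG-AWS-2, trace the forwarding
#    decision to see whether the drop is the route lookup, RPF or policy:
# diagnose debug flow filter addr 192.168.16.44
# diagnose debug flow show function-name enable
# diagnose debug flow trace start 10
# diagnose debug enable
```

Replies to the EC2 traffic come back through the existing session, so no separate WAN-to-tunnel policy is required for this use case; a broad WAN-to-tunnel policy only opens unsolicited inbound connections from the internet to the VPC and is better removed or restricted to what is actually needed.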
toan2552

Dear Salon,

Here is the diagnose output:

diagnose sniffer packet any 'host 192.168.16.44 and icmp' 4 0 l
interfaces=[any]
filters=[host 192.168.16.44 and icmp]
2023-07-20 09:58:30.882948 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:35.887153 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:40.908303 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:45.908813 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:50.909318 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:55.910043 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:00.910546 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:05.911074 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:10.911382 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:15.911851 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:20.912448 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request


192.168.16.44 is the EC2 machine; it has no connection to the internet.

The AWS route table sends 0.0.0.0/0 to vgw-0a0c479899dd6fb2c.

I think that it doesn't know how to return to 192.168.16.44, because I can ping from 192.168.7.4 (internal address) to 192.168.16.44 but not from 192.168.16.44 to 192.168.7.4.
