Hi,
I have an IPsec connection set up from AWS to Fortigate.
In AWS, there's a private subnet containing various services, including EC2 instances.
Within my Fortinet, there are two networks - a DMZ network and an internal network, and they can communicate with the EC2 instances without any issues.
However, I'm currently facing a challenge: I want to enable internet access for the EC2 instances through the IPsec connection, following this path:
EC2 ===> Fortigate 1 ===> Internet
To achieve this, I've configured the AWS route table to have a route with destination 0.0.0.0/0 pointing to the virtual private gateway (VGW) to handle internet-bound traffic.
On the Fortigate side, I've implemented two policies. The first policy is to allow traffic from the WAN to AWS IPsec, and the second policy is to allow traffic from AWS IPsec to the WAN.
Unfortunately, despite these configurations, the setup isn't functioning as expected. When capturing traffic on the Fortigate, the results show:
1 0.000000 192.168.16.44 8.8.8.8 ICMP 60 Echo (ping) request id=0x0001, seq=51820/27850, ttl=128 (no response found!)
This suggests that the ping request from 192.168.16.44 (presumably one of the EC2 instances) to 8.8.8.8 (Google's DNS server) did not receive a response.
I'd appreciate any guidance or suggestions to troubleshoot and resolve this issue.
Thank you.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Not sure about any specifics on AWS. But generally if you simply point the default route into a tunnel with any routers or FWs, the tunnel won't come up any more because there is no default route to reach the peer over the internet interface.
Likely you need to have a /32 route for the FGT's wan IP address to the internet on the aws side. If it's dynamic IP, you need to set up FortiDDNS then use the DNS name for the /32 route.
Toshi
Dear toan2552,
Thank you for posting to the Fortinet Community Forum.
Problem Description:-
aws and fortigate
From the update I believe you want to route the internet traffic for EC2 instances through the FGT.
In that case there should be default route pointed towards the IPSEC interface on AWS side.
Further for the vpn connection make sure static route is present towards the FGT wan ip from AWS wan interface.
Now enable NAT on the firewall policy from tunnel to wan.
If you still face the issue, please share below output:-
diagnose sniffer packet any 'host 1.1.1.1 and icmp' 4 0 l
Let us know if this helps.
Thanks
Dear Salon,
I show you the diagnose
diagnose sniffer packet any 'host 192.168.16.44 and icmp' 4 0 l
interfaces=[any]
filters=[host 192.168.16.44 and icmp]
2023-07-20 09:58:30.882948 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:35.887153 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:40.908303 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:45.908813 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:50.909318 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:58:55.910043 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:00.910546 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:05.911074 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:10.911382 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:15.911851 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
2023-07-20 09:59:20.912448 FG-AWS-2 in 192.168.16.44 -> 8.8.8.8: icmp: echo request
the 192.168.16.44 is e2c machine, it has not connection to internet.
The aws vpn route 0.0.0.0/0 to vgw-0a0c479899dd6fb2c
I thing that it doesn't know how to return to 192.168.16.44 because I have ping from 192.168.7.4 (internal address) to 192.168.16.44 but not ping from 192.168.16.44 to 192.168.7.4
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1629 | |
1063 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.