Hello, I'm currently working on a proof of concept (POC) involving two FortiGate firewalls: one located on-premises and the other in AWS. My objective is to access a test VM behind the AWS FortiGate, which is situated in the same private subnet and VPC. Interestingly, the AWS FortiGate can successfully reach the VM, and vice versa. However, I'm encountering difficulties when attempting to access the VM from the on-premises network. Upon investigation using a sniffer, I've observed that the traffic is indeed traversing the IPsec tunnel. I've also ensured that the relevant IP addresses are allowed in the VM's security group. Could someone please offer guidance on resolving this issue?
Hi Hassan
From the logs we see the icmp echo request enters the JK Home VPN but never exits from port2, I think you should check the related firewall policy and IPsec phase 2 selector source & destination subnet, they should allow the required source to the required destination.
Thanks @AEK. IPsec phase 2 selector source & destination subnet are 0.0.0.0/0.0.0.0
Also, the policies are in place as well.
Hello Hassan,
I suggest running a debug flow and verify if the packets are allowed/blocked by the FortiGate:
diag debug flow filter clear
diag debug flow filter addr 172.30.1.138 <src-ip> and
diag debug flow filter proto 1
diag debug flow trace start 100
diag debug enable
Hi @Hassan-wahab,
Please refer to this article to collect debug flow: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Regards,
Hi, @hbac & @syao
Attached are the debug logs and policies from AWS Fortigate.
FGT01 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 172.30.1.1, port1, [1/0]
C 172.30.1.0/25 is directly connected, port1
C 172.30.1.128/25 is directly connected, port2
Thank you for your assistance. I managed to resolve the issue. I realized that I had overlooked setting up a static route on AWS, where the Fortigate firewall recommended directing the private subnet traffic to the Fortigate's public NIC(Ending b71e). After configuring this route, I then added another route where I specified the destination as 0.0.0.0/0 and targeted the Fortigate's private NIC(Ending 8403). This solution resolved the problem, and I can now successfully reach EC2 instances in AWS from on-premises machines.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1778 | |
1116 | |
767 | |
447 | |
242 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.