Support Forum
Hassan-wahab
New Contributor II

On-prem FortiGate can't reach EC2 VM via AWS FortiGate IPsec

Hello, I'm currently working on a proof of concept (POC) involving two FortiGate firewalls: one located on-premises and the other in AWS. My objective is to access a test VM behind the AWS FortiGate, which is situated in the same private subnet and VPC. Interestingly, the AWS FortiGate can successfully reach the VM, and vice versa. However, I'm encountering difficulties when attempting to access the VM from the on-premises network. Upon investigation using a sniffer, I've observed that the traffic is indeed traversing the IPsec tunnel. I've also ensured that the relevant IP addresses are allowed in the VM's security group. Could someone please offer guidance on resolving this issue?
(attachment: sniffer.JPG)

6 Replies
AEK
SuperUser

Hi Hassan

From the logs we see the ICMP echo request enters the JK Home VPN but never exits from port2. I think you should check the related firewall policy and the IPsec phase 2 selector source and destination subnets; they should allow the required source to the required destination.

AEK
Hassan-wahab
New Contributor II

Thanks @AEK. The IPsec phase 2 selector source and destination subnets are 0.0.0.0/0.0.0.0.
Also, the policies are in place as well.

syao
Staff

Hello Hassan,

I suggest running a debug flow to verify whether the packets are allowed or blocked by the FortiGate:

diag debug flow filter clear
# <src-ip> is the on-prem source address; "and" requires both addresses to match (traffic between the pair)
diag debug flow filter addr 172.30.1.138 <src-ip> and
diag debug flow filter proto 1
diag debug flow trace start 100
diag debug enable
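A way to read the output those commands produce, as an added example (Python, not from syao's post and not a FortiOS tool): it groups the trace lines by trace_id and reports, per packet, the ingress interface, the interface the route lookup chose, and the policy verdict, so a trace that enters the tunnel but never receives a verdict stands out next to one that was explicitly denied. The sample lines are constructed in the shape of FortiOS debug-flow messages; the on-prem host 192.168.10.50, the session and trace IDs, and the policy number are assumptions, while 172.30.1.138 and the "JK Home VPN" interface name come from the thread. Once enough packets have been captured, stop the trace with `diagnose debug flow trace stop` and `diagnose debug disable`.

```python
"""Summarise FortiOS 'diagnose debug flow' output per trace_id for triage.

Added example, not the poster's logs or code. SAMPLE_FLOW is constructed in the
shape of FortiOS debug-flow messages: 192.168.10.50 is an assumed on-prem host,
172.30.1.138 is the EC2 VM behind port2, "JK Home VPN" is the tunnel interface.
"""
import re

SAMPLE_FLOW = """\
id=20085 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.10.50:1->172.30.1.138:2048) tun_id=203.0.113.10 from JK Home VPN. type=8, code=0, id=1, seq=1."
id=20085 trace_id=7 func=init_ip_session_common line=6076 msg="allocate a new session-00001a2b, tun_id=203.0.113.10"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-172.30.1.138 via port2"
id=20085 trace_id=7 func=fw_forward_handler line=990 msg="Allowed by Policy-3:"
id=20085 trace_id=8 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.10.50:1->172.30.1.138:2048) tun_id=203.0.113.10 from JK Home VPN. type=8, code=0, id=1, seq=2."
id=20085 trace_id=8 func=init_ip_session_common line=6076 msg="allocate a new session-00001a2c, tun_id=203.0.113.10"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-172.30.1.138 via port2"
id=20085 trace_id=8 func=fw_forward_handler line=865 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=9 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 172.30.1.138:1->192.168.10.50:0) tun_id=0.0.0.0 from port2. type=0, code=0, id=1, seq=1."
id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5976 msg="Find an existing session, id-00001a2b, reply direction"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-192.168.10.50 via JK Home VPN"
id=20085 trace_id=10 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.10.50:1->172.30.1.138:2048) tun_id=203.0.113.10 from JK Home VPN. type=8, code=0, id=1, seq=3."
id=20085 trace_id=10 func=init_ip_session_common line=6076 msg="allocate a new session-00001a2d, tun_id=203.0.113.10"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-172.30.1.138 via port2"
"""

# msg="..." is the last field of every debug-flow line; everything we need is inside it.
TRACE_RE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\).*? from (.+?)\. ')
ROUTE_RE = re.compile(r'find a route: .*? via (\S.*)$')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by (.+)')
EXIST_RE = re.compile(r'Find an existing session, id-(\S+), (\w+) direction')


def parse_flow(text):
    """Group debug-flow lines by trace_id and extract ingress, chosen egress and verdict."""
    traces = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {"proto": None, "src": None, "dst": None,
                                    "ingress": None, "egress": None, "verdict": None})
        if (p := PKT_RE.search(msg)):
            t["proto"], t["src"], t["dst"], t["ingress"] = int(p.group(1)), p.group(2), p.group(3), p.group(4)
        elif (r := ROUTE_RE.search(msg)):
            t["egress"] = r.group(1)          # interface the route lookup selected
        elif (a := ALLOW_RE.search(msg)):
            t["verdict"] = f"allowed by policy {a.group(1)}"
        elif (d := DENY_RE.search(msg)):
            t["verdict"] = "denied: " + d.group(1)   # "policy 0" is the implicit deny
        elif (e := EXIST_RE.search(msg)):
            t["verdict"] = f"existing session {e.group(1)}, {e.group(2)} direction"
        elif "drop" in msg.lower():
            t["verdict"] = "dropped: " + msg
    return traces


def triage(traces):
    """One line per trace: what came in, where the route sends it, and what the policy did."""
    lines = []
    for tid, t in sorted(traces.items()):
        verdict = t["verdict"] or "no policy verdict logged"
        lines.append(f"trace {tid}: {t['src']}->{t['dst']} in={t['ingress']} "
                     f"route={t['egress'] or 'none'} {verdict}")
    return lines


def stuck_traces(traces):
    """Traces that entered but were never allowed: denied, dropped, or with no verdict at all."""
    return [tid for tid, t in sorted(traces.items())
            if not (t["verdict"] or "").startswith(("allowed", "existing"))]


if __name__ == "__main__":
    flow = parse_flow(SAMPLE_FLOW)
    print("\n".join(triage(flow)))
    print("needs attention:", stuck_traces(flow))
```

In the sample, trace 8 is the case AEK described (a matching policy is missing, so the implicit deny fires), while trace 10 has a route to port2 but no verdict at all; a run full of traces like 10 points away from the FortiGate policy and towards whatever sits on port2, which is where this thread ended up.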

hbac
Staff
Hassan-wahab
New Contributor II

Hi, @hbac & @syao
Attached are the debug logs and policies from the AWS FortiGate.

FGT01 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [5/0] via 172.30.1.1, port1, [1/0]
C 172.30.1.0/25 is directly connected, port1
C 172.30.1.128/25 is directly connected, port2



(attachments: logs.JPG, policies.JPG)

Hassan-wahab
New Contributor II

Thank you for your assistance. I managed to resolve the issue. I realized that I had overlooked setting up a static route on AWS, where the FortiGate firewall recommended directing the private subnet traffic to the FortiGate's public NIC (ending b71e). After configuring this route, I then added another route where I specified the destination as 0.0.0.0/0 and targeted the FortiGate's private NIC (ending 8403). This solution resolved the problem, and I can now successfully reach EC2 instances in AWS from on-premises machines.
(attachments: aws.JPG, logs2.JPG)
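The fix in this reply lives in the VPC route tables rather than on the FortiGate, so a check that the routes are actually in place is worth having. The following is an added example (Python, neither the poster's nor Fortinet's code) that evaluates data in the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces` output the way the VPC router would (longest-prefix match over active routes) and flags the two routes described above when they are missing, plus one thing the thread does not mention: the source/destination check on both FortiGate ENIs has to be disabled, or AWS drops packets the instance forwards on behalf of other hosts. All identifiers (ENI, subnet, route-table and internet-gateway IDs) and the on-prem prefix 192.168.10.0/24 are assumptions; only the 172.30.1.0/25 and 172.30.1.128/25 subnets come from the routing table posted earlier, and the "before" state is constructed, not the poster's actual configuration.

```python
"""Check VPC routing for the two routes the accepted reply added, plus the ENI
source/destination-check setting. Added example; not the poster's code.

Inputs mimic the JSON shape of `aws ec2 describe-route-tables` and
`aws ec2 describe-network-interfaces`; every identifier is constructed and only
the 172.30.1.x subnets come from the FortiGate routing table in the thread.
"""
import ipaddress

FGT_PORT1_ENI = "eni-0a1b2c3d4e5f6b71e"    # FortiGate public NIC (port1, 172.30.1.0/25), assumed ID
FGT_PORT2_ENI = "eni-0f9e8d7c6b5a48403"    # FortiGate private NIC (port2, 172.30.1.128/25), assumed ID
PUBLIC_SUBNET = "subnet-0a0a0a0a0a0a0a0a1"  # assumed
PRIVATE_SUBNET = "subnet-0b0b0b0b0b0b0b0b2"  # assumed
VPC_CIDR, PRIVATE_CIDR = "172.30.1.0/24", "172.30.1.128/25"
ONPREM_CIDR = "192.168.10.0/24"            # assumed on-prem LAN behind the tunnel


def route_table_for(route_tables, subnet_id):
    """Explicitly associated route table, or None (AWS would fall back to the main table)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def route_target(route):
    return route.get("NetworkInterfaceId") or route.get("GatewayId") or route.get("InstanceId")


def best_route(rt, dest_cidr):
    """Longest-prefix match over active IPv4 routes, which is how the VPC router chooses."""
    dest = ipaddress.ip_network(dest_cidr)
    best = None
    for r in rt.get("Routes", []):
        cidr = r.get("DestinationCidrBlock")          # skips IPv6 / prefix-list routes
        if not cidr or r.get("State", "active") != "active":
            continue
        net = ipaddress.ip_network(cidr)
        if net.supernet_of(dest) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def check_vpc_routing(route_tables, interfaces, onprem_cidr=ONPREM_CIDR):
    """Return findings; an empty list means the routing matches the fix in the thread."""
    findings = []
    priv = route_table_for(route_tables, PRIVATE_SUBNET)
    r = best_route(priv, onprem_cidr) if priv else None
    if r is None or route_target(r) != FGT_PORT2_ENI:   # VM's replies must go back via port2
        findings.append(f"private subnet RT: {onprem_cidr} -> {route_target(r) if r else 'no route'}, "
                        f"expected FortiGate port2 ENI {FGT_PORT2_ENI}")
    pub = route_table_for(route_tables, PUBLIC_SUBNET)
    r = best_route(pub, PRIVATE_CIDR) if pub else None
    if r is None or route_target(r) != FGT_PORT1_ENI:   # the first route the reply describes
        findings.append(f"public subnet RT: {PRIVATE_CIDR} -> {route_target(r) if r else 'no route'}, "
                        f"expected FortiGate port1 ENI {FGT_PORT1_ENI}")
    # Not mentioned in the thread, but required for any EC2 instance that forwards
    # traffic it did not originate: the ENI source/destination check must be off.
    for eni in interfaces:
        if eni["NetworkInterfaceId"] in (FGT_PORT1_ENI, FGT_PORT2_ENI) and eni.get("SourceDestCheck", True):
            findings.append(f"{eni['NetworkInterfaceId']}: source/destination check is still enabled")
    return findings


def _rt(rt_id, subnet_id, *routes):
    return {"RouteTableId": rt_id, "Associations": [{"SubnetId": subnet_id}],
            "Routes": [dict(r, State="active") for r in routes]}


LOCAL = {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"}
IGW = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0c0c0c0c0c0c0c0c1"}  # assumed

# Constructed "before" state: the VM's subnet only has the VPC-local route, so the
# VPC router has no route at all for the VM's replies to the on-prem prefix.
ROUTE_TABLES_BEFORE = [
    _rt("rtb-0d0d0d0d0d0d0d0d1", PUBLIC_SUBNET, LOCAL, IGW),
    _rt("rtb-0d0d0d0d0d0d0d0d2", PRIVATE_SUBNET, LOCAL),
]
# After the fix as the reply describes it: private subnet -> port1 ENI in the public
# subnet's table, and 0.0.0.0/0 -> port2 ENI in the private subnet's table.
ROUTE_TABLES_AFTER = [
    _rt("rtb-0d0d0d0d0d0d0d0d1", PUBLIC_SUBNET, LOCAL, IGW,
        {"DestinationCidrBlock": PRIVATE_CIDR, "NetworkInterfaceId": FGT_PORT1_ENI}),
    _rt("rtb-0d0d0d0d0d0d0d0d2", PRIVATE_SUBNET, LOCAL,
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": FGT_PORT2_ENI}),
]
ENIS_DEFAULT = [{"NetworkInterfaceId": e, "SourceDestCheck": True} for e in (FGT_PORT1_ENI, FGT_PORT2_ENI)]
ENIS_FIXED = [{"NetworkInterfaceId": e, "SourceDestCheck": False} for e in (FGT_PORT1_ENI, FGT_PORT2_ENI)]

if __name__ == "__main__":
    for label, rts, enis in (("before", ROUTE_TABLES_BEFORE, ENIS_DEFAULT),
                             ("after", ROUTE_TABLES_AFTER, ENIS_FIXED)):
        print(label, check_vpc_routing(rts, enis) or "OK")
```

To run it against a real account, replace the constructed lists with `RouteTables` from `aws ec2 describe-route-tables` and `NetworkInterfaces` from `aws ec2 describe-network-interfaces`, and set the ENI, subnet and on-prem constants to the real values; a route table with no explicit subnet association is reported as missing here, whereas AWS would silently use the VPC main table, so check that table too.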
