Fortinet 201E v7.2.2 - Site to site VPN with AWS VPC - link-monitor problem - ping fails
Hi.
I am currently configuring Site to Site VPN using Amazon VPC tunnels to my Fortinet 201E Firewalls running v7.2.2.
The configuration involves 2 IPsec tunnels configured in AWS. I have attached the configuration below that AWS allows the user to download once they have created a Site to Site VPN.
Where the problem begins: in the configuration file the instructions ask the user to use gwdetect, which in later versions is link-monitor, which will allow me to switch from the primary IPsec tunnel to the secondary tunnel.
I have configured link-monitor using the guide https://docs.fortinet.com/document/fortigate/7.2.2/cli-reference/122620/config-system-link-monitor
However, I can get the link-monitor to ping out to any 10.X.X.X address but not the 169.X.X.X address in the AWS configuration. When I run the command diag sys link-monitor status on the Fortinet, the ping to the 169.X.X.X address is dead.
So I am asking for some help from someone with experience configuring Site to Site VPN using Amazon VPC to a Fortinet Firewall, please.
! Amazon Web Services
! Virtual Private Cloud
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID : vpn-05303c885396bac29
! Your Virtual Private Gateway ID :
! Your Customer Gateway ID : cgw-007a8df3aeee14552
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
Go to VPN --> IPSEC Tunnels --> Create New (drop down) --> Select IPSEC Tunnel
VPN Creation Wizard Window appears
Select Template Type as “Custom”
Provide a Name for the VPN connection (Name must be shorter than 15 chars, best if shorter than 12): vpn-05303c885396bac29-0
New VPN Tunnel Window Appears (Here we configure the VPN settings):
Under “Network” Section:
a. IP Version: IPv4
b. Remote Gateway: Static IP Address
c. IP address: 192.168.100.0
d. Local Interface: wan1
e. Local Gateway: Select Specify and enter WAN port IP (Public IP)
f. Dead Peer Detection: Enable by selecting On Idle/ On Demand
g. Authentication Method: Pre-shared Key
h. Pre-Shared Key: emirTvcMSAR8nOjrpbdHFIH6PegZeDJa
i. IKE Version: 2
Phase 1 Proposal:
j. Encryption: aes128
k. Authentication: sha1
l. DH group: 2 ! and deselect 5
m. Keylife: 28800 seconds
! NAT Traversal is enabled by default but if your FortiGate device is not behind a NAT/PAT device, please deselect NAT Traversal.
! --------------------------------------------------------------------------------
! #2: IPSec Configuration
Under Phase 2 Selectors --> New Phase 2
a. Name: vpn-05303c885396bac29-0
b. Local Address: LAN subnet behind FortiGate (or 0.0.0.0/0)
c. Remote Address: AWS Private Subnet (or 0.0.0.0/0)
Under Advanced
d. Encryption: aes128
e. Authentication: sha1
f. Select Enable Replay Detection
g. Select Perfect Forward Secrecy
h. DH Group: 2 ! and deselect 5
i. Keylife: 3600 seconds
j. Enable Auto-negotiate ! Autokey Keep Alive is enabled automatically when Auto-negotiate is enabled
k. Click Ok
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
! This is required in order for tunnel failover via gwdetect to function
!
! Perform this from the Global VDOM.
Go to Network Tab --> Interface --> wan1 and edit vpn-05303c885396bac29-0
a. IP : 169.254.84.154
b. Remote IP: 169.254.84.153/30
c. Select Ping
d. Administrative Status: Up
e. Select Ok.
!You can set MTU and MSS on the tunnel by performing this from the CLI:
config global
config system interface
edit "vpn-05303c885396bac29-0" ! This name will be the same as the VPN tunnel name
set mtu-override enable
set mtu 1427
set tcp-mss 1379
next
end
! --------------------------------------------------------------------------------
! #4 Static Route Configuration
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
!
! This is configured from the root VDOM
Go to Network Tab --> Static Routes --> Create New
a. Destination: Subnet (10.0.0.0/16)
b. Interface: vpn-05303c885396bac29-0 ! This is the VPN tunnel interface
c. Click Ok
! Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the
! tunnels, we would want to failover the traffic to the second tunnel. This is done by using "gwdetect" in fortigate.
! The gwdetect command will ping the other end of the tunnel, and check if the tunnel is up. If the pings fail, it will
! remove the static route from the routing table, and the second route in the table will become active.
!
! This can be done only using the CLI.
!
! The following config will tell the Fortigate device, what IP it should ping to test the tunnel. This IP should be
! the inside IP address of the virtual private gateway.
! This is required in order for tunnel failover via gwdetect to function. Additionally, this is required to keep the tunnel up, since
! traffic must be sent from your side of the VPN tunnel to prevent the tunnel from being taken down.
config vdom
edit root
config router gwdetect
edit 1
set interface "vpn-05303c885396bac29-0" ! This is the VPN tunnel interface
set server "169.254.84.153"
! server IP is the AWS inside IP
! Using the following commands, you can set the interval and failtime for gwdetect. Interval is the number of seconds
! between pings. Failtime is the number of lost consecutive pings. Using the respective values of 2 and 5, your tunnel
! will fail over in 10 seconds.
set interval 2
set failtime 5
next
end
! --------------------------------------------------------------------------------
! #5: Firewall Policy Configuration
! Create a firewall policy permitting traffic from your local subnet to the VPC subnet and vice versa
! This example policy permits all traffic from the local subnet to the VPC.
!
!This is configured from the root VDOM
Go to Policy & Object tab --> Firewall Policy --> Create New
a. Provide a Name for the Policy
b. Incoming Interface/Zone = internal ! This is the interface out which your local LAN resides
c. Source Address = all
d. Outgoing Interface/Zone = "vpn-05303c885396bac29-0" ! This is the VPN tunnel interface
e. Destination Address = all
f. Schedule = always
g. Service = ALL
h. Action = ACCEPT
i. Click OK
! NAT is enabled for the policy by default, you can disable it.
! Now create a policy to permit traffic going the other way
a. Create New
b. Provide a Name for the Policy
c. Incoming Interface/Zone = "vpn-05303c885396bac29-0" ! This is the VPN tunnel interface
d. Source Address = all
e. Outgoing Interface/Zone = internal ! This is the interface out which your local LAN resides
f. Destination Address = all
g. Schedule = always
h. Service = ALL
i. Action = ACCEPT
j. Click OK
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
Go to VPN --> IPSEC Tunnels --> Create New (drop down) --> Select IPSEC Tunnel
VPN Creation Wizard Window appears
Select Template Type as “Custom”
Provide a Name for the VPN connection (Name must be shorter than 15 chars, best if shorter than 12): vpn-05303c885396bac29-1
New VPN Tunnel Window Appears (Here we configure the VPN settings):
Under “Network” Section:
a. IP Version: IPv4
b. Remote Gateway: Static IP Address
c. IP address: 192.168.100.1
d. Local Interface: wan1
e. Local Gateway: Select Specify and enter WAN port IP (Public IP)
f. Dead Peer Detection: Enable by selecting On Idle/ On Demand
g. Authentication Method: Pre-shared Key
h. Pre-Shared Key: u7i6k8jsKxLaPN2yukR6MZvCVH2kVRGj
i. IKE Version: 2
Phase 1 Proposal:
j. Encryption: aes128
k. Authentication: sha1
l. DH group: 2 ! and deselect 5
m. Keylife: 28800 seconds
! NAT Traversal is enabled by default but if your FortiGate device is not behind a NAT/PAT device, please deselect NAT Traversal.
! --------------------------------------------------------------------------------
! #2: IPSec Configuration
Under Phase 2 Selectors --> New Phase 2
a. Name: vpn-05303c885396bac29-1
b. Local Address: LAN subnet behind FortiGate (or 0.0.0.0/0)
c. Remote Address: AWS Private Subnet (or 0.0.0.0/0)
Under Advanced
d. Encryption: aes128
e. Authentication: sha1
f. Select Enable Replay Detection
g. Select Perfect Forward Secrecy
h. DH Group: 2 ! and deselect 5
i. Keylife: 3600 seconds
j. Enable Auto-negotiate ! Autokey Keep Alive is enabled automatically when Auto-negotiate is enabled
k. Click Ok
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
! This is required in order for tunnel failover via gwdetect to function
!
! Perform this from the Global VDOM.
Go to Network Tab --> Interface --> wan1 and edit vpn-05303c885396bac29-1
a. IP : 169.254.96.78
b. Remote IP: 169.254.96.77/30
c. Select Ping
d. Administrative Status: Up
e. Select Ok.
!You can set MTU and MSS on the tunnel by performing this from the CLI:
config global
config system interface
edit "vpn-05303c885396bac29-1" ! This name will be the same as the VPN tunnel name
set mtu-override enable
set mtu 1427
set tcp-mss 1379
next
end
! --------------------------------------------------------------------------------
! #4 Static Route Configuration
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
!
! This is configured from the root VDOM
Go to Network Tab --> Static Routes --> Create New
a. Destination: Subnet (10.0.0.0/16)
b. Interface: vpn-05303c885396bac29-1 ! This is the VPN tunnel interface
c. Click Ok
! Static routing does not allow for failover of traffic between tunnels. If there is a problem with one of the
! tunnels, we would want to failover the traffic to the second tunnel. This is done by using "gwdetect" in fortigate.
! The gwdetect command will ping the other end of the tunnel, and check if the tunnel is up. If the pings fail, it will
! remove the static route from the routing table, and the second route in the table will become active.
!
! This can be done only using the CLI.
!
! The following config will tell the Fortigate device, what IP it should ping to test the tunnel. This IP should be
! the inside IP address of the virtual private gateway.
! This is required in order for tunnel failover via gwdetect to function. Additionally, this is required to keep the tunnel up, since
! traffic must be sent from your side of the VPN tunnel to prevent the tunnel from being taken down.
config vdom
edit root
config router gwdetect
edit 2
set interface "vpn-05303c885396bac29-1" ! This is the VPN tunnel interface
set server "169.254.96.77"
! server IP is the AWS inside IP
! Using the following commands, you can set the interval and failtime for gwdetect. Interval is the number of seconds
! between pings. Failtime is the number of lost consecutive pings. Using the respective values of 2 and 5, your tunnel
! will fail over in 10 seconds.
set interval 2
set failtime 5
next
end
! --------------------------------------------------------------------------------
! #5: Firewall Policy Configuration
! Create a firewall policy permitting traffic from your local subnet to the VPC subnet and vice versa
! This example policy permits all traffic from the local subnet to the VPC.
!
!This is configured from the root VDOM
Go to Policy & Object tab --> Firewall Policy --> Create New
a. Provide a Name for the Policy
b. Incoming Interface/Zone = internal ! This is the interface out which your local LAN resides
c. Source Address = all
d. Outgoing Interface/Zone = "vpn-05303c885396bac29-1" ! This is the VPN tunnel interface
e. Destination Address = all
f. Schedule = always
g. Service = ALL
h. Action = ACCEPT
i. Click OK
! NAT is enabled for the policy by default, you can disable it.
! Now create a policy to permit traffic going the other way
a. Create New
b. Provide a Name for the Policy
c. Incoming Interface/Zone = "vpn-05303c885396bac29-1" ! This is the VPN tunnel interface
d. Source Address = all
e. Outgoing Interface/Zone = internal ! This is the interface out which your local LAN resides
f. Destination Address = all
g. Schedule = always
h. Service = ALL
i. Action = ACCEPT
j. Click OK
! Additional Notes and Questions
! - Amazon Virtual Private Cloud Getting Started Guide:
! http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
! - Amazon Virtual Private Cloud Network Administrator Guide:
! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
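The AWS template above still describes failover with "config router gwdetect", which FortiOS 7.2 no longer has; the equivalent is "config system link-monitor" with update-static-route enabled, which withdraws the static routes bound to the monitored tunnel interface when the probe fails. The following is an added example, not part of the AWS template or of the original post, translating the two gwdetect stanzas into 7.2 syntax. It assumes the VDOM "root", the tunnel names and 169.254.x.x inside addresses from the template, the 10.0.0.0/16 VPC prefix the template uses as its example, and the link-monitor names "aws-tun0"/"aws-tun1" and static-route entries 10/11 (all chosen here; the interface output posted later in the thread shows the poster's tunnel actually lives in VDOM "Vdom1", so substitute the real VDOM and names). Two details differ from gwdetect: link-monitor's interval is in milliseconds, so the template's 2-second interval becomes 2000, and "set source-ip" pins the probe to the tunnel's own inside address so the ICMP reply is addressed to an IP that the tunnel interface and its phase 2 selectors cover.

```fortios
# Added example (FortiOS 7.2): link-monitor replacement for the AWS template's
# "config router gwdetect". Assumptions not taken from the page: VDOM "root",
# link-monitor names aws-tun0/aws-tun1, static route entries 10 and 11.
config vdom
edit root

# One route to the VPC per tunnel, same distance so both are installed.
# Lower priority value wins while both monitors report the peer alive.
config router static
    edit 10
        set dst 10.0.0.0/16
        set device "vpn-05303c885396bac29-0"
        set distance 10
        set priority 10
        set comment "AWS VPC via tunnel 0 (preferred)"
    next
    edit 11
        set dst 10.0.0.0/16
        set device "vpn-05303c885396bac29-1"
        set distance 10
        set priority 20
        set comment "AWS VPC via tunnel 1 (backup)"
    next
end

# Probe the AWS inside address of each tunnel, sourced from our inside address.
# interval is in milliseconds: 2000 ms x failtime 5 = ~10 s to declare failure,
# matching the template's gwdetect values of 2 s and 5.
config system link-monitor
    edit "aws-tun0"
        set srcintf "vpn-05303c885396bac29-0"
        set server "169.254.84.153"
        set protocol ping
        set source-ip 169.254.84.154
        set interval 2000
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set status enable
    next
    edit "aws-tun1"
        set srcintf "vpn-05303c885396bac29-1"
        set server "169.254.96.77"
        set protocol ping
        set source-ip 169.254.96.78
        set interval 2000
        set failtime 5
        set recoverytime 5
        set update-static-route enable
        set status enable
    next
end

end
```

After applying this, "diagnose sys link-monitor status" should list both 169.254.x.x servers as alive; "diagnose vpn tunnel list name vpn-05303c885396bac29-0" shows the negotiated proxy IDs (phase 2 selectors), which must include the 169.254.84.152/30 link so the probe and its reply are carried inside the SA rather than being routed out in the clear; and "get router info routing-table all" should show 10.0.0.0/16 via tunnel 0, switching to tunnel 1 once the aws-tun0 monitor fails. Separately, the two pre-shared keys in the pasted template are now public and should be regenerated on the AWS side and on both tunnels.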
Can you post output of:
show system interface vpn-05303c885396bac29-0
Graham
Created on 01-09-2023 06:01 AM Edited on 01-09-2023 06:02 AM
Hi @gfleming, as requested:

config system interface
    edit "vpn-05303c885396bac29-0"
        set vdom "Vdom1"
        set ip 169.254.84.154 255.255.255.255
        set allowaccess ping
        set type tunnel
        set tcp-mss 1379
        set remote-ip 169.254.84.153 255.255.255.252
        set snmp-index 56
        set mtu-override enable
        set mtu 1427
        set interface "port10"
    next
end
Are you using 0.0.0.0/0 for your phase 2 selector as per the downloaded config? Just making sure 169.254.X.X is definitely included in the phase 2 selectors.
Next I would look at doing a debug flow to see what the FW is doing.
diagnose debug enable
diagnose debug flow filter daddr 169.254.X.X (Remote tunnel IP)
diagnose debug flow trace start 1
execute ping 169.254.X.X (Remote tunnel IP)
Graham
