stylezz
New Contributor

IPsec VPN from FortiGate to AWS

Hello,


I'm trying to set up a site-to-site VPN with an AWS VPC from a FortiGate 60D running FortiOS 5.4.

I've downloaded the VPN CLI config from AWS and entered it into the FortiGate to set up IPsec, static routes and firewall policies.

The tunnel shows as UP on the FortiGate and in AWS, but when I try to ping (or RDP) an instance in the remote (AWS) subnet it fails.

I've tried with and without NAT but the result stays the same.

Traceroute doesn't get beyond the FortiGate gateway IP, so I would guess there's still something in the firewall that's blocking it.

I do see the traceroute and pings hit the VPN firewall policy.


The config is pretty straightforward:


config vpn ipsec phase1-interface
 edit "vpn-021ef34682e48cc4f-0"
  set interface "wan1"
  set dpd enable
  set local-gw 1.2.3.4
  set dhgrp 2
  set proposal aes128-sha1
  set keylife 28800
  set remote-gw 4.3.2.1
  set psksecret sekret
  set dpd-retryinterval 10
 next
end

config vpn ipsec phase2-interface
 edit "vpn-021ef34682e48cc4f-0"
  set phase1name "vpn-021ef34682e48cc4f-0"
  set proposal aes128-sha1
  set dhgrp 2
  set pfs enable
  set keylifeseconds 3600
 next
end

config system interface
 edit "vpn-021ef34682e48cc4f-0"
  set vdom "root"
  set ip 169.254.41.58 255.255.255.255
  set allowaccess ping
  set type tunnel
  set tcp-mss 1379
  set remote-ip 169.254.41.57
  set interface "wan1"
 next
end

config router static
 edit 4
  set device "vpn-021ef34682e48cc4f-0"
  set dst 10.0.0.0 255.255.0.0
 next
end

config firewall policy
 edit 5
  set srcintf "vpn-021ef34682e48cc4f-0"
  set dstintf "internal"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
 next
end

config firewall policy
 edit 6
  set srcintf "internal"
  set dstintf "vpn-021ef34682e48cc4f-0"
  set srcaddr "all"
  set dstaddr "all"
  set action accept
  set schedule "always"
  set service "ALL"
 next
end


Anyone who could point me in the right direction?


Thank you in advance.

emnoc
Esteemed Contributor III

Yes, the CLI command diag debug flow would be my first start. Run that diagnostic with the correct filters.

Validate phase2 is established.

Validate any security group on AWS.

Ken

PCNSE 

NSE 

StrongSwan  

stylezz
New Contributor

I've run a diagnose, which gives the following result:


ike 0:S2S_DC_AWS:S2S_DC_AWS: IPsec SA connect 5 10.4.7.1->35.156.255.25:4500
ike 0:S2S_DC_AWS:S2S_DC_AWS: using existing connection
ike 0:S2S_DC_AWS:S2S_DC_AWS: config found
ike 0:S2S_DC_AWS:S2S_DC_AWS: IPsec SA connect 5 10.4.7.1->35.156.255.25:4500 negotiating
ike 0:S2S_DC_AWS:24: cookie 8865d6e563561b87/9c15610088390cba:a387a183
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: natt flags 0x17, encmode 1->3
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0->0:0.0.0.0/0.0.0.0:0:0
ike 0:S2S_DC_AWS:24: sent IKE msg (quick_i1send): 10.4.7.1:4500->35.156.255.25:4500, len=300, id=8865d6e563561b87/9c15610088390cba:a387a183
ike 0: comes 35.156.255.25:4500->10.4.7.1:4500,ifindex=5....
ike 0: IKEv1 exchange=Quick id=8865d6e563561b87/9c15610088390cba:a387a183 len=300
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: responder selectors 0:0.0.0.0/0.0.0.0:0->0:0.0.0.0/0.0.0.0:0
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: my proposal:
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: proposal id = 1:
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: protocol id = IPSEC_ESP:
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: PFS DH group = 2
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: type = AUTH_ALG, val=SHA1
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: incoming proposal:
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: proposal id = 1:
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: protocol id = IPSEC_ESP:
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: PFS DH group = 2
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: trans_id = ESP_AES_CBC (key_len = 128)
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL_RFC3947
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: type = AUTH_ALG, val=SHA1
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: replay protection enabled
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: SA life soft seconds=3549.
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: SA life hard seconds=3600.
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: IPsec SA selectors #src=1 #dst=1
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: src 0 4 0:0.0.0.0/0.0.0.0:0
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: dst 0 4 0:0.0.0.0/0.0.0.0:0
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: add IPsec SA: SPIs=be559613/a9a8ea51
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: IPsec SA dec spi be559613 key 16:6490B8B66C9DDAB0E3626D4B4119A353 auth 20:6E516E3BF45633F3FBED12A25C67963F547F0061
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: IPsec SA enc spi a9a8ea51 key 16:523740CB413F18704C62F22EA3C437A2 auth 20:ADF01B8F781A2EFCFEA59CE8333EA551BFFBCF69
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: added IPsec SA: SPIs=be559613/a9a8ea51
ike 0:S2S_DC_AWS:24:S2S_DC_AWS:9808: sending SNMP tunnel UP trap
ike 0:S2S_DC_AWS:24: sent IKE msg (quick_i2send): 10.4.7.1:4500->35.156.255.25:4500, len=60, id=8865d6e563561b87/9c15610088390cba:a387a183
ike shrank heap by 122880 bytes
ike 0: comes 35.156.255.25:4500->10.4.7.1:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=8865d6e563561b87/9c15610088390cba:88a456c8 len=92
ike 0:S2S_DC_AWS:24: notify msg received: R-U-THERE
ike 0:S2S_DC_AWS:24: sent IKE msg (R-U-THERE-ACK): 10.4.7.1:4500->35.156.255.25:4500, len=92, id=8865d6e563561b87/9c15610088390cba:c1fbfec9
ike 0: comes 35.156.255.25:4500->10.4.7.1:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=8865d6e563561b87/9c15610088390cba:4569a13b len=92
ike 0:S2S_DC_AWS:24: notify msg received: R-U-THERE
ike 0:S2S_DC_AWS:24: sent IKE msg (R-U-THERE-ACK): 10.4.7.1:4500->35.156.255.25:4500, len=92, id=8865d6e563561b87/9c15610088390cba:529b48e3
ike 0: comes 35.156.255.25:4500->10.4.7.1:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=8865d6e563561b87/9c15610088390cba:09be9cf6 len=92
ike 0:S2S_DC_AWS:24: notify msg received: R-U-THERE
ike 0:S2S_DC_AWS:24: sent IKE msg (R-U-THERE-ACK): 10.4.7.1:4500->35.156.255.25:4500, len=92, id=8865d6e563561b87/9c15610088390cba:8c5a8be4
ike 0: comes 35.156.255.25:4500->10.4.7.1:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=8865d6e563561b87/9c15610088390cba:f9096347 len=92
ike 0:S2S_DC_AWS:24: notify msg received: R-U-THERE
ike 0:S2S_DC_AWS:24: sent IKE msg (R-U-THERE-ACK): 10.4.7.1:4500->35.156.255.25:4500, len=92, id=8865d6e563561b87/9c15610088390cba:0fc0e355
ike 0: comes 35.156.255.25:4500->10.4.7.1:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=8865d6e563561b87/9c15610088390cba:a6814c3b len=92
ike 0:S2S_DC_AWS:24: notify msg received: R-U-THERE
ike 0:S2S_DC_AWS:24: sent IKE msg (R-U-THERE-ACK): 10.4.7.1:4500->35.156.255.25:4500, len=92, id=8865d6e563561b87/9c15610088390cba:3a707c35
diag debug disable

FGT60D4614074516 #


I don't see anything wrong in there; to me it looks like phase 1 and phase 2 are coming up without problems.

I've checked the security groups on AWS as well as the routing tables, but they are all set up properly.


Anything else I can check?

stylezz
New Contributor

I found the problem: AWS needs the routes to the remote address AND their internal CIDR IPs in the route table associated with the VPC.


You can do this in the VPC dashboard > Route Tables > [Route table attached to your VPC] > Routes tab.

Here you can add the required routes with your Virtual Private Gateway as the target.


On a side note, you can also go to VPC dashboard > Route Tables > [Route table attached to your VPC] > Route Propagation tab and enable route propagation, to try and let AWS propagate the route table for you from your defined static routes.
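As an added example (not from this thread, AWS or Fortinet), the Python below checks a VPC route table, in the shape boto3's describe_route_tables returns, for the return route this fix adds and lists the AWS CLI equivalents of the console steps; the on-prem CIDR, route-table id and VGW id are constructed placeholders, and the 10.0.0.0/16 VPC CIDR is the one in the FortiGate static route above.

```python
import ipaddress

ONPREM_CIDR = "192.168.10.0/24"  # assumed LAN behind the FortiGate (not from the thread)
VGW_ID = "vgw-EXAMPLE"           # placeholder Virtual Private Gateway id

# Constructed table in the shape of ec2.describe_route_tables()['RouteTables'][0]:
# the usual "tunnel is UP but nothing answers" state, only local and internet routes.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-EXAMPLE",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
    ],
    "PropagatingVgws": [],
}

def best_route(route_table, onprem_cidr):
    """Longest-prefix match over the table's IPv4 routes, as the VPC router does."""
    onprem = ipaddress.ip_network(onprem_cidr)
    best = None
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr:
            continue  # IPv6 or prefix-list entries are irrelevant here
        net = ipaddress.ip_network(cidr)
        if onprem.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best

def return_route_status(route_table, onprem_cidr=ONPREM_CIDR, vgw_id=VGW_ID):
    """'ok', 'blackhole', 'wrong-target' (replies go elsewhere, e.g. the IGW) or 'missing'."""
    best = best_route(route_table, onprem_cidr)
    if best is None:
        return "missing"
    if best[1].get("GatewayId") != vgw_id:
        return "wrong-target"
    return "ok" if best[1].get("State") == "active" else "blackhole"

def suggested_fix(route_table, onprem_cidr=ONPREM_CIDR, vgw_id=VGW_ID):
    """AWS CLI equivalents of the console steps in the thread: add the route, enable propagation."""
    status = return_route_status(route_table, onprem_cidr, vgw_id)
    if status == "ok":
        return []
    rtb = route_table["RouteTableId"]
    if status == "blackhole":
        return [f"# {onprem_cidr} already points at {vgw_id} but is blackholed: check the VGW is attached"]
    # create-route rejects a CIDR that already exists; use replace-route in that case
    return [f"aws ec2 create-route --route-table-id {rtb} --destination-cidr-block {onprem_cidr} --gateway-id {vgw_id}",
            f"aws ec2 enable-vgw-route-propagation --route-table-id {rtb} --gateway-id {vgw_id}"]
```

On the sample table the most specific match for the on-prem prefix is the 0.0.0.0/0 route to the internet gateway, which is why the tunnel is up yet replies never come back.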


emnoc
Esteemed Contributor III

Good, glad it all worked out for you.

PCNSE 

NSE 

StrongSwan  
