theboogy
2018/02/22 10:06:40 (permalink)

AWS Ipsec Tunnels

Hello! I would really appreciate your help regarding this issue that I am having with AWS IPSEC tunnels over a Fortigate.
 
Scenario:
 
Currently I have a working Fortigate (F60D) with 2 tunnels to an AWS VPC, to servers that reside at 192.168.0.0, on one internet provider (ISP1).
Now I have added a second internet provider (ISP2) and a new Fortigate (F70D) with a static IP that is connected to a gateway on a point-to-point line to get to the internet through ISP2.
I would like to COPY the already existing tunnels (from ISP1) onto the new Fortigate (ISP2) that I have (to be used in tandem or as backup), so I created a new virtual gateway on Amazon (AWS) and attached the gateway with the routes.
The problem: the tunnels do show as "UP" on the Fortigate (ISP2), but I can't reach the AWS servers.
I have triple-checked the configuration given by AWS and how it is added on the Fortigate and can't figure out what is wrong. I also checked the configuration on the AWS VPC dashboard and everything seems OK there.

When debugging the issue with the packet sniffer,
our Fortigate on ISP2 sends a lot of these:
Y.Y.Y.Y.4500 -> YY.YY.YY.YY.4500: udp
X.X.X.X.4500 -> XX.XX.XX.XX.4500: udp
with no incoming <- traffic.
 
When diagnosing the IKE tunnel:
 
ike 0:vpn-XXYYXX:40: sent IKE msg (R-U-THERE): Y.Y.Y.Y:4500->Y.Y.YY.Y:4500, len=92, id=7411eb41bcdcd6c6/c1c4a89301b83808:abaf846b
ike 0: comes Y.Y.Y.Y.4500 -> YY.YY.YY.YY.4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=7411eb41bcdcd6c6/c1c4a89301b83808:5895800a len=92
ike 0: in 7411EB41BCDCD6C6C1C4A89301B83808081005015895800A0000005C7E4DE7BC501E142CABAEB9DD700318D6499281D1C66BBDB7AE81DAB4A3B3B4CE0E47CA847929F027244B122CD4AC53B222DD67E58FE25C9A2A4A59ABDC19D261
ike 0:vpn-XXYYXX:40: dec 7411EB41BCDCD6C6C1C4A89301B83808081005015895800A0000005C0B0000184B2D55F5B934FA50B4369B01C1BB74D8F9E6B637000000200000000101108D287411EB41BCDCD6C6C1C4A89301B8380800006FE30000000000000000
ike 0:vpn-XXYYXX:40: notify msg received: R-U-THERE
ike 0:vpn-XXYYXX:40: enc 7411EB41BCDCD6C6C1C4A89301B83808081005010C1144E9000000540B000018ACA5F8B74A1CA2BF70D4CA5F3F450EA04969E887000000200000000101108D297411EB41BCDCD6C6C1C4A89301B8380800006FE3
ike 0:vpn-XXYYXX:40: out 7411EB41BCDCD6C6C1C4A89301B83808081005010C1144E90000005C21C13C13A3569F3812FBF1AA3AAE5FAC2251F917D90FCEA2A275A9FDD81A63EC8234F65D6634F18120080318A56BBA5F0D474C717E825046845F67FB2A156E5E
ike 0:vpn-XXYYXX:40: sent IKE msg (R-U-THERE-ACK): X.X.X.X.4500 -> XX.XX.XX.XX.4500:, len=92, id=7411eb41bcdcd6c6/c1c4a89301b83808:0c1144e9
ike 0: comes X.X.X.X.4500 -> XX.XX.XX.XX.4500:,ifindex=5....
ike 0: IKEv1 exchange=Informational id=7411eb41bcdcd6c6/c1c4a89301b83808:9af2b73d len=92
ike 0: in 7411EB41BCDCD6C6C1C4A89301B83808081005019AF2B73D0000005C2D64365E03A12A2979388AEB9C15B56C258BCD7FCF2B8FD5D1066F0C1B2306A649B17AB60E5BA7F59085EB0EA38D98B897065E5389DC190A201F5532AE2C20CB
ike 0:vpn-XXYYXX:40: dec 7411EB41BCDCD6C6C1C4A89301B83808081005019AF2B73D0000005C0B0000188E21C5E607CC160B529713DA99EDE30FFE838A55000000200000000101108D297411EB41BCDCD6C6C1C4A89301B83808000000540000000000000000
ike 0:vpn-XXYYXX:40: notify msg received: R-U-THERE-ACK

I would really appreciate it if anyone could give me any insight into the above issues.
#1
emnoc
Re: AWS Ipsec Tunnels 2018/02/22 10:36:25 (permalink)
CLI cmds are your friend.
 
check for IKE SA
 
diag vpn ike gateway list
 
check for Phase2 SA (should be two uni-directional ones)
 
diag vpn tunnel list
 
Check for traffic flow
 
 
diag debug flow
 
Do the above in the above order. If you have no IKE SAs, diagnose why (PSK mismatch, IKE version#, proposal, left/right gateway incorrect).
 
If you have no Phase2-SAs (again, proposals).
 
If you have no traffic matching any fwpolicy (route(s), fwpolicy(s), etc....)
 
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
http://socpuppet.blogspot.com/2014/02/dual-vpc-terminate-on-fortigate-firewall.html
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#2
Toshi Esumi
Re: AWS Ipsec Tunnels 2018/02/22 11:08:39 (permalink)
Your tunnel is up, and there are two-way exchanges for DPD (R-U-THERE, R-U-THERE-ACK) in the IKE debugging.
Check traffic selectors and policies as emnoc said, and make sure the necessary routes are there toward the tunnel on both ends. Then run the flow debug as in emnoc's comment while you send packets toward the tunnel.
#3
theboogy
Re: AWS Ipsec Tunnels 2018/02/25 04:39:22 (permalink)
Hi,
Thanks for your reply :)
 
I've done the above steps.
 
In diag debug flow I do not see anything.
 
In diag vpn tunnel list I see this:
 
name=vpn-XXXX-1 ver=1 serial=8 IP.IP.IP.IP:0->IP.IP.IP.IP:0 lgwy=static tun=intf mode=auto bound_if=5
proxyid_num=1 child_num=0 refcnt=6 ilast=3 olast=3
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=active on=1 idle=10000ms retry=3 count=0 seqno=12574
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vpn-XXXX-1 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=0000000e type=00 soft=0 mtu=1358 expire=957/0B replaywin=1024 seqno=1
life: type=01 bytes=0/0 timeout=3551/3600
dec: spi=3b37a701 esp=aes key=16 123456
ah=sha1 key=20 1234565
enc: spi=917ca6d6 esp=aes key=16 123456
ah=sha1 key=20 123456
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=IP.IP.IP.IP npu_lgwy=IP.IP.IP.IP npu_selid=7 dec_npuid=0 enc_npuid=0
 
 
And as I mentioned before, I see these DPD messages R-U-THERE, R-U-THERE-ACK.
 
Please advise me on this matter :-(
 
Thanks
#4
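The two `diag vpn tunnel list` checks emnoc lists (is there a Phase2 SA, is any traffic entering the tunnel) can be read off the output theboogy posted. The following is an added example, not code from the thread or from Fortinet: a small parser for that output format plus a triage function that applies emnoc's order of checks. The sample output is constructed from the format shown in the thread, with placeholder addresses.

```python
import re

# Constructed sample, modelled on the `diag vpn tunnel list` output posted in the thread:
# tunnel up, one Phase2 SA, DPD active, and zero packets in either direction.
SAMPLE = """name=vpn-example-1 ver=1 serial=8 203.0.113.10:0->198.51.100.20:0 lgwy=static tun=intf mode=auto bound_if=5
proxyid_num=1 child_num=0 refcnt=6 ilast=3 olast=3
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=active on=1 idle=10000ms retry=3 count=0 seqno=12574
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vpn-example-1 proto=0 sa=1 ref=2 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=0000000e type=00 soft=0 mtu=1358 expire=957/0B replaywin=1024 seqno=1
"""

KV = re.compile(r"(\w+)=(\S+)")  # key=value tokens used throughout the output


def parse_tunnel_list(text):
    """Split the output into tunnels; keep counters, DPD/NAT-T state and Phase2 entries."""
    tunnels, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("name="):                      # start of a new tunnel record
            cur = {"phase2": [], **dict(KV.findall(line))}
            tunnels.append(cur)
        elif cur is None:
            continue
        elif line.split(":")[0] in ("stat", "dpd", "natt"):
            cur[line.split(":")[0]] = dict(KV.findall(line))
        elif line.startswith("proxyid="):                 # one Phase2 selector pair per proxyid
            cur["phase2"].append(dict(KV.findall(line)))
        elif line[:3] in ("src", "dst") and cur["phase2"]:
            cur["phase2"][-1][line[:3]] = line.split(":", 1)[1].strip()
    return tunnels


def triage(tunnel):
    """Apply emnoc's order: Phase2 SAs first, then whether traffic actually enters the tunnel."""
    findings = []
    if not any(int(p.get("sa", 0)) > 0 for p in tunnel["phase2"]):
        findings.append("no Phase2 SA: check Phase2 proposals and selectors on both ends")
    stat = tunnel.get("stat", {})
    txp, rxp = int(stat.get("txp", 0)), int(stat.get("rxp", 0))
    if txp == 0:
        findings.append("txp=0: nothing is routed into the tunnel (check routes and fwpolicy)")
    elif rxp == 0:
        findings.append("rxp=0: traffic leaves but nothing returns (check remote routes/selectors)")
    if tunnel.get("dpd", {}).get("count", "0") != "0":
        findings.append("DPD retries pending: the peer is not answering R-U-THERE")
    return findings
```

Run `triage(t)` for each `t` in `parse_tunnel_list(output)`; on the sample it reports only the `txp=0` finding, which is the situation in the thread (Phase2 SA present, no traffic entering the tunnel).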
santhosh.balu
Re: AWS Ipsec Tunnels 2018/11/08 07:04:28 (permalink)
Hi,
 
Are both the tunnels up on ISP 1 and ISP 2?
Could you get the below output?
 
dia vpn tunnel list 
get router info routing-table database 
 
Regards
Santhosh
#5