Helpful ReplyHot!AWS Ipsec Tunnels

New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/02/22 10:04:36
  • Status: offline
2018/02/22 10:06:40 (permalink)

AWS Ipsec Tunnels

Hello! I would really appreciate your help regarding this issue that I am having with AWS IPSEC tunnels over a Fortigate.
Currently I have a working Fortigate (F60D) with 2 tunnels to AWS VPC to servers that resides at on one internet provider (ISP1)
Now, I added second internet provider(ISP2) and a new Fortigate (F70D) with static IP that is connected to a gateway on a point to point line to get to the internet through ISP2.
I would like to COPY the already existing tunnels (from ISP1) onto the new Fortigate(ISP2) that I have (to be used in tandem or as backup), so I created a new virtual gateway on amazon (AWS) and attached the gateway with the routes.
The problem: The tunnels do show as "UP" on the fortigate (ISP2) but I cant reach the AWS servers.
I have triple checked the configuration given from AWS and how it is added on the fortigate and cant figure out what is wrong. Also checked the configurations on AWS VPC dashboard and everything seems ok there.

When debbugging the issue with packet sniffer
our fortigate on ISP2 sends alot of these:
Y.Y.Y.Y.4500 -> YY.YY.YY.YY.4500: udp
X.X.X.X.4500 -> XX.XX.XX.XX.4500: udp
With no incoming <-
When diagnosing the ike tunnel
ike 0:vpn-XXYYXX:40: sent IKE msg (R-U-THERE): Y.Y.Y.Y:4500->Y.Y.YY.Y:4500, len=92, id=7411eb41bcdcd6c6/c1c4a89301b83808:abaf846b
ike 0: comes Y.Y.Y.Y.4500 -> YY.YY.YY.YY.4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=7411eb41bcdcd6c6/c1c4a89301b83808:5895800a len=92
ike 0: in 7411EB41BCDCD6C6C1C4A89301B83808081005015895800A0000005C7E4DE7BC501E142CABAEB9DD700318D6499281D1C66BBDB7AE81DAB4A3B3B4CE0E47CA847929F027244B122CD4AC53B222DD67E58FE25C9A2A4A59ABDC19D261
ike 0:vpn-XXYYXX:40: dec 7411EB41BCDCD6C6C1C4A89301B83808081005015895800A0000005C0B0000184B2D55F5B934FA50B4369B01C1BB74D8F9E6B637000000200000000101108D287411EB41BCDCD6C6C1C4A89301B8380800006FE30000000000000000
ike 0:vpn-XXYYXX:40: notify msg received: R-U-THERE
ike 0:vpn-XXYYXX:40: enc 7411EB41BCDCD6C6C1C4A89301B83808081005010C1144E9000000540B000018ACA5F8B74A1CA2BF70D4CA5F3F450EA04969E887000000200000000101108D297411EB41BCDCD6C6C1C4A89301B8380800006FE3
ike 0:vpn-XXYYXX:40: out 7411EB41BCDCD6C6C1C4A89301B83808081005010C1144E90000005C21C13C13A3569F3812FBF1AA3AAE5FAC2251F917D90FCEA2A275A9FDD81A63EC8234F65D6634F18120080318A56BBA5F0D474C717E825046845F67FB2A156E5E
ike 0:vpn-XXYYXX:40: sent IKE msg (R-U-THERE-ACK): X.X.X.X.4500 -> XX.XX.XX.XX.4500:, len=92, id=7411eb41bcdcd6c6/c1c4a89301b83808:0c1144e9
ike 0: comes X.X.X.X.4500 -> XX.XX.XX.XX.4500:,ifindex=5....
ike 0: IKEv1 exchange=Informational id=7411eb41bcdcd6c6/c1c4a89301b83808:9af2b73d len=92
ike 0: in 7411EB41BCDCD6C6C1C4A89301B83808081005019AF2B73D0000005C2D64365E03A12A2979388AEB9C15B56C258BCD7FCF2B8FD5D1066F0C1B2306A649B17AB60E5BA7F59085EB0EA38D98B897065E5389DC190A201F5532AE2C20CB
ike 0:vpn-XXYYXX:40: dec 7411EB41BCDCD6C6C1C4A89301B83808081005019AF2B73D0000005C0B0000188E21C5E607CC160B529713DA99EDE30FFE838A55000000200000000101108D297411EB41BCDCD6C6C1C4A89301B83808000000540000000000000000
ike 0:vpn-XXYYXX:40: notify msg received: R-U-THERE-ACK

I would really appreciate if anyone could give me any insight into the above issues.
Expert Member
  • Total Posts : 5159
  • Scores: 333
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: AWS Ipsec Tunnels 2018/02/22 10:36:25 (permalink) ☄ Helpfulby M_K 2018/03/26 08:15:25
cli cmds are your friend
check for IKE SA
diag vpn ike gateway list
check for  Phase2 SA ( should be two uni-directional ones )
diag vpn tunnel list
Check for traffic flow
diag debug  flow
Do the above in the above order, if you have no IKE SAs,  diagnose why (  PSK mismatch , IKEversion# ,  proposal , left/right gateway incorrect )
If you have no  Phase2-SAs ( again proposals )
If you have no traffic matching any fwpolicy ( route(s),  fwpolicy(s),etc....)

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
Toshi Esumi
Expert Member
  • Total Posts : 1537
  • Scores: 131
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: AWS Ipsec Tunnels 2018/02/22 11:08:39 (permalink)
Your tunnel is up, and two way exachanges for DPD (R-U-THERE, R-U-THERE-ACK) in ike debugging.
Check traffic selectors and policies as emnoc said, and make sure necessary routes are there toward the tunnel on both ends. Then run flow debug as in emnoc's comment when you send packets toward the tunnel.
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/02/22 10:04:36
  • Status: offline
Re: AWS Ipsec Tunnels 2018/02/25 04:39:22 (permalink)
Thanks for your reply :)
I've done above steps,
In diag debug flow I do not see anything
In Diag vpn tunnel list I see this:
name=vpn-XXXX-1 ver=1 serial=8 IP.IP.IP.IP:0->IP.IP.IP.IP:0 lgwy=static tun=intf mode=auto bound_if=5
proxyid_num=1 child_num=0 refcnt=6 ilast=3 olast=3
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=active on=1 idle=10000ms retry=3 count=0 seqno=12574
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vpn-XXXX-1 proto=0 sa=1 ref=2 serial=1
src: 0:
dst: 0:
SA: ref=3 options=0000000e type=00 soft=0 mtu=1358 expire=957/0B replaywin=1024 seqno=1
life: type=01 bytes=0/0 timeout=3551/3600
dec: spi=3b37a701 esp=aes key=16 123456
ah=sha1 key=20 1234565
enc: spi=917ca6d6 esp=aes key=16 123456
ah=sha1 key=20 123456
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=IP.IP.IP.IP npu_lgwy=IP.IP.IP.IP npu_selid=7 dec_npuid=0 enc_npuid=0
and as I mentioned before I see these DPD messages R-U-There, R-U-There-ACK
Please advice me on this matter :-(
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/01/27 02:25:48
  • Status: offline
Re: AWS Ipsec Tunnels 2018/11/08 07:04:28 (permalink)
Hi ,
are both the tunnels are up in ISP 1 and ISP 2 .
Could you get this below output .
dia vpn tunnel list 
get router info routing-table database 
Jump to:
© 2019 APG vNext Commercial Version 5.5