- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Site to Site VPN to AWS VPC
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Site to Site VPN to AWS VPC
I have a site to site VPN setup from Fortigate 200D too AWS VPC. The tunnels are up and active but I cannot seem to get the routing correct.
We are wanting all non-local traffic to go through the VPN tunnel to AWS. No matter what change I make traffice goes out the wan!. I stand corrected if I edit the static default route to use the VPN interface instead of the WAN ports the tunnels go down.
next
edit "AWS VPN"
set vdom "VDOM-A"
set ip 169.254.47.154 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.47.153
set snmp-index 19
set interface "port1"
next
edit "AWS VPN 2"
set vdom "VDOM-A"
set ip 169.254.45.246 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.45.245
set snmp-index 20
set interface "port1"
next
My Tunnels are setup as follow
config vpn ipsec phase1-interface
edit "AWS VPN"
set interface "port1"
set keylife 28800
set peertype any
set proposal aes128-sha1
set dhgrp 2
set remote-gw 3.85.156.247
set psksecret ENC PJpv/i53ceAXe8BOYrILtfAH6YVwgswMbckKMF/h7QnySTOBFi0dE0TSmZXZM03PG/tKjvFiPKRcwDJprN7SAvpmXWMbRw6ct0kvYISQ/dB3MANTpCnM0tU7k+y1WqsxRoYT5ytMHKVQN4zPgl81PdApw3lLCBs3JTtiUXQveRBMHgZHsy3A29l6VaZA8KnJfg+tYw==
next
edit "AWS VPN 2"
set interface "port1"
set keylife 28800
set peertype any
set proposal aes128-sha1
set dhgrp 2
set nattraversal disable
set remote-gw 34.204.21.180
set psksecret ENC 9u9RClwiMZOKCxraZHByC00S8HqmmxVhpspElSwGahDAWa9x7LwA4vcF0lOiYA/ClXoK6on9WlOHX19nqTQwbnnOdHcZd/0dVSu50F2dv8T1VXcrEgYDpE8cciOJThDU9UrgpjWbt9ImUohC2qNfpHmyk/sztTpagRQ+JCzWSOe5nreayJOPHaYsnTbIq+4DcxxaQA==
next
config vpn ipsec phase2-interface
edit "AWS VPN"
set phase1name "AWS VPN"
set proposal aes128-sha1
set dhgrp 2
set keepalive enable
set keylifeseconds 3600
set src-subnet 10.41.5.0 255.255.255.0
set dst-subnet 10.99.10.0 255.255.255.0
next
edit "AWS VPN 2"
set phase1name "AWS VPN 2"
set proposal aes128-sha1
set dhgrp 2
set keepalive enable
set keylifeseconds 3600
set src-subnet 10.41.5.0 255.255.255.0
set dst-subnet 10.99.10.0 255.255.255.0
next
end
config system link-monitor
edit "AWS1VPNFO"
set srcintf "AWS VPN"
set server "169.254.47.153"
set interval 2
next
edit "AWS2VPNFO"
set srcintf "AWS VPN 2"
set server "169.254.45.245"
set interval 2
next
end
static routes
next
edit 6
set dst 10.99.0.0 255.255.0.0
set priority 1
set device "AWS VPN"
next
edit 7
set dst 10.99.0.0 255.255.0.0
set priority 1
set device "AWS VPN 2"
next
end
config router policy
edit 1
set input-device "port2"
set src "10.41.5.0/255.255.255.0"
set dst "0.0.0.0/0.0.0.0"
set output-device "AWS VPN"
next
edit 2
set input-device "port2"
set src "10.41.5.0/255.255.255.0"
set dst "0.0.0.0/0.0.0.0"
set output-device "AWS VPN 2"
next
end
The policy routes are completely ignore for some reason and everything reverts back to the default static route.
Any help would be much appreciated.
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know anything specific about AWS VPCs. But to route all traffic, generally internet-bound, into a tunnel, you need to have a default route into the tunnel. Not a policy route. You need to set a specific static route, generally a /32 route, toward wan1 for VPN peer so that the VPN still comes up.
Since you have two VPNs, depending on how you want to utilize two connections, primary-backup, load-balance, etc., you might want to use either different distance, equal distance w/ different priority, or load-balance for those two static default routes.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know anything specific about AWS VPCs. But to route all traffic, generally internet-bound, into a tunnel, you need to have a default route into the tunnel. Not a policy route. You need to set a specific static route, generally a /32 route, toward wan1 for VPN peer so that the VPN still comes up.
Since you have two VPNs, depending on how you want to utilize two connections, primary-backup, load-balance, etc., you might want to use either different distance, equal distance w/ different priority, or load-balance for those two static default routes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, in CLI they would look like below. The destination 0.0.0.0/0 is the default "dst" value so you wouldn't see it. Also the default distance is 10 and default priority is 0 (highest), which you don't see either. So if you want to change one of them to have a lower priority, you can configure like below. If you use priority insterad of distance, both default routes show in the routing table, as long as the tunnels are up, but outgoing sessions always use the priority 0 side, but still can receive packets and create incomeing sessions on the priority 10 side. You can play around this to understand the behaviors with those metrics.
Just don't forget to set another set of /32 routes to port1 to keep tunnels up.
config router static
edit x
set device "AWS VPN"
next
edit y
set device "AWS VPN2"
set priority 10
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I add the routes my tunnel goes down. I then added back the default gateway through the WAN and tunnel is up but all traffic goes through the WAN. I played with the ADmin distance but no luck. I started from scratch and have attached my config Tunnel is called AWS. This time I am only working with one tunnel. Not sure what I am missing Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's because you ignored my warning "adding /32 static routes" for the tunnels.
In your config with one tunnel, you needed to have below:
config router static
edit 0
set dst 3.214.248.182 255.255.255.255
set gateway 210.4.106.129
set device port1
next
end
Since a specific route wins over less specific ones (default routes), the tunnel would establish based on this route.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, you might want to check NAT configuration. You will need to deny NAT from the firewall policy.
Related Posts
- How to upgrade WAN bandwidth 52 Views
- IPSec tunnel error : no SA... 129 Views
- Does anyone know a tool/site to... 90 Views
- When connecting VPN from FortiClient getting... 157 Views
- Site to Site VPN to 2... 181 Views
Labels
-
FortiGate
6,523 -
FortiClient
1,301 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
241 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
83 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.