Problem with site-to-site VPN, fortigate appliance

I have a frustrating VPN situation, where 90% of it works except the last hop. Overall situation:

Remote site: Fortigate VPN gateway, and VM
EC2 site: Fortigate AMI, and VM

For EC2, the fortigate AMI and the test VM are on the same region (us-west2a), same VPC, same subnet

Does not work:

  • ping end-to-end VM to VM
  • AWS fortigate ping to AWS VM

DOES work:

  • Remote fortigate ping AWS fortigate
  • Remote VM ping AWS fortigate
  • AWS VM ping AWS fortigate
  • AWS secondary VM ping AWS VM

PACKET TRACES: pinging from the AWS VM to a remote-site IP does not show up in the AWS fortigate packet capture.

Because of the last bit, I would presume that I'm missing something at the AWS routing level. But... I went to VPC, created a routing table, specifically associated it with the subnet the VM and fortigate are on, and added a route for the remote site's subnet through the fortigate instance.

The VPC network acls are (allow all) as well.

So.. I'm lost. Can someone suggest anything else for me to check?

pbrown
asked 9 months ago · 248 views
1 Answer
Accepted Answer

Found the answer myself.

I was presuming that, since I deployed the fortigate AMI from the marketplace, it would (as implied by the entire "appliance in a box" paradigm) take care of EVERYTHING needed.

It did not. I had to edit the VM and manually disable the "source/destination" checks. Ugh!

pbrown
answered 9 months ago
EXPERT
reviewed 6 months ago
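The accepted answer names the one setting that turns a correct-looking VPC route into a black hole: any EC2 instance that is the target of a route (a firewall, VPN or NAT appliance) must have source/destination checking disabled, or it silently drops packets that are not addressed to its own ENI, which is exactly why the test VM's pings never appeared in the appliance's capture. The following audit script is an added example, not code from the poster or from Fortinet or AWS. It walks the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-instances` print, finds every route whose target is an instance or one of its ENIs, and reports the ones where the check is still enabled together with the `aws ec2 modify-instance-attribute ... --no-source-dest-check` command that fixes it. The two JSON documents, the instance/ENI/route-table IDs and the CIDRs are constructed for the example; replace them with real CLI output to audit a live VPC.

```python
import copy
import json

# Constructed sample data shaped like the JSON that
# `aws ec2 describe-route-tables` and `aws ec2 describe-instances` print.
# Every identifier, CIDR and Name tag below is made up for illustration.
ROUTE_TABLES = json.loads("""
{"RouteTables": [{
  "RouteTableId": "rtb-0a1b2c3d4e5f60718", "VpcId": "vpc-0f0f0f0f0f0f0f0f0",
  "Associations": [{"Main": false, "SubnetId": "subnet-0aa0aa0aa0aa0aa0a"}],
  "Routes": [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0c0c0c0c0c0c0c0c0", "State": "active"},
    {"DestinationCidrBlock": "192.168.50.0/24", "InstanceId": "i-0aaaaaaaaaaaaaaaa",
     "NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaaa", "State": "active"}
  ]}]}
""")

INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "SourceDestCheck": true,
   "Tags": [{"Key": "Name", "Value": "fortigate-aws"}],
   "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaaa", "SourceDestCheck": true}]},
  {"InstanceId": "i-0bbbbbbbbbbbbbbbb", "SourceDestCheck": true,
   "Tags": [{"Key": "Name", "Value": "test-vm"}],
   "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbbb", "SourceDestCheck": true}]}
]}]}
""")


def _name_of(inst):
    """Value of the Name tag, or '' when the instance has none."""
    for tag in inst.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def find_blackholed_forwarders(route_tables, instances):
    """Return one finding per route whose target is an EC2 instance (directly
    or via one of its ENIs) while source/destination checking is still on.
    The VPC accepts such a route, but the target drops every forwarded packet,
    so traffic for that destination never reaches the appliance."""
    by_id, eni_owner = {}, {}
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            by_id[inst["InstanceId"]] = inst
            for eni in inst.get("NetworkInterfaces", []):
                eni_owner[eni["NetworkInterfaceId"]] = inst["InstanceId"]

    findings = []
    for rt in route_tables["RouteTables"]:
        for route in rt.get("Routes", []):
            eni_id = route.get("NetworkInterfaceId")
            inst_id = route.get("InstanceId") or eni_owner.get(eni_id)
            if not inst_id:
                continue  # local, IGW, NAT, VGW, TGW, ...: not an instance hop
            inst = by_id.get(inst_id)
            if inst is None:
                continue  # route targets an instance not in the describe output
            # The flag on the ENI the route targets is the one that matters;
            # the instance-level attribute (primary ENI) is the fallback.
            check_enabled = inst.get("SourceDestCheck", True)
            for eni in inst.get("NetworkInterfaces", []):
                if eni_id and eni["NetworkInterfaceId"] == eni_id:
                    check_enabled = eni.get("SourceDestCheck", check_enabled)
            if check_enabled:
                findings.append({
                    "route_table": rt["RouteTableId"],
                    "destination": route.get("DestinationCidrBlock")
                    or route.get("DestinationIpv6CidrBlock"),
                    "instance": inst_id,
                    "name": _name_of(inst),
                    # Real AWS CLI command; the flag clears the check on the instance.
                    "fix": f"aws ec2 modify-instance-attribute --instance-id {inst_id} "
                           f"--no-source-dest-check",
                })
    return findings


def simulate_fix(instances, instance_id):
    """Copy of the describe-instances data with the check disabled on one
    instance, i.e. the state after the console or CLI change is applied."""
    fixed = copy.deepcopy(instances)
    for reservation in fixed["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["InstanceId"] == instance_id:
                inst["SourceDestCheck"] = False
                for eni in inst.get("NetworkInterfaces", []):
                    eni["SourceDestCheck"] = False
    return fixed


if __name__ == "__main__":
    for f in find_blackholed_forwarders(ROUTE_TABLES, INSTANCES):
        print(f"{f['route_table']}: {f['destination']} -> {f['instance']} ({f['name']}) "
              f"still has source/dest check ON; run: {f['fix']}")
```

On the constructed data the script reports the single instance-targeted route (the one to the remote site's subnet) against the appliance, and reports nothing once `simulate_fix` clears the flag. Against a real account, save `aws ec2 describe-route-tables --output json` and `aws ec2 describe-instances --output json` to files and load those instead of the inline constants; the check also catches NAT or proxy instances that were replaced or re-launched without the attribute being reapplied, which is the same failure mode the answer describes.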
