How to set up a phase 2 selector to FortiGate

0

Hello, I have a Windows print server that I host in an EC2 instance and have it connected to a FortiGate that is physically located on-site at our office. We currently have 2 VPN tunnels connected from it to AWS. For this example AWS1 and AWS2 are the tunnels. This print server can communicate with anything that is hardwired, but we have our WIFI networks on a different subnet. Within FortiGate, to add communication on the WIFI networks we configured the phase 2 selector, but we need to add that subnet in AWS somewhere. Does anyone have experience with making it so I can connect to this server when I am connected to WIFI on a different subnet, rather than having to hardwire every single time I need it?

1 Answer
0
Accepted Answer

I think you're trying to add two CIDRs (the Ethernet and the wireless subnets) as the interesting traffic.

I'll answer your question on how to add that on the AWS side, but first: AWS VPN is a route-based VPN, hence it does not support multiple security associations (SAs).

If you're using a policy-based VPN and define several CIDRs, then you'll run into multiple-SA issues which will cause intermittent connectivity; refer to this knowledge article: https://repost.aws/knowledge-center/vpn-connection-instability

Q: How many IPsec security associations can be established concurrently per tunnel? https://aws.amazon.com/vpn/faqs/

A: The AWS VPN service is a route-based solution, so when using a route-based configuration you will not run into SA limitations. If, however, you are using a policy-based solution you will need to limit to a single SA, as the service is a route-based solution.

Matt_E (AWS)
answered a year ago
reviewed a year ago
  • This is all great! The change I had to make was your very last bullet point. I had to do the following:

    • Change the tunnel to have the local address set to 0.0.0.0/0 on both the FortiGate and AWS (ours is in a private VPC so no security issue there).
    • Add the subnets to the route table (somehow missed that).
    • Lastly, add the static route on the Site-to-Site VPN connections tab as well: select the connection > Actions > Modify VPN tunnel options, change that, and all is working now!

    I appreciate the help here!
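The fix the comment describes, written out as an added FortiOS CLI example that is not from the question, the answer, or Fortinet/AWS documentation. The phase1 name "AWS1", the subnets, the address objects, the LAN interface name and the AWS resource IDs are assumed placeholders.

```text
# Added example, not from the original thread. Assumed: phase1-interface "AWS1",
# wired LAN 192.168.10.0/24, Wi-Fi 192.168.20.0/24, VPC 10.0.0.0/16, LAN port
# "internal", and address objects LAN-wired, LAN-wifi, VPC-net already defined.
# Before: one phase 2 selector per local subnet (policy-based style).
# Each selector negotiates its own child SA; AWS keeps one SA per tunnel,
# so the second SA displaces the first and connectivity flaps.
config vpn ipsec phase2-interface
    edit "AWS1-wired"
        set phase1name "AWS1"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
    edit "AWS1-wifi"
        set phase1name "AWS1"
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
end
# After: a single any/any selector (one SA); the routing table decides what
# enters the tunnel, so only the VPC prefix is pointed at the AWS1 interface.
config vpn ipsec phase2-interface
    edit "AWS1"
        set phase1name "AWS1"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config router static
    edit 0
        set dst 10.0.0.0 255.255.0.0
        set device "AWS1"
    next
end
# With any/any selectors the firewall policy, not the selector, limits what may
# cross the tunnel: scope it to the two LAN subnets and the VPC, nothing wider.
config firewall policy
    edit 0
        set name "LAN-to-AWS1"
        set srcintf "internal"
        set dstintf "AWS1"
        set srcaddr "LAN-wired" "LAN-wifi"
        set dstaddr "VPC-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# AWS side (AWS CLI, placeholder IDs): a static route on the VPN connection for
# the Wi-Fi prefix, then a VPC route-table entry toward the virtual private gateway.
# aws ec2 create-vpn-connection-route --vpn-connection-id vpn-PLACEHOLDER --destination-cidr-block 192.168.20.0/24
# aws ec2 create-route --route-table-id rtb-PLACEHOLDER --destination-cidr-block 192.168.20.0/24 --gateway-id vgw-PLACEHOLDER
```

Repeat the phase 2 and static-route changes for the AWS2 tunnel so failover keeps working, and add a matching policy for return traffic from "AWS1" to "internal" if the VPC needs to initiate connections.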
