Site2Site VPN with Fortigate no return traffic from EC2

0

Hi

I am preparing a simple PoC of an AWS site-to-site VPN connected to a private site behind a Fortigate UTM, using static routing. It should be a simple setup; I followed the step-by-step guides multiple times and just could not make it work. I think I created every element of the setup by the book: a route table per VPC subnet, with the remote subnet pointing towards the virtual private gateway. I cannot get a reply to a ping from TestVM to EC2, nor get a ping request from EC2 to go through to TestVM.

Scenario: EC2 --- AWS VPC (private subnet) -- VPG ---- Site2Site tunnel----(Internet) ---- Fortigate --- TestVM

  • The IPsec tunnel is established okay and reported up on both sides.
  • In the Fortigate packet sniffer I can see ping traffic from TestVM going out into the IPsec interface.
  • Using tcpdump on EC2 I can see the ping traffic reaching the instance, and I can see the instance sending a reply to TestVM.
  • But the reply never reaches the Fortigate packet sniffer; the reply packets just disappear somewhere.
  • Flow logs on the AWS subnets show packets are accepted both ways.

Do you know what may be wrong with the AWS Site2Site return route?

Some issues I can observe in the AWS console, though I am not sure whether they are the cause or the effect of the problem:

  • Enabling route propagation on the route table does nothing; no route is propagated to the VPC subnet route table by the VPG, and I have to add a route to the route table manually.
  • There is a "static route" section in the Site-to-Site VPN connection properties, and it is always empty. I tried to add the required prefix manually and got the green confirmation message that it was added successfully, but it is still not visible under "static route".

Thanks for reading

mb
asked 6 months ago · 496 views
2 Answers
0
Accepted Answer

Sounds like you do not have a route back to your private on-prem network.

In the VPC/subnet route table(s), you have to add the VPGW and enable propagation for routes to appear from the VPN. On the S2S VPN route table, ensure your on-prem CIDR range is defined there. The route will be propagated into the route table.

What do you have setup in Local IPv4 network CIDR and Remote IPv4 network CIDR on the Site to Site VPN?

EXPERT, answered 6 months ago
EXPERT, reviewed 6 months ago
  • When you say prefix, you mean the CIDR range? Also, on the S2S config you can define local and remote IPv4 ranges to control what networks have access. Are these set to 0.0.0.0/0 or something else?

  • Can you let me know your CIDRs? i.e. replace your real CIDR range with something like 1.1.1.1/24 for AWS and 2.2.2.2/16 for on-prem, etc.

  • Thanks for the answer!

    • Propagation is enabled, but it is not adding a route to the route tables; I have no idea why.
    • I added the on-prem CIDR range to the subnet route table manually with the VPG as the target.
    • The "static route" tab on the Site-to-Site VPN connection is empty; I can edit it and add a prefix manually, but it is not visible even though the message says it was added successfully. Is this the setting you are writing about?
  • AWS VPC: 192.168.192.0/24, subnet 192.168.192.0/28, EC2 192.168.192.8, on-prem internal net 10.0.4.64/26, TestVM 10.0.4.69, external Fortigate WAN interface 10.0.4.4/26 (the Fortigate is behind a static external IP NAT).

  • On the S2S setup, do you have the Routing set to Static or Dynamic? This may be why your static route disappears.

0

I tried two approaches:

  1. Local 0.0.0.0/0, Remote 0.0.0.0/0
  2. Local 10.0.4.64/26, Remote 172.29.0.0/24

The effect was the same with both setups.

But I got it solved thanks to you! Your previous comments got me thinking: as you said, the main problem was the S2S VPN route missing the on-prem CIDR range. I could not add it through the GUI (I was adding it, but somehow it did not appear), so I added it using the CLI:

    aws ec2 create-vpn-connection-route --vpn-connection-id vpn-xxxxxx --destination-cidr-block 10.0.4.64/26

...and it worked!!!! Unbelievable: some stupid AWS GUI bug cost me a few days of pointless troubleshooting because I assumed the AWS web GUI was a reliable tool. Thank you for your help, Gary; I would not have found it without you.

mb
answered 6 months ago
  • That is very strange; I have never seen that happen before. I'm glad you have it running now. Good stuff. Thanks for letting me know.
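As an added example that is not part of this thread (not AWS's, the asker's or the answerer's code): a small Python check over constructed samples of `aws ec2 describe-vpn-connections` and `aws ec2 describe-route-tables` output that reports the two halves of the missing return path discussed above (the S2S VPN static route for the on-prem CIDR, and the subnet route table reaching the VGW) and emits the CLI commands that close each gap. The CIDRs are the ones from the thread; `vgw-EXAMPLE`, `rtb-EXAMPLE` and the JSON are placeholders, and `vpn-xxxxxx` is the redacted id from the asker's command.

```python
import ipaddress
import json

# Constructed sample of the relevant fields from `aws ec2 describe-vpn-connections`
# and `aws ec2 describe-route-tables` output (not real account data). The CIDRs
# are the ones from the thread; the resource ids are placeholders.
ONPREM_CIDR = "10.0.4.64/26"
VGW_ID = "vgw-EXAMPLE"  # placeholder virtual private gateway id
VPN_CONNECTION = json.loads("""{
  "VpnConnectionId": "vpn-xxxxxx",
  "Options": {"StaticRoutesOnly": true},
  "Routes": []
}""")
ROUTE_TABLE = json.loads("""{
  "RouteTableId": "rtb-EXAMPLE",
  "PropagatingVgws": [],
  "Routes": [
    {"DestinationCidrBlock": "192.168.192.0/24", "GatewayId": "local", "State": "active"}
  ]
}""")

def covers(routes, cidr):
    """True if any route's destination prefix contains `cidr` (exact or broader)."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))
               for r in routes if "DestinationCidrBlock" in r)

def check_return_path(vpn, rtb, onprem_cidr, vgw_id):
    """Return the CLI commands still needed for a VPC-to-on-prem return route.
    Empty list: the S2S VPN has a static route for the on-prem prefix AND the
    subnet route table reaches it via the VGW (propagation or explicit route)."""
    fixes = []
    if vpn["Options"].get("StaticRoutesOnly") and not covers(vpn["Routes"], onprem_cidr):
        fixes.append(f"aws ec2 create-vpn-connection-route "
                     f"--vpn-connection-id {vpn['VpnConnectionId']} "
                     f"--destination-cidr-block {onprem_cidr}")
    propagating = any(p.get("GatewayId") == vgw_id for p in rtb.get("PropagatingVgws", []))
    via_vgw = [r for r in rtb["Routes"]
               if r.get("GatewayId") == vgw_id and r.get("State") == "active"]
    if not propagating and not covers(via_vgw, onprem_cidr):
        fixes.append(f"aws ec2 enable-vgw-route-propagation "
                     f"--route-table-id {rtb['RouteTableId']} --gateway-id {vgw_id}")
    return fixes

if __name__ == "__main__":
    for cmd in check_return_path(VPN_CONNECTION, ROUTE_TABLE, ONPREM_CIDR, VGW_ID):
        print(cmd)
```

Against real output, feed the first element of `VpnConnections` and the matching element of `RouteTables` from the CLI into `check_return_path` instead of the constructed samples.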
