FortiGate
js2
Staff
Article Id 198773
Description
This article describes a scenario where the IPsec tunnel is up, but it is not possible to log in to a FortiGate deployed in AWS or to reach resources behind it through the tunnel.

Solution
- Check that the subnets involved are in the same VPC.
- Verify the security group and network ACL settings in AWS.
- Verify the firewall policy between the local network and the IPsec tunnel interface.
- Ensure that the static route is created for the specific remote subnet, not for 0.0.0.0/0.

Example of the debug flow output observed on the FortiGate for traffic leaving through the IPsec tunnel (the packet is routed to the tunnel interface AWS-to-IHQ, encrypted, and then sent to the next hop via port1):
AWS_Firewall # id=20085 trace_id=9 func=print_pkt_detail line=5693 msg="vd-root:0 received a packet(proto=1, 172.37.10.90:1536->192.168.0.1:2048) from local. type=8, code=0, id=1536, seq=0."
id=20085 trace_id=9 func=init_ip_session_common line=5864 msg="allocate a new session-0000143e"
id=20085 trace_id=9 func=ipd_post_route_handler line=490 msg="out AWS-to-IHQ vwl_zone_id 0, state2 0x0, quality 0."
id=20085 trace_id=9 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-AWS-to-IHQ"
id=20085 trace_id=9 func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-AWS-to-IHQ"
id=20085 trace_id=9 func=esp_output4 line=898 msg="IPsec encrypt/auth"
id=20085 trace_id=9 func=ipsec_output_finish line=617 msg="send to 172.37.0.1 via intf-port1"
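The debug flow above is what a healthy flow looks like; the checklist items (missing static route, missing firewall policy) each leave a different signature in the same output. The following script is an added example, not part of the article or of any Fortinet tool: it parses debug flow lines grouped by trace_id and classifies each trace as tunneled, misrouted (routing decision picked a physical interface and no ESP step followed) or denied by policy. The sample input is constructed: trace 9 is the article's own output, while traces 10 and 11 are made-up failure cases, and the "Denied by forward policy check" message format is assumed from typical FortiGate output.

```python
import re
from collections import defaultdict

# Constructed sample. Trace 9 reproduces the article's healthy flow; traces 10
# (no static route, packet leaves via port1 unencrypted) and 11 (no matching
# firewall policy) are invented to illustrate the failure signatures.
SAMPLE = """\
AWS_Firewall # id=20085 trace_id=9 func=print_pkt_detail line=5693 msg="vd-root:0 received a packet(proto=1, 172.37.10.90:1536->192.168.0.1:2048) from local. type=8, code=0, id=1536, seq=0."
id=20085 trace_id=9 func=init_ip_session_common line=5864 msg="allocate a new session-0000143e"
id=20085 trace_id=9 func=ipd_post_route_handler line=490 msg="out AWS-to-IHQ vwl_zone_id 0, state2 0x0, quality 0."
id=20085 trace_id=9 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-AWS-to-IHQ"
id=20085 trace_id=9 func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-AWS-to-IHQ"
id=20085 trace_id=9 func=esp_output4 line=898 msg="IPsec encrypt/auth"
id=20085 trace_id=9 func=ipsec_output_finish line=617 msg="send to 172.37.0.1 via intf-port1"
id=20085 trace_id=10 func=print_pkt_detail line=5693 msg="vd-root:0 received a packet(proto=1, 172.37.10.90:1537->192.168.0.1:2048) from local. type=8, code=0, id=1537, seq=0."
id=20085 trace_id=10 func=init_ip_session_common line=5864 msg="allocate a new session-0000143f"
id=20085 trace_id=10 func=ipd_post_route_handler line=490 msg="out port1 vwl_zone_id 0, state2 0x0, quality 0."
id=20085 trace_id=11 func=print_pkt_detail line=5693 msg="vd-root:0 received a packet(proto=1, 192.168.0.1:1538->172.37.10.90:2048) from AWS-to-IHQ. type=8, code=0, id=1538, seq=0."
id=20085 trace_id=11 func=init_ip_session_common line=5864 msg="allocate a new session-00001440"
id=20085 trace_id=11 func=fw_forward_handler line=767 msg="Denied by forward policy check (policy 0)"
"""

# One debug flow record; search() tolerates a CLI prompt before "id=".
LINE_RE = re.compile(r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
                     r'line=(?P<line>\d+) msg="(?P<msg>.*)"')
PKT_RE = re.compile(r'\(proto=(\d+), ([^ )>]+)->([^ )]+)\)')
OUT_RE = re.compile(r'out (\S+)')


def parse_debug_flow(text):
    """Group (func, msg) events by trace_id, preserving their order."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            traces[int(m['trace'])].append((m['func'], m['msg']))
    return dict(traces)


def classify_trace(events):
    """Return (flow, verdict, hint) for one trace's ordered events."""
    funcs = [f for f, _ in events]
    msgs = [m for _, m in events]
    pkt = PKT_RE.search(msgs[0]) if msgs else None
    flow = f"{pkt.group(2)}->{pkt.group(3)}" if pkt else "unknown"

    if any('Denied by forward policy' in m for m in msgs):
        return flow, "DENIED", ("no firewall policy matched; review the policy "
                                "between the local network and the tunnel interface")

    # Routing decision: which interface did the kernel pick for the packet?
    out_if = None
    for f, m in events:
        if f == 'ipd_post_route_handler':
            mm = OUT_RE.match(m)
            if mm:
                out_if = mm.group(1)
    if out_if is None:
        return flow, "INCOMPLETE", "no routing decision captured; widen the debug filter or trace count"
    if 'esp_output4' in funcs:
        return flow, "TUNNELED", f"routed into IPsec interface {out_if} and encrypted"
    return flow, "MISROUTED", (f"routed out {out_if} without entering IPsec; check that a static "
                               "route for the remote subnet points at the tunnel interface")


def analyze(text):
    """Map trace_id -> (flow, verdict, hint) for every trace in the capture."""
    return {tid: classify_trace(ev) for tid, ev in parse_debug_flow(text).items()}


if __name__ == "__main__":
    for tid, (flow, verdict, hint) in sorted(analyze(SAMPLE).items()):
        print(f"trace {tid:>3} {flow:<40} {verdict:<10} {hint}")
```

Feed it the saved output of `diagnose debug flow` instead of SAMPLE to triage a real capture: a TUNNELED verdict with no reply traffic points at the AWS side (security group, network ACL, VPC membership), while MISROUTED and DENIED point back at the FortiGate route table and policy respectively.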

Contributors