This article describes the error seen on a FortiOS to AWS Site-to-Site VPN after upgrading to version 7.4.2 or above, where the IPsec anti-spoof check was introduced.
Scope
FortiGate v7.4.2 and above
Solution
- If the FortiGate is configured with multiple phase 2 selectors on the AWS tunnel, this works with AWS VPN before v7.4.2.
- From v7.4.2 onward, the same configuration causes intermittent traffic loss between AWS and the FortiGate through the VPN.
- The reason is that AWS negotiates a single 0.0.0.0/0 traffic selector on its side, so when the FortiGate proposes several phase 2 selectors, AWS treats the resulting child SAs as equivalent and sends traffic over any of them, regardless of which FortiGate selector the packet's addresses actually match.
- When traffic from AWS does not reach the local side, the debug flow shows the error below:
id=65308 trace_id=20320 func=ipsec_spoofed4 line=245 msg="src ip 10.100.1.38 mismatch selector 0 range 169.254.189.57-169.254.189.57"
id=65308 trace_id=20320 func=ipsec_input4 line=289 msg="anti-spoof check failed, drop"
- This shows that the traffic coming from AWS arrived on an SA whose phase 2 selector does not cover the packet's source IP, so the packet failed the anti-spoof check and was dropped. In the output above, selector 0 covers only the tunnel inside address 169.254.189.57/32, yet the decrypted packet has source 10.100.1.38.
- Capturing the ESP packets and decrypting them confirms this: AWS sends the packet over the wrong SA, so when it arrives at the FortiGate it is checked against the wrong selector.
- To resolve this issue, follow the configuration given in the AWS VPN configuration template for FortiGate. This template can be downloaded from AWS once the VPN is configured.
- The template states that for AWS VPN only one phase 2 selector should be configured, 0.0.0.0/0 on both sides. On the AWS side of the VPN settings there is no option to configure multiple phase 2 selectors.
- In conclusion, for AWS VPN only a single phase 2 selector should be configured, following the recommended setting quoted below. Restricting which subnets may cross the tunnel is then done with firewall policies and routes, not with the selector:
! #2: IPSec Configuration
Under Phase 2 Selectors --> New Phase 2
Name: vpn-xxxx
Local Address: LAN subnet behind Fortigate/0.0.0.0/0
Remote Address: AWS Private Subnet/0.0.0.0/0
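The two phase 2 layouts side by side in FortiOS CLI, as an added example that is not part of the original article or of the AWS template. The tunnel name vpn-aws1, the phase 2 names, the local subnets 10.100.1.0/24 and 10.100.2.0/24, the VPC CIDR 172.31.0.0/16 and the proposal are assumed values for illustration only.

```fortios
# --- Problematic layout (assumed example): two phase 2 selectors on one AWS tunnel.
# Works before 7.4.2; from 7.4.2 on, AWS may send a 10.100.1.x packet over the
# child SA negotiated for 10.100.2.0/24, and the anti-spoof check drops it.
config vpn ipsec phase2-interface
    edit "vpn-aws1-p2a"
        set phase1name "vpn-aws1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 10.100.1.0 255.255.255.0
        set dst-subnet 172.31.0.0 255.255.0.0
    next
    edit "vpn-aws1-p2b"
        set phase1name "vpn-aws1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 10.100.2.0 255.255.255.0
        set dst-subnet 172.31.0.0 255.255.0.0
    next
end

# --- Recommended layout (assumed example): a single phase 2 with 0.0.0.0/0 on both
# sides, matching the AWS template. Every packet from AWS now matches the only
# selector, so the anti-spoof check passes whichever SA AWS chose.
# Which subnets may actually traverse the tunnel is enforced by firewall policy
# and by the routes pointing at the tunnel interface, not by the selector.
config vpn ipsec phase2-interface
    edit "vpn-aws1-p2"
        set phase1name "vpn-aws1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
```

After applying the single-selector layout, bring the tunnel up again so the child SAs are renegotiated, and confirm with diagnose vpn tunnel list that the tunnel now shows one selector pair of 0.0.0.0/0 on each side. Because the selector no longer limits anything, review the firewall policies on the tunnel interface so that only the intended local and VPC subnets are permitted in each direction.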