Establishing Secure IPSec VPN Connectivity Between AWS and FortiGate Firewall
Step-by-step guide to configure site-to-site IPSec VPN between AWS VPC and FortiGate firewall with IKEv2, routing, and security best practices.
The Architecture of Hybrid Cloud Trust
Bridging on-premises infrastructure with Amazon Web Services requires more than connectivity: it requires authenticated and encrypted transport, precise routing, and a clear statement of what each side is allowed to reach. An IPSec site-to-site VPN between a FortiGate firewall and an AWS VPC is a well-documented way to achieve this. The tunnel does more than carry packets: Internet Key Exchange authenticates both endpoints and derives the session keys, while FortiGate firewall policies and VPC security groups decide which traffic is permitted to cross the boundary.
Prerequisites: The Foundation of a Reliable Tunnel
Before initiating configuration, several conditions must be satisfied. On the AWS side, a properly scoped VPC with defined subnets and route tables is required; its security groups and network ACLs need only permit the application traffic exchanged with the on-premises CIDRs, because IKE (UDP 500 and 4500) and ESP (IP protocol 50) terminate on the AWS-managed VPN endpoints, not inside the VPC. The FortiGate must either have a publicly routable external interface or sit behind a NAT device that forwards UDP 500 and 4500 to it with NAT traversal (UDP encapsulation of ESP) enabled, and any upstream firewall in front of the FortiGate must allow those ports and ESP. Administrative access to both the AWS Management Console and the FortiOS CLI or GUI is essential. Finally, network architects should predefine the local and remote CIDR blocks to be exchanged, ensuring no overlap and clear routing intent.
AWS-Side Configuration: Building the Gateway Framework
Customer and Virtual Private Gateway Setup
The AWS console serves as the initial configuration plane. Administrators begin by creating a Customer Gateway object, specifying the FortiGate's public IP address and selecting a routing type. For dynamic routing, the Customer Gateway carries the FortiGate's BGP autonomous system number (ASN), typically from the private range 64512–65534; for static routing, the on-premises prefixes are declared as static routes on the VPN connection itself rather than on the gateway object.
Next, a Virtual Private Gateway is provisioned and attached to the target VPC (a Transit Gateway attachment is the alternative when several VPCs share the connection). This component functions as the AWS termination point for IPSec tunnels. Once both gateways exist, a Site-to-Site VPN Connection is created, linking them and enabling tunnel endpoint generation. AWS automatically provisions two redundant tunnels, each with its own public endpoint, inside tunnel /30 taken from 169.254.0.0/16, and pre-shared key. Enable route propagation from the gateway on the VPC route tables that serve the subnets; without it the tunnels come up but the VPC has no return path to the on-premises networks.
Tunnel Parameter Selection
AWS permits granular control over IKE and IPSec parameters per tunnel. Recommended settings include IKEv2, which has a simpler exchange and built-in NAT traversal and liveness checks. Phase 1 negotiations should employ AES-256-GCM for encryption, SHA-384 as the integrity and PRF algorithm, and Diffie-Hellman Group 20 for key exchange, with a 28,800-second lifetime. Phase 2 proposals mirror these choices with a shorter 3,600-second lifetime and Perfect Forward Secrecy (a DH group on the Phase 2 proposal) enabled. Record the values exactly: a cipher, hash or DH group that the FortiGate does not propose will stop negotiation, and FortiGate lifetimes set higher than the AWS values leave the FortiGate waiting on AWS to rekey. Note also that by default AWS does not initiate IKE; the FortiGate must bring the tunnel up unless the tunnel's startup action is set to start, which requires IKEv2.
FortiGate Configuration: Translating AWS Parameters into Policy
Tunnel Definition via IPsec Wizard or CLI
FortiOS offers two pathways for tunnel creation: the guided IPsec Wizard or direct CLI configuration. Either way the tunnel must be route-based (interface mode), which is what the configuration file downloaded from the AWS console assumes. From that file, administrators take the remote gateway IP (the AWS tunnel outside address), the pre-shared key, and the local/remote selectors. For dynamic routing deployments, Phase 2 selectors are set to 0.0.0.0/0, with traffic filtering delegated to firewall policies and BGP advertisements.
Phase 1 and Phase 2 proposals must offer the algorithms AWS was configured with: encryption algorithm, integrity hash and DH group must match on each phase, and the FortiGate key lifetimes should not exceed the AWS values (28,800 and 3,600 seconds) so that the FortiGate rekeys first. NAT traversal can stay at its FortiOS default (enabled): it is only used when the peers detect a NAT between them, and it is mandatory when the FortiGate sits behind one. Dead Peer Detection should be enabled in on-idle mode so that a silent tunnel is probed and torn down; that is what allows routing to fail over to the second tunnel.
Interface and Routing Integration
Each AWS tunnel corresponds to a virtual interface on the FortiGate, whose address is the customer-side inside IP from the /30 AWS assigns out of 169.254.0.0/16, with the AWS inside IP configured as the remote IP. These interfaces need administrative access settings (e.g., ping enabled, so the AWS inside address can serve as a reachability test) and must be referenced in firewall policies. With static routing, routes for the VPC CIDRs point at both tunnel interfaces, with distinct distances or priorities if one tunnel should be preferred. Alternatively, BGP neighbor relationships are formed over the tunnel inside IPs, with local prefixes advertised via the network statement under the BGP process. In both cases set the tunnel interface's TCP MSS to the value the AWS configuration file recommends, so application traffic is not fragmented inside the tunnel.
Policy Enforcement Without NAT
Firewall policies governing VPN traffic must have NAT disabled; source NAT would rewrite on-premises addresses into the FortiGate's own address and break both the selectors and the VPC's security group rules. Source and destination addresses reference address objects representing the on-premises and AWS subnets, respectively. Policies are needed in both directions: one permitting LAN-to-tunnel egress and one allowing tunnel-to-LAN ingress, each listing both tunnel interfaces (or a zone containing them) so that failover does not require a policy change. Service objects can restrict allowed protocols; it is common to permit all services for initial validation and then tighten to the application ports before the link carries production traffic.
Dynamic Routing with BGP: Scaling Hybrid Connectivity
BGP Session Establishment
When using dynamic routing, BGP sessions terminate on the tunnel interfaces themselves. The FortiGate BGP process is configured with a local ASN and router ID, then one neighbor per tunnel is defined using the AWS inside IP and the AWS-side ASN from the configuration file. Prefixes representing on-premises networks are advertised explicitly. With a Virtual Private Gateway, the learned prefixes appear in every VPC route table that has propagation enabled; with a Transit Gateway, they land in the Transit Gateway route table and become reachable from all attached VPCs.
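As an added worked example (not code from AWS, Fortinet or this article), the script below turns the generic configuration XML that AWS provides for a VPN connection into the FortiOS phase 1, phase 2, tunnel interface and BGP neighbor blocks described in the tunnel-definition, interface-integration and BGP-session sections above. The XML element names are the author's reading of the AWS generic download, the embedded document is constructed with documentation addresses and placeholder pre-shared keys, and the interface name wan1 and the on-premises and VPC CIDRs are assumptions. It refuses overlapping selectors and any algorithm token outside the AWS-supported set, and it maps AES-GCM correctly onto FortiOS proposal syntax (PRF in phase 1, cipher alone in phase 2).

```python
"""Render a FortiOS route-based IPsec + BGP configuration from the generic AWS
Site-to-Site VPN configuration XML.  Added example, not AWS or Fortinet code: the
element names follow the AWS generic download as the author understands it, and
the document built below is constructed (placeholder addresses and PSKs)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed per-tunnel fragment in the assumed shape of AWS's generic XML.
_TUNNEL = """<ipsec_tunnel>
 <customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
  <tunnel_inside_address><ip_address>{cgw_in}</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
  <bgp><asn>65000</asn><hold_time>30</hold_time></bgp></customer_gateway>
 <vpn_gateway><tunnel_outside_address><ip_address>{vgw_out}</ip_address></tunnel_outside_address>
  <tunnel_inside_address><ip_address>{vgw_in}</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
  <bgp><asn>64512</asn><hold_time>30</hold_time></bgp></vpn_gateway>
 <ike><encryption_protocol>aes-256-gcm</encryption_protocol><authentication_protocol>sha2-384</authentication_protocol>
  <perfect_forward_secrecy>group20</perfect_forward_secrecy><lifetime>28800</lifetime><pre_shared_key>{psk}</pre_shared_key></ike>
 <ipsec><encryption_protocol>aes-256-gcm</encryption_protocol><authentication_protocol>sha2-384</authentication_protocol>
  <perfect_forward_secrecy>group20</perfect_forward_secrecy><lifetime>3600</lifetime>
  <dead_peer_detection><interval>10</interval><retries>3</retries></dead_peer_detection></ipsec>
</ipsec_tunnel>"""
AWS_VPN_XML = ('<vpn_connection id="vpn-0123456789abcdef0">'
               + _TUNNEL.format(cgw_in="169.254.10.2", vgw_out="198.51.100.21", vgw_in="169.254.10.1", psk="psk-tunnel-1")
               + _TUNNEL.format(cgw_in="169.254.11.2", vgw_out="198.51.100.22", vgw_in="169.254.11.1", psk="psk-tunnel-2")
               + "</vpn_connection>")

# AWS algorithm tokens -> FortiOS proposal tokens; any other token raises KeyError.
ENC = {"aes-128-cbc": "aes128", "aes-256-cbc": "aes256", "aes-128-gcm": "aes128gcm", "aes-256-gcm": "aes256gcm"}
AUTH = {"sha1": "sha1", "sha2-256": "sha256", "sha2-384": "sha384"}


def proposal(enc, auth, phase):
    # GCM is an AEAD: IKEv2 phase 1 still names a PRF (aes256gcm-prfsha384) while
    # phase 2 takes the cipher alone; CBC modes pair the cipher with an HMAC.
    e, a = ENC[enc], AUTH[auth]
    if e.endswith("gcm"):
        return f"{e}-prf{a}" if phase == 1 else e
    return f"{e}-{a}"


def selectors_overlap(local_cidr, remote_cidr):
    # Overlapping on-prem and VPC prefixes make routing ambiguous; refuse them early.
    return ipaddress.ip_network(local_cidr).overlaps(ipaddress.ip_network(remote_cidr))


def render(xml_text, wan="wan1", local_cidr="10.10.0.0/16", vpc_cidr="10.20.0.0/16"):
    if selectors_overlap(local_cidr, vpc_cidr):
        raise ValueError(f"{local_cidr} overlaps the VPC CIDR {vpc_cidr}")
    root, blocks, neighbors = ET.fromstring(xml_text), [], []
    for n, t in enumerate(root.findall("ipsec_tunnel"), 1):
        name, ike, ipsec = f"aws-t{n}", t.find("ike"), t.find("ipsec")
        vgw_in = t.findtext("vpn_gateway/tunnel_inside_address/ip_address")
        blocks.append(f"""config vpn ipsec phase1-interface
    edit "{name}"
        set interface "{wan}"
        set ike-version 2
        set proposal {proposal(ike.findtext('encryption_protocol'), ike.findtext('authentication_protocol'), 1)}
        set dhgrp {ike.findtext('perfect_forward_secrecy').replace('group', '')}
        set keylife {ike.findtext('lifetime')}
        set dpd on-idle
        set dpd-retryinterval {ipsec.findtext('dead_peer_detection/interval')}
        set dpd-retrycount {ipsec.findtext('dead_peer_detection/retries')}
        set remote-gw {t.findtext('vpn_gateway/tunnel_outside_address/ip_address')}
        set psksecret {ike.findtext('pre_shared_key')}
    next
end
config vpn ipsec phase2-interface
    edit "{name}"
        set phase1name "{name}"
        set proposal {proposal(ipsec.findtext('encryption_protocol'), ipsec.findtext('authentication_protocol'), 2)}
        set pfs enable
        set dhgrp {ipsec.findtext('perfect_forward_secrecy').replace('group', '')}
        set keylifeseconds {ipsec.findtext('lifetime')}
    next
end
config system interface
    edit "{name}"
        set ip {t.findtext('customer_gateway/tunnel_inside_address/ip_address')} 255.255.255.255
        set remote-ip {vgw_in} 255.255.255.252
        set allowaccess ping
    next
end""")
        neighbors.append(f"""        edit "{vgw_in}"
            set remote-as {t.findtext('vpn_gateway/bgp/asn')}
            set holdtime-timer {t.findtext('vpn_gateway/bgp/hold_time')}
        next""")
    net, nbrs = ipaddress.ip_network(local_cidr), "\n".join(neighbors)
    blocks.append(f"""config router bgp
    set as {root.findtext('ipsec_tunnel/customer_gateway/bgp/asn')}
    set ebgp-multipath enable
    config neighbor
{nbrs}
    end
    config network
        edit 1
            set prefix {net.network_address} {net.netmask}
        next
    end
end""")
    return "\n".join(blocks)
```

Calling render(AWS_VPN_XML) prints two complete tunnel definitions plus the BGP process. Compare the generated proposal strings against the tunnel options shown in the AWS console before pasting them into the FortiGate, and treat the real configuration file as a secret: it carries both pre-shared keys in clear text.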
ECMP and Tunnel Redundancy
Equal-Cost Multi-Path routing lets both IPSec tunnels carry traffic at once, raising aggregate throughput and letting the loss of one path be absorbed without waiting for a route change. On the FortiGate, enable ebgp-multipath under the BGP process; on a Transit Gateway attachment, enable the VPN ECMP support option on the Transit Gateway. A Virtual Private Gateway does not load-balance toward the customer side, so with a VGW the AWS-to-on-premises direction prefers one tunnel unless the FortiGate steers it with AS-path prepending or MED. Health monitoring via Dead Peer Detection and BGP keepalives maintains session integrity during network disruptions.
Validation and Operational Assurance
Tunnel and Route Verification
Post-configuration validation occurs across multiple planes. In FortiOS, the IPsec Tunnels dashboard displays phase state and traffic statistics. CLI commands such as diagnose vpn ike gateway list (Phase 1), diagnose vpn tunnel list (Phase 2 SAs and counters) and get router info bgp summary (neighbor state and received prefixes) provide granular session details; diagnose debug application ike -1 shows the negotiation itself when a phase refuses to come up. AWS Console visibility includes tunnel state indicators, BGP route counts, and, if enabled, Site-to-Site VPN logs in CloudWatch Logs for IKE negotiation events.
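As an added example (not Fortinet's code), the following parser reads get router info bgp summary output and answers the operational question behind the ECMP and failover sections: are both AWS peers established and carrying prefixes, is the connection running on one tunnel, or is it down? The sample output is constructed to the column layout as the author remembers it, so the regular expression may need adjusting for a particular FortiOS release.

```python
"""Classify AWS tunnel health from FortiOS 'get router info bgp summary' output.
Added example, not Fortinet code; the sample below is constructed."""
import re

# Constructed sample: tunnel 1 established with 2 prefixes, tunnel 2 stuck in
# Active (never came up), the usual picture when one tunnel's PSK is wrong.
SAMPLE_BGP_SUMMARY = """\
VRF 0 BGP router identifier 203.0.113.10, local AS number 65000
BGP table version is 7
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.10.1    4      64512     712     708        7    0    0 01:58:12        2
169.254.11.1    4      64512       0       0        0    0    0 never    Active

Total number of neighbors 2
"""

# Neighbor, version, AS, five counters, Up/Down, then State/PfxRcd.
ROW = re.compile(r"^(?P<nbr>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)"
                 r"(?:\s+\S+){5}\s+(?P<updown>\S+)\s+(?P<state>\S+)\s*$")


def parse_bgp_summary(text):
    """Return {neighbor: {"as", "up", "prefixes", "state"}}.  The last column is a
    prefix count once the session is Established and an FSM state name
    (Idle, Active, Connect, ...) otherwise, so a digit string means 'up'."""
    peers = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        up = m["state"].isdigit()
        peers[m["nbr"]] = {"as": int(m["asn"]), "up": up,
                           "prefixes": int(m["state"]) if up else 0,
                           "state": "Established" if up else m["state"]}
    return peers


def tunnel_health(peers, aws_asn):
    """'ecmp' when both AWS peers are up with prefixes, 'degraded' when exactly one
    is, 'down' otherwise.  Peers in another AS are ignored so an unrelated BGP
    neighbor on the same FortiGate does not skew the answer."""
    aws = [p for p in peers.values() if p["as"] == aws_asn]
    healthy = [p for p in aws if p["up"] and p["prefixes"] > 0]
    if len(healthy) >= 2:
        return "ecmp"
    if len(healthy) == 1:
        return "degraded"
    return "down"


if __name__ == "__main__":
    peers = parse_bgp_summary(SAMPLE_BGP_SUMMARY)
    for nbr, p in peers.items():
        print(f"{nbr}: {p['state']}, {p['prefixes']} prefixes")
    print("health:", tunnel_health(peers, 64512))
```

On the sample this reports degraded: one session is Established with two prefixes and the other never left Active. A session that is Established with zero prefixes also counts as unhealthy, because a tunnel that is up but receives no VPC routes will not carry traffic toward AWS; that case usually means route propagation is off on the AWS side.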
End-to-End Connectivity Testing
Functional verification employs ICMP echo requests and application-layer probes (e.g., HTTP via curl) between resources in on-premises and AWS subnets, in both directions, since each direction depends on a different policy and route. Successful round-trip traffic confirms not only tunnel establishment but also correct routing, policy enforcement, and security group configuration. If ping succeeds but larger transfers stall, check the TCP MSS and MTU settings on the tunnel interface; persistent failures warrant inspection of phase parameters, route tables, and security group rules on both sides.
Frequently Asked Questions
What IKE and IPSec parameters are mandatory for AWS-FortiGate compatibility?
Nothing is mandatory beyond overlap: the FortiGate must propose at least one combination AWS accepts, and each tunnel must use the pre-shared key from the AWS configuration. AWS supports a defined set of algorithms: AES-128 or AES-256 in CBC or GCM mode for encryption; SHA-1, SHA-256, SHA-384 or SHA-512 for integrity; and DH groups 2, 14 through 24. IKEv2 is preferred. Avoid SHA-1 and DH group 2, which remain available only for legacy peers. Mismatched proposals between peers will prevent tunnel negotiation.
How is traffic failover handled between redundant tunnels?
Dead Peer Detection monitors tunnel liveness. When it declares a peer dead, FortiOS brings the tunnel interface down, which removes the static routes bound to it or drops the BGP session over it, so routing moves to the surviving tunnel. When BGP is employed, route withdrawal and re-advertisement provide an additional layer of path control. AWS also tracks tunnel state and, with BGP, stops using routes learned over a tunnel that is down.
Can I use private IP addresses for the FortiGate external interface?
Yes, but only if the FortiGate resides behind a NAT device that forwards UDP 500 and 4500 to it. With NAT traversal enabled on both ends, ESP is carried inside UDP 4500, so protocol 50 itself does not need to be forwarded. The Customer Gateway in AWS must reference the public NAT address, not the private FortiGate IP. If Phase 1 fails with an identity mismatch in this setup, set the FortiGate's local ID to the public address so that it matches what AWS expects.
What distinguishes static from dynamic routing in this context?
Static routing requires manual declaration of remote prefixes on both sides: VPC CIDRs on the FortiGate and on-premises prefixes as static routes on the AWS VPN connection. Dynamic routing via BGP automates prefix exchange, simplifying management in multi-VPC or evolving network topologies, and converges faster when a tunnel fails because the dead tunnel's routes are withdrawn rather than waiting on a static route's next-hop check.
How are security groups and NACLs configured to permit VPN traffic?
AWS security groups attached to resources must allow the application ports from the on-premises CIDRs, and their egress rules must allow the return traffic if egress is restricted. Network ACLs on the VPC subnets must permit the same application traffic in both directions, including the ephemeral return ports, since NACLs are stateless. Neither needs rules for UDP 500/4500 or ESP: those flows terminate on the AWS VPN endpoints outside the VPC. Such rules belong on any firewall in front of the FortiGate instead. FortiGate firewall policies must explicitly allow traffic between LAN and tunnel interfaces without NAT.