Site-to-Site IPsec VPN Between a FortiGate and a Cisco ASA


In this recipe, we will configure a site-to-site IPsec VPN tunnel between a FortiGate 90D and a Cisco ASA 5505.

Using FortiOS 5.2 and Cisco ASDM 7.1, the example demonstrates how to configure the tunnel on each site, assuming that both devices are configured with appropriate internal (inside) and external (outside) interfaces.

Note that this example uses the default encryption and authentication (SA proposal) settings of the Cisco ASDM IPsec VPN wizard. These are not necessarily the recommended settings.

We will use the wizards to configure each end of the tunnel as it is much quicker. However, some customization will be required on the FortiGate to ensure that its SA proposal matches the Cisco ASA for each Phase. One of the most common reasons that tunnels between FortiGates and third-party products don’t work is because of mismatched settings.

1. Configuring the Cisco ASA using the IPsec VPN Wizard

In the Cisco ASDM, under the Wizard menu, select IPsec VPN Wizard.

Select Site-to-site, with VPN Tunnel Interface set to outside, and click Next.

In the Peer IP Address field, enter the IP address of the FortiGate unit.

Under Authentication Method, enter a secure Pre-Shared Key. You will use the same key when configuring the FortiGate.

Configure Phase 1 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 2.

Configure Phase 2 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 1.

Set the Local Networks and Remote Networks.

Review the configuration before you click Finish.

If prompted, Send the CLI commands to the device.

The tunnel configuration on the Cisco ASA is complete.

Next you must configure the FortiGate with identical settings, except for the remote gateway and internal network.

2. Configuring the FortiGate using the IPsec VPN Wizard

On the FortiGate, go to VPN > IPsec > Wizard.

Enter a Name for the tunnel and select the Site to Site – Cisco template.

Set Remote Gateway to the IP address of the outside interface on the Cisco ASA. The Outgoing Interface should automatically populate.

Enter the same Pre-shared Key used in the Cisco ASA configuration.

Set Local Interface to the internal interface. The Local Subnets will automatically populate.

Set Remote Subnets to the IP address range of the inside network on the Cisco ASA and click Create.

The IPsec VPN Wizard automatically creates the address objects, firewall policies, and static routes required for the tunnel to function.

3. Matching the encryption and authentication settings

On the FortiGate, go to VPN > IPsec > Tunnels, and Edit the tunnel you just created.

Select Convert to Custom Tunnel.

Under Phase 1 Proposal, configure 3DES Encryption and SHA Authentication.

Set the Diffie-Hellman Group to 2.

Under Phase 2 Proposal > Advanced, configure 3DES Encryption and SHA Authentication.

Set the Diffie-Hellman Group to 1.

When you are certain that the tunnel settings match the Cisco ASA configuration, click OK.

OPTION                    SETTING
Phase 1 Encryption        3DES
Phase 1 Authentication    SHA1
Phase 1 DH Group          2
Phase 2 Encryption        3DES
Phase 2 Authentication    SHA1
Phase 2 DH Group          1
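The CLI equivalent of the matched settings above on both devices, as an added example rather than the output of either wizard. The tunnel and object names, the interface name wan1, the addresses 203.0.113.1 (FortiGate WAN) and 203.0.113.2 (ASA outside), the inside subnets, and the pre-shared key placeholder are all assumptions.

```text
# FortiGate (FortiOS 5.2 CLI). Assumed: wan1 = outgoing interface,
# 192.168.1.0/24 behind the FortiGate, 10.1.1.0/24 behind the ASA.
config vpn ipsec phase1-interface
    edit "ToCiscoASA"
        set interface "wan1"
        set ike-version 1
        set mode main
        set peertype any
        set proposal 3des-sha1
        set dhgrp 2
        set remote-gw 203.0.113.2
        set psksecret <PRE-SHARED-KEY>
    next
end
config vpn ipsec phase2-interface
    edit "ToCiscoASA-p2"
        set phase1name "ToCiscoASA"
        set proposal 3des-sha1
        set pfs enable
        set dhgrp 1
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end

! Cisco ASA 9.x CLI (ASDM 7.1). Assumed object names; 203.0.113.1 is the
! FortiGate WAN address, 203.0.113.2 the ASA outside address.
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group1
crypto map outside_map interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
```

The firewall policies and static route that the FortiGate wizard adds are omitted here; compare the proposal, dhgrp and pfs lines on the FortiGate against the policy, transform-set and pfs lines on the ASA, since those are the values that must agree for each phase.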

4. Results

On the FortiGate, go to VPN > Monitor > IPsec Monitor. Right-click on the Site to Site – Cisco VPN and select Bring Up.

From one of the internal networks, you should be able to successfully ping the other internal network.

You will be able to see Incoming and Outgoing Data in the FortiGate IPsec Monitor.

Go to Log & Report > Event Log > VPN to view the status of the tunnel negotiation. Highlight an entry to view the status in greater detail.

5. Troubleshooting

For complete troubleshooting information, refer to IPsec VPN Troubleshooting. Below are some troubleshooting tips.

IPsec VPN troubleshooting tips

Configuration problem: Mode settings do not match.
Correction: Select complementary mode settings.

Configuration problem: Peer ID or certificate name of the remote peer or dialup client is not recognized by the FortiGate VPN server.
Correction: Check the Phase 1 configuration. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name. If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.

Configuration problem: Preshared keys do not match.
Correction: Reenter the preshared key.

Configuration problem: Phase 1 or Phase 2 key exchange proposals are mismatched.
Correction: Make sure that both VPN peers have at least one set of proposals in common for each phase.

Configuration problem: NAT traversal settings are mismatched.
Correction: Select or clear both options as required.
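The commands a practitioner would run on each device to confirm the tunnel state and to trace a failed negotiation (for example, a Phase 1 or Phase 2 proposal mismatch), as an added example that is not part of the original recipe. The tunnel names ToCiscoASA and ToCiscoASA-p2 and the peer addresses 203.0.113.1 (FortiGate) and 203.0.113.2 (ASA) are assumptions.

```text
# FortiGate: Phase 1 gateway state and Phase 2 SAs for the assumed tunnel
diagnose vpn ike gateway list name ToCiscoASA
diagnose vpn tunnel list name ToCiscoASA-p2

# FortiGate: trace only the negotiation with the ASA (assumed peer address).
# A proposal mismatch shows up as the peer rejecting the offered transforms
# (NO-PROPOSAL-CHOSEN) instead of completing the phase.
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 203.0.113.2
diagnose debug enable
# ... bring the tunnel up from VPN > Monitor > IPsec Monitor, then stop the trace
diagnose debug disable
diagnose debug reset

! Cisco ASA: IKEv1 and IPsec SA state for the FortiGate peer
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.1
! Cisco ASA: the Phase 1 policies and the tunnel-group actually in effect
show running-config crypto ikev1
show running-config tunnel-group 203.0.113.1
```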

Note that if you change the Tunnel Group Name, Aggressive Mode will be required. Refer to the FortiOS Handbook IPsec VPN chapter for more information.

Keith Leroux
Technical Writer at Fortinet
Keith Leroux is a writer on the FortiOS 'techdocs' team in Ottawa, Ontario. He obtained a Bachelor's degree from Queen's University in English Language and Literature, and a graduate certificate in Technical Writing from Algonquin College. He spent a year teaching ESL in South Korea. Annyeong!