Site-to-Site IPsec VPN Between a FortiGate and a Cisco ASA

In this recipe, we will configure a site-to-site IPsec VPN tunnel between a FortiGate 90D and a Cisco ASA 5505.

Using FortiOS 5.2 and Cisco ASDM 7.1, the example demonstrates how to configure the tunnel on each site, assuming that both devices are configured with appropriate internal (inside) and external (outside) interfaces.

Note that this example uses the default encryption and authentication (SA proposal) settings of the Cisco ASDM IPsec VPN wizard. They are used here only so that the two sides can be shown matching; they are not the recommended settings. 3DES, SHA1, and Diffie-Hellman groups 1 and 2 are weak by current standards, so for a production tunnel select AES, SHA-2, and DH group 14 or higher on both devices, keeping the settings identical on each side.

We will use the wizards to configure each end of the tunnel as it is much quicker. However, some customization will be required on the FortiGate to ensure that its SA proposal matches the Cisco ASA for each Phase. One of the most common reasons that tunnels between FortiGates and third-party products don’t work is because of mismatched settings.

1. Configuring the Cisco ASA using the IPsec VPN Wizard

In the Cisco ASDM, under the Wizard menu, select IPsec VPN Wizard.

Select Site-to-site, with VPN Tunnel Interface set to outside, and click Next.

In the Peer IP Address field, enter the IP address of the FortiGate unit.

Under Authentication Method, enter a secure Pre-Shared Key. You will use the same key when configuring the FortiGate.

Configure Phase 1 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 2.

Configure Phase 2 with 3DES Encryption and SHA Authentication. Enable Perfect Forward Secrecy (PFS) and set the Diffie-Hellman Group to 1.

Set the Local Networks and Remote Networks.

Review the configuration before you click Finish.

If prompted, Send the CLI commands to the device.

The tunnel configuration on the Cisco ASA is complete.

Next you must configure the FortiGate as the mirror image of the ASA: the same pre-shared key and the same Phase 1 and Phase 2 proposals, with the remote gateway set to the ASA's outside address and the local and remote networks swapped.
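For reference, the following is the CLI that corresponds to the wizard steps above. It is an added example written for this page, not output captured from the ASA or from the original recipe. The interface name outside, the object and crypto map names, the sequence numbers, the ASA outside address 203.0.113.2, the FortiGate address 198.51.100.2, and the two inside networks (192.168.2.0/24 behind the ASA, 192.168.1.0/24 behind the FortiGate) are assumptions. The NAT exemption line is included on the assumption that the ASA also does dynamic PAT from inside to outside, which would otherwise translate the tunnel traffic before encryption.

```text
! Added example: CLI equivalent of the ASDM wizard output for this recipe.
! Names and addresses are assumed; replace them with your own.
!
! Phase 1 (IKEv1 policy): 3DES / SHA / DH group 2, as selected in the wizard
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Local (inside) network and the network behind the FortiGate
object network ASA_LAN
 subnet 192.168.2.0 255.255.255.0
object network FGT_LAN
 subnet 192.168.1.0 255.255.255.0
!
! Interesting traffic (the crypto ACL); must mirror the FortiGate Phase 2 selectors exactly
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! NAT exemption so tunnelled traffic keeps its real source address (assumes dynamic PAT exists on outside)
nat (inside,outside) source static ASA_LAN ASA_LAN destination static FGT_LAN FGT_LAN no-proxy-arp route-lookup
!
! Phase 2: ESP with 3DES and SHA-1 HMAC, PFS using DH group 1, crypto map bound to outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 198.51.100.2
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group1
crypto map outside_map interface outside
!
! The tunnel group is named after the peer IP address, which is how Main Mode identifies the peer
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key ReplaceWithTheSharedSecret
```

The Phase 2 lifetime is left at the ASA default of 28800 seconds (crypto ipsec security-association lifetime seconds). A lifetime mismatch does not by itself stop the tunnel from coming up, because the peers settle on the shorter value, whereas a proposal mismatch or a crypto ACL that does not mirror the FortiGate selectors does.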

2. Configuring the FortiGate using the IPsec VPN Wizard

On the FortiGate, go to VPN > IPsec > Wizard.

Enter a Name for the tunnel and select the Site to Site – Cisco template.

Set Remote Gateway to the IP address of the outside interface on the Cisco ASA. The Outgoing Interface should automatically populate.

Enter the same Pre-shared Key used in the Cisco ASA configuration.

Set Local Interface to the internal interface. The Local Subnets will automatically populate.

Set Remote Subnets to the IP address range of the inside network on the Cisco ASA and click Create.

The IPsec VPN Wizard automatically creates the address objects, the two firewall policies (one per direction), and the static route that the tunnel needs to pass traffic.

3. Matching the encryption and authentication settings

On the FortiGate, go to VPN > IPsec > Tunnels, and Edit the tunnel you just created.

Select Convert to Custom Tunnel.

Under Phase 1 Proposal, configure 3DES Encryption and SHA Authentication.

Set the Diffie-Hellman Group to 2.

Under Phase 2 Proposal > Advanced, configure 3DES Encryption and SHA Authentication.

Leave Enable Perfect Forward Secrecy (PFS) selected and set the Diffie-Hellman Group to 1.

When you are certain that the tunnel settings match the Cisco ASA configuration, click OK.
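The same tunnel expressed in the FortiOS 5.2 CLI, covering what the wizard in step 2 creates and the proposal changes from step 3. This is an added example for this page, not the wizard's own output. The tunnel name to-cisco-asa, the interface names wan1 and internal, the address-object names, and the addresses (ASA outside 203.0.113.2, 192.168.1.0/24 local, 192.168.2.0/24 behind the ASA) are assumptions. The lines starting with # are annotations, not FortiOS commands; remove them before pasting.

```text
# Added example: FortiOS 5.2 CLI for the tunnel after "Convert to Custom Tunnel".
# Names and addresses are assumed; the pre-shared key must match the ASA exactly.
#
# Phase 1: Main Mode, IKEv1, 3DES / SHA1 / DH group 2 (matches the ASA ikev1 policy)
config vpn ipsec phase1-interface
    edit "to-cisco-asa"
        set interface "wan1"
        set ike-version 1
        set mode main
        set remote-gw 203.0.113.2
        set psksecret ReplaceWithTheSharedSecret
        set proposal 3des-sha1
        set dhgrp 2
        set keylife 86400
        set nattraversal enable
        set dpd enable
    next
end
# Phase 2: 3DES / SHA1 with PFS group 1; the selectors mirror the ASA crypto ACL
config vpn ipsec phase2-interface
    edit "to-cisco-asa"
        set phase1name "to-cisco-asa"
        set proposal 3des-sha1
        set pfs enable
        set dhgrp 1
        set keylifeseconds 28800
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
# Address objects, one policy per direction, and the route into the tunnel interface
config firewall address
    edit "fgt-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "asa-lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-cisco-asa"
        set srcaddr "fgt-lan"
        set dstaddr "asa-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "to-cisco-asa"
        set dstintf "internal"
        set srcaddr "asa-lan"
        set dstaddr "fgt-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "to-cisco-asa"
    next
end
```

The proposal strings 3des-sha1 and the dhgrp values are the parts that must agree with the ASA; everything else (names, lifetimes, DPD) can differ without stopping the negotiation.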


Summary of the proposal settings that must match on both devices:

Setting                  Value
Phase 1 Encryption       3DES
Phase 1 Authentication   SHA1
Phase 1 DH Group         2
Phase 2 Encryption       3DES
Phase 2 Authentication   SHA1
Phase 2 DH Group (PFS)   1

4. Results

On the FortiGate, go to VPN > Monitor > IPsec Monitor. Right-click on the Site to Site – Cisco VPN and select Bring Up.

From one of the internal networks, you should be able to successfully ping the other internal network.

You will be able to see Incoming and Outgoing Data in the FortiGate IPsec Monitor.

Go to Log & Report > Event Log > VPN to view the status of the tunnel negotiation. Highlight an entry to view the status in greater detail.

5. Troubleshooting

For complete troubleshooting information, refer to IPsec VPN Troubleshooting. Below are some troubleshooting tips.

IPsec VPN troubleshooting tips

Configuration problems and their corrections:

Mode settings do not match.
  Select complementary mode settings (Main or Aggressive) on both peers.

Peer ID or certificate name of the remote peer or dialup client is not recognized by the FortiGate VPN server.
  Check the Phase 1 configuration. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name. If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.

Preshared keys do not match.
  Re-enter the preshared key on both peers.

Phase 1 or Phase 2 key exchange proposals are mismatched.
  Make sure that both VPN peers have at least one set of proposals in common for each phase.

NAT traversal settings are mismatched.
  Select or clear NAT traversal on both peers as required.
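Commands to confirm the tunnel state on each device and to catch the two most common mismatches listed above (proposal and pre-shared key); this is an added example, not part of the original recipe. The peer addresses are the assumed 203.0.113.2 (ASA outside) and 198.51.100.2 (FortiGate).

```text
# On the FortiGate (FortiOS 5.2 CLI): list gateways and tunnels, then trace IKE for this peer only
diagnose vpn ike gateway list
diagnose vpn tunnel list
diagnose vpn ike log-filter dst-addr4 203.0.113.2
diagnose debug application ike -1
diagnose debug enable
# Now bring the tunnel up (or send traffic across it) and read the output:
#   "no SA proposal chosen"             -> Phase 1 or Phase 2 proposal mismatch with the ASA
#   "probable pre-shared secret mismatch" -> the keys differ
# Stop the trace when done
diagnose debug disable
diagnose debug reset

! On the ASA: Phase 1 should show MM_ACTIVE, Phase 2 counters should increment as traffic flows
show crypto ikev1 sa
show crypto ipsec sa peer 198.51.100.2
! Detailed IKEv1 negotiation trace for the same failure modes, then turn it off
debug crypto ikev1 127
undebug all
```

Run the FortiGate log filter before enabling the debug; without it, the IKE trace includes every peer on the unit and the relevant lines are easy to miss.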



Note that the tunnel group created by the ASDM wizard is named after the FortiGate peer IP address, which is what Main Mode uses to identify the peer. If you change the Tunnel Group Name to anything else, the ASA identifies the peer by that name instead, so Aggressive Mode will be required on both devices with a matching ID on the FortiGate. Refer to the FortiOS Handbook IPsec VPN chapter for more information.