
Configuring IPsec VPN with a FortiGate and a Cisco ASA
The following recipe describes how to configure a site-to-site IPsec VPN tunnel.
In this example, one site is behind a FortiGate and another site is behind a Cisco
ASA. Using FortiOS 5.0 and Cisco ASDM 6.4, the example demonstrates how to
configure the tunnel between each site, avoiding overlapping subnets, so that a
secure tunnel can be established with the desired security profiles applied. The
procedure assumes that both devices are configured with appropriate internal and
external interfaces.
1. Configuring the Cisco device using the IPsec VPN Wizard
2. Configuring the FortiGate tunnel phases
3. Configuring the FortiGate policies
4. Configuring the static route in the FortiGate
5. Results

[Diagram: Site 1 LAN behind the FortiGate and Site 2 LAN behind the Cisco ASA, joined by an IPsec VPN tunnel across the Internet]

Configuring the Cisco device using the IPsec VPN Wizard
In the Cisco ASDM, under the Wizard menu,
select IPsec VPN Wizard.

From the options that appear, select Site-to-site, with the VPN Tunnel Interface set to
outside, then click Next.

In the Peer IP Address field, enter the public IP address of the FortiGate unit (its wan1
address) that will terminate the IPsec tunnel.
Under Authentication Method, enter a secure Pre-Shared Key. You will enter the same key
when configuring the FortiGate tunnel phases, so it must match character for character.
Use a long, randomly generated key rather than a dictionary word; IKEv1 main mode with
a weak pre-shared key is exposed to offline guessing by anyone who captures the exchange.
When you are satisfied, click Next.

The next step in the IPsec VPN Wizard is to establish tunnel phases 1 and 2.
The encryption settings established here must match the encryption settings
configured later in the FortiGate; a mismatch in any one of them (cipher, hash,
Diffie-Hellman group, or PFS) is the most common reason the tunnel fails to come up.
Configure Phase 1 with AES-256 Encryption and SHA Authentication.
Set the Diffie-Hellman Group to 5.
Configure Phase 2 with AES-256 Encryption and SHA Authentication.
Enable PFS and set the Diffie-Hellman Group to 2.
Groups 2 and 5 (1024-bit and 1536-bit MODP) are what these two releases offer in common;
where both devices support it, prefer group 14 or higher for both phases.
Click Next.

Set the Local Network (the subnet behind the ASA) and Remote Network (the subnet behind
the FortiGate). These two networks become the ASA's crypto ACL, and the FortiGate's Phase 2
selectors must mirror them exactly. If the ASA translates its inside addresses on the way
out, also exempt traffic between the two networks from address translation (the wizard offers
an exemption option on this page); otherwise the translated source address will never match
the crypto ACL.

Click Next and review the configuration before you click Finish.
The tunnel configuration on the Cisco ASA is complete. Now you must configure the
FortiGate with matching settings, using the ASA's outside address as the remote gateway.

Configuring the FortiGate tunnel phases
In the FortiOS GUI, navigate to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
Name the tunnel, set Remote Gateway to a static IP address and enter the ASA's outside
address, and set the Local Interface to wan1. Make sure IPsec interface mode is enabled
for this Phase 1, because the policies and static route below refer to the tunnel as an
interface.
Select Preshared Key for Authentication Method and enter the same preshared key
you chose when configuring the Cisco IPsec VPN Wizard.
Configure this phase to match the Phase 1 settings on the Cisco device (AES-256
encryption, SHA1 authentication, Diffie-Hellman Group 5) and click OK.

Select Create Phase 2.
Under Phase 1, select the tunnel you just configured, and ensure that the encryption
settings match the Phase 2 settings configured on the Cisco device (AES-256, SHA1,
PFS enabled with Diffie-Hellman Group 2).
Under Quick Mode Selector, set the Source address to the FortiGate's LAN subnet and the
Destination address to the Cisco local network, mirroring the Remote Network and Local
Network you entered in the ASDM wizard. The ASA compares the selectors the FortiGate
proposes against its crypto ACL and rejects a mismatch, so leaving them at the FortiGate
default of 0.0.0.0/0 will keep Phase 2 from coming up.

Configuring the FortiGate policies
Navigate to Policy > Policy > Policy and create firewall policies that allow inbound
and outbound traffic over the tunnel.
In the first (outbound) policy, set the Incoming Interface to lan and the Source
Address to all. Set the Outgoing Interface to the tunnel interface and the Destination
Address to all. Set Action to ACCEPT and configure the Schedule and Service as desired.
Create the second (inbound) policy with the interfaces reversed (Incoming Interface set
to the tunnel interface, Outgoing Interface set to lan), and configure the Schedule and
Service as desired. Leave NAT disabled on both policies; translating addresses into the
tunnel would break the selector match. Narrowing Source and Destination Address to the
two LAN subnets instead of all is a sensible tightening once the tunnel is up.

Configuring the static route in the FortiGate
Navigate to Router > Static > Static
Routes and select Create New.
Create a static route with the Destination
IP/Mask matching the address of the Cisco
local network (by default, 192.168.1.0).
Under Device, select the site-to-site tunnel,
and click OK.

Results
The tunnel should now be active. On the
FortiGate, verify that the tunnel is up by
navigating to VPN > Monitor > IPsec
Monitor.
The IPsec Monitor table will indicate the
source and destination addresses, and the
status of the tunnel (up or down) and its
uptime.
For more detailed tunnel information, go to
Log & Report > Event Log > VPN and
view the table.

Select the tunnel entry in the table to view the information in greater detail.
