IPsec Site-to-Site VPN FortiGate <-> Cisco Router

This blog post shows how to configure a site-to-site IPsec VPN between a FortiGate firewall and a Cisco router. The FortiGate is configured via the GUI – the router via the CLI. I am showing the screenshots/listings as well as a few troubleshooting commands.

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

The VPN tunnel shown here is a route-based tunnel. That is, I do NOT use proxy-ids in phase 2 for the routing decision (which would be policy-based), but tunnel-interfaces and static routes. This applies to both devices.

The FortiGate firewall in my lab is a FortiWiFi 90D (v5.2.2), the Cisco router an 2811 with software version 12.4(24)T8.


The following figure shows the lab for this VPN:

S2S VPN FortiGate - Cisco Router w VTI Laboratory


These are the steps for the FortiGate firewall. Refer to the descriptions under the screenshots for further details:

Cisco Router

The Cisco router ist configured with the following commands:



The FortiGate has an IPsec Monitor status of “Up”,

VPN FG-Router - FG07 IPsec Monitor

and can be queried via the CLI, too:

The Cisco router show commands are the following:



21 thoughts on “IPsec Site-to-Site VPN FortiGate <-> Cisco Router

  1. I’m waiting for a blog post that represent the internet speed limits of cisco / fortigate / Juniper firewalls . :-)

  2. what is the different between tunnel to peer?
    and what if i want to set this configuration on dialer interface?


  3. This article seems to be the reference for IPsec Site-to-Site (route-based) VPN between FortiGate and Cisco Router.
    This helped me greatly to get a VPN tunnel up between my 2 devices (Fortigate 60C and Cisco 881W).
    I can ping from the Fortigate LAN to the Cisco LAN however I cannot ping from the Cisco to the Fortigate. I guess I am missing some configuration on the Cisco side.

    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key MyPresharedKey address
    crypto isakmp keepalive 10 5
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    mode tunnel
    crypto ipsec profile 3DESMD5
    set transform-set TS
    set pfs group2

    interface Tunnel161
    ip unnumbered FastEthernet4
    tunnel source
    tunnel mode ipsec ipv4
    tunnel destination
    tunnel protection ipsec profile 3DESMD5

    interface FastEthernet4
    description OUTSIDE
    ip address
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto

    interface Vlan1
    description INTERNAL
    ip address
    ip nat inside
    no ip virtual-reassembly in

    ip nat inside source list 1 interface FastEthernet4 overload
    ip route
    ip route Tunnel161

    access-list 1 permit

    Any help would be greatly appreciated.

    1. Well, if the ping in one direction works (inclusive the echo-reply), your VPN is woring. Good.
      Have you reviewed all policies? Please verify the policies on the Forti for both directions!

      1. Hi Johannes,
        Thanks for your reply. You were right there was a policy issue on the FG side. All fixed now.
        Thanks again.

      2. Hi Johannes,
        great post ipsec is up and running.
        However i am facing the same issue unable to reach the remote LAN gw from cisco\cisco’s LAN pc’s.
        policy is on both direction, also tried VPN-ANY-ACCEPT

        1. If your outside interface is public IP – be sure you exclude the VPN tunnel traffic from being NAT’ed, otherwise your Cisco -> Fortigate traffic will work, but the return traffic will go out to the Internet and not back via the tunnel….

  4. After configuring the cisco router for fotigate100c based on above example the protocol goes down every couple of mins.

    Does anyone has an idea on this ?

  5. Great post. I only had one issue. Everytime I rebooted the Cisco (Cisco 2911), my tunnels would drop. I would have to do a “no ip route Tunnel161” then “ip route Tunnel161”
    and it worked.

    I fixed it by removing the ip unumbered portion and giving it an ip and now it works on reboot. So my Cisco CLI commands looked like this:

    interface Tunnel161
    ip address
    tunnel source
    tunnel destination
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile FG

  6. Help Please urgent
    how to convert this config from cisco to frtigate

    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key Keeeeeeeey address
    crypto isakmp keepalive 10 periodic
    crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
    crypto map Keeeeeeeey 10 ipsec-isakmp
    set peer
    set transform-set esp-aes-sha

    interface Tunnel0
    ip address
    tunnel source
    tunnel destination

    1. For the benefit of others:

      ISAKMP Policy refers to ‘Phase 1’, this is the same when using a VTI (As per this tutorial) or using a Crypto Map as per your post – which is an example of GRE over IPSec.

      Transform Set refers to ‘Phase 2 encryption / Hashing’

      Your ‘Tunnel’ interface on the fortigate will be similar to below:

      config system gre-tunnel
      edit “GRE-Tunnel-Underlay”
      set interface “WAN1”
      set remote-gw
      set local-gw

      config system interface
      edit “GRE-Overlay”
      set vdom “root”
      set ip
      set allowaccess ping
      set type tunnel
      set remote-ip
      set interface “WAN1”

      It’s not clear from your example as to what traffic you’re matching using the crypto map and whether the Crypto map has been applied to a physical interface either. It may that you’ve only provided the required output.

  7. I am trying to bring up an IPSec VPN between a fortigate (5.2) and a Cisco Router (IOS 15) using VTIs as per your tutorial.

    Out of interest what Cisco router and version was your tutorial based on?

    The issue I’m having is that although Phase 1 (ISAKM establishes, Phase 2 does not come up.

    The cisco reports this error:

    *Nov 30 14:50:17.364: IPSEC(ipsec_process_proposal): invalid local address
    *Nov 30 14:50:17.364: ISAKMP:(1005): IPSec policy invalidated proposal with error 8
    *Nov 30 14:50:17.368: ISAKMP:(1005): phase 2 SA policy not acceptable! (local remote

    The fortigate reports this issue:

    2017-11-30 06:43:06 ike 0:VPN-to-R1:34: notify msg received: NO-PROPOSAL-CHOSEN
    2017-11-30 06:43:06 ike 0:VPN-to-R1:34:R1-P2:693: IPsec SPI 0fad1c1d match
    2017-11-30 06:43:06 ike 0:VPN-to-R1:34:R1-P2:693: delete phase2 SPI 0fad1c1d

    Any suggestions at all would be appreciated.

    1. Resolved Now, the provided output was with a config error not previously present and not accurate of the actual issue I was having – IPSec VPNs and interactions with VRF Lite.

  8. kindly any one can help me for static ip to dynamic ip vpn
    FortiGate on HQ i has static IP address but remote side i has cisco 1841 router with dynamic IP address .

  9. Anyone face IPSec Configuration issue with Cisco 2901(F: version 15.1(2)TS and Fortigate (F: Version 6.06)

    Please share details for this issse

Leave a Reply

Your email address will not be published. Required fields are marked *