Route-Based VPN Tunnel FortiGate <-> Cisco ASA

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a FortiGate firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere and enhanced security proposals. Hence, it’s time for an update:

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

My Setup

This is my setup for this tutorial: (Yes, public IPv4 addresses behind the Forti.)

I am using a Fortinet FortiWiFi FWF-61E with FortiOS v6.2.5 build1142 (GA) and a Cisco ASA 5515 with version 9.12(3)12 and ASDM 7.14(1). These are the VPN parameters:

  • Route-based VPN, that is: numbered tunnel interface and real route entries for the network(s) to the other side. But no proxy-IDs aka traffic selection aka crypto map. Thank goodness for that.
  • The tunnel interface on the Forti is added during the VPN setup automatically. However, you have to set the IP address on the tunnel interface manually after that. The static route on the ASA needs an IP address as the gateway.
  • IKEv2 (no distinction anymore between main or aggressive mode as with IKEv1)
  • PSK: 30 chars alphanumeric, generated with a password generator! (ref)
  • IKE crypto/policies:
    • Diffie-Hellman group 21
    • AES-256-GCM
    • SHA-512 (you could use SHA-256 if you like)
    • 8 hours
  • IPsec crypto/proposals/transform sets:
    • AES-256-GCM
    • SHA-512 (again, you can use SHA-256 as well)
    • Diffie-Hellman group 21
    • 1 hour
  • No NAT between the internal networks (of course not ;))!

FortiGate

You can do the configuration through the GUI:

or through the CLI: (incl. the zone commands <- can be omitted if you aren’t using zones)

 

Cisco ASA

Same on the ASA, either via the “GUI”:

or via classical CLI commands: (The ACL is omitted.)

 

Monitoring

Some screenshots from the FortiGate:

as well as CLI outputs:

And some screenshots from the ASA: (the third one showing the logs after a manual “logout”)

as well as CLI outputs:

 

PS: Sorry for being legacy IP only this time. ;(

Photo by Casey Horner on Unsplash.

Leave a Reply

Your email address will not be published. Required fields are marked *