Route-Based VPN Tunnel FortiGate <-> Cisco ASA

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a FortiGate firewall and a Cisco ASA. As time flies by, ASA is now able to terminate route-based VPN tunnels (which is great!), we have IKEv2 running everywhere and enhanced security proposals. Hence, it’s time for an update:

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

My Setup

This is my setup for this tutorial: (Yes, public IPv4 addresses behind the Forti.)

I am using a Fortinet FortiWiFi FWF-61E with FortiOS v6.2.5 build1142 (GA) and a Cisco ASA 5515 with version 9.12(3)12 and ASDM 7.14(1). These are the VPN parameters:

  • Route-based VPN, that is: numbered tunnel interface and real route entries for the network(s) to the other side. But no proxy-IDs aka traffic selection aka crypto map. Thank goodness for that.
  • The tunnel interface on the Forti is added during the VPN setup automatically. However, you have to set the IP address on the tunnel interface manually after that. The static route on the ASA needs an IP address as the gateway.
  • IKEv2 (no distinction anymore between main or aggressive mode as with IKEv1)
  • PSK: 30 chars alphanumeric, generated with a password generator! (ref)
  • IKE crypto/policies:
    • Diffie-Hellman group 21
    • AES-256-GCM
    • SHA-512 (you could use SHA-256 if you like)
    • 8 hours
  • IPsec crypto/proposals/transform sets:
    • AES-256-GCM
    • SHA-512 (again, you can use SHA-256 as well)
    • Diffie-Hellman group 21
    • 1 hour
  • No NAT between the internal networks (of course not ;))!

FortiGate

You can do the configuration through the GUI:

or through the CLI: (incl. the zone commands <- can be omitted if you aren’t using zones)

 

Cisco ASA

Same on the ASA, either via the “GUI”:

or via classical CLI commands: (The ACL is omitted.)

 

Monitoring

Some screenshots from the FortiGate:

as well as CLI outputs:

And some screenshots from the ASA: (the third one showing the logs after a manual “logout”)

as well as CLI outputs:

PS: Sorry for being legacy IP only this time. ;(

Photo by Casey Horner on Unsplash.

One thought on “Route-Based VPN Tunnel FortiGate <-> Cisco ASA

  1. I have a routed VPN set up between a FG and ASA 5525. The tunnel comes up but there is no data received on the FG side of the tunnel. I can ping the tunnel interface on both firewalls locally but not remotely. It is set up same as yours… not sure what is going on here.

    FG Config

    config system interface
    edit “KG-Main”
    set vdom “root”
    set ip 169.254.0.250 255.255.255.255
    set allowaccess ping
    set type tunnel
    set remote-ip 169.254.0.249 255.255.255.252
    set snmp-index 8
    config ipv6
    set ip6-send-adv enable
    set ip6-other-flag enable
    end
    set interface “port1”
    next

    config vpn ipsec phase1-interface
    next
    edit “KG-Main”
    set interface “port1”
    set ike-version 2
    set peertype any
    set net-device disable
    set proposal aes256gcm-prfsha512
    set dhgrp 21
    set remote-gw 1.1.1.1
    set psksecret xxxxx
    next
    end
    config vpn ipsec phase2-interface
    edit “KG-Main”
    set phase1name “KG-Main”
    set proposal aes256gcm
    set dhgrp 21
    set src-addr-type name
    set dst-addr-type name
    set keylifeseconds 3600
    set src-name “all”
    set dst-name “all”
    next
    end

    fortigate1 # get vpn ike gateway KG-Main

    vd: root/0
    name: KG-Main
    version: 2
    interface: port1 3
    addr: 2.2.2.2:4500 -> 1.1.1.1:4500
    created: 453s ago
    peer-id: main.krueger.de
    peer-auth: no
    IKE SA created: 1/1 established: 1/1 time: 190/190/190 ms
    IPsec SA created: 1/1 established: 1/1 time: 0/0/0 ms

    id/spi: 122 804a845040348628/43b80f11e4259ad4
    direction: responder
    status: established 453-452s ago = 190ms
    proposal: aes256gcm
    SK_ei: c8f642478cf00102-3ca79b53e769a0ca-8c3e64d8fc6e6878-64e38bebc769873c-daec86e8
    SK_er: 39671dc0e37b947a-35f0b35484c15f94-77af132ef506b74f-c30b21411f907312-f2f09a3a
    SK_ai:
    SK_ar:
    lifetime/rekey: 86400/85677
    DPD sent/recv: 00000001/00000001

    fortigate1 # get vpn ipsec tunnel name KG-Main

    gateway
    name: ‘KG-Main’
    local-gateway: 2.2.2.2:4500 (static)
    remote-gateway: 1.1.1.1:4500 (static)
    dpd-link: on
    mode: ike-v2
    interface: ‘port1’ (3)
    rx packets: 0 bytes: 0 errors: 0
    tx packets: 5 bytes: 420 errors: 0
    dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
    nat traversal mode: keep-alive interval: 10
    selectors
    name: ‘KG-Main’
    auto-negotiate: disable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
    lifetime/rekey: 3600/2806
    mtu: 8939
    tx-esp-seq: 6
    replay: enabled
    qat: 0
    inbound
    spi: 9f02578f
    enc: aes-gc 469ec9f9ab955145fcbf4861bd31a7008c41ab2178df03eb23cd1cd4658cbc4b50c1abf0
    auth: null
    outbound
    spi: 8185487b
    enc: aes-gc 25bac2347c208ddf5fe6b317bd8a670727bd041564cf0618951d3b31142d0f6c9f50b735
    auth: null

    Cisco Config

    interface Tunnel98

    nameif tunnel-int
    ip address 169.254.0.249 255.255.255.252
    tunnel source interface outside
    tunnel destination 2.2.2.2
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile ipsec-prop-vpn

    crypto ipsec ikev2 ipsec-proposal AES-256-GCM
    protocol esp encryption aes-gcm-256
    protocol esp integrity sha-512

    crypto ipsec profile ipsec-prop-vpn
    set ikev2 ipsec-proposal AES-256-GCM
    set pfs group21
    set security-association lifetime seconds 3600

    crypto ikev2 policy 2
    encryption aes-gcm-256
    integrity null
    group 21 24
    prf sha512
    lifetime seconds 86400

    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 general-attributes
    default-group-policy KG-VPN-STATIC
    tunnel-group 2.2.2.2 ipsec-attributes
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****

    IKEv2 SAs:

    Session-id:71467, Status:UP-ACTIVE, IKE count:1, CHILD count:1

    Tunnel-id Local Remote Status Role
    2858489959 1.1.1.1/4500 2.2.2.2/4500 READY INITIATOR
    Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: PSK, Auth verify: PSK
    Life/Active Time: 86400/53 sec
    Child sa: local selector 0.0.0.0/0 – 255.255.255.255/65535
    remote selector 0.0.0.0/0 – 255.255.255.255/65535
    ESP spi in/out: 0x75d65f1e/0x9f0257a9

    main# ping 169.254.0.249
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 169.254.0.249, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    main# ping 169.254.0.250
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 169.254.0.250, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)
    main#

Leave a Reply

Your email address will not be published. Required fields are marked *