Route-Based VPN Tunnel FortiGate <-> Cisco ASA

More than 6 years ago (!) I published a tutorial on how to set up an IPsec VPN tunnel between a FortiGate firewall and a Cisco ASA. Since then the ASA has gained the ability to terminate route-based VPN tunnels (which is great!), IKEv2 is running everywhere, and we have stronger security proposals. Hence, it’s time for an update:

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

My Setup

This is my setup for this tutorial: (Yes, public IPv4 addresses behind the Forti.)

I am using a Fortinet FortiWiFi FWF-61E with FortiOS v6.2.5 build1142 (GA) and a Cisco ASA 5515 with version 9.12(3)12 and ASDM 7.14(1). These are the VPN parameters:

  • Route-based VPN, that is: a numbered tunnel interface and real route entries for the network(s) on the other side, but no proxy IDs aka traffic selectors aka crypto map. Thank goodness for that.
  • The tunnel interface on the Forti is added during the VPN setup automatically. However, you have to set the IP address on the tunnel interface manually after that. The static route on the ASA needs an IP address as the gateway.
  • IKEv2 (no more distinction between main and aggressive mode as with IKEv1)
  • PSK: 30 chars alphanumeric, generated with a password generator! (ref)
  • IKE crypto/policies:
    • Diffie-Hellman group 21
    • AES-256-GCM
    • SHA-512 (you could use SHA-256 if you like)
    • 8 hours
  • IPsec crypto/proposals/transform sets:
    • AES-256-GCM
    • SHA-512 (again, you can use SHA-256 as well)
    • Diffie-Hellman group 21
    • 1 hour
  • No NAT between the internal networks (of course not ;))!


FortiGate

You can do the configuration through the GUI:

or through the CLI (including the zone commands, which can be omitted if you aren’t using zones):


Cisco ASA

Same on the ASA, either via the “GUI”:

or via classical CLI commands: (The ACL is omitted.)



Some screenshots from the FortiGate:

as well as CLI outputs:

And some screenshots from the ASA: (the third one showing the logs after a manual “logout”)

as well as CLI outputs:

PS: Sorry for being legacy IP only this time. ;(

Photo by Casey Horner on Unsplash.

One thought on “Route-Based VPN Tunnel FortiGate <-> Cisco ASA”

  1. I have a routed VPN set up between a FG and ASA 5525. The tunnel comes up but there is no data received on the FG side of the tunnel. I can ping the tunnel interface on both firewalls locally but not remotely. It is set up the same as yours… not sure what is going on here.

    FG Config

    config system interface
        edit "KG-Main"
            set vdom "root"
            set ip
            set allowaccess ping
            set type tunnel
            set remote-ip
            set snmp-index 8
            config ipv6
                set ip6-send-adv enable
                set ip6-other-flag enable
            end
            set interface "port1"
        next
    end

    config vpn ipsec phase1-interface
        edit "KG-Main"
            set interface "port1"
            set ike-version 2
            set peertype any
            set net-device disable
            set proposal aes256gcm-prfsha512
            set dhgrp 21
            set remote-gw
            set psksecret xxxxx
        next
    end

    config vpn ipsec phase2-interface
        edit "KG-Main"
            set phase1name "KG-Main"
            set proposal aes256gcm
            set dhgrp 21
            set src-addr-type name
            set dst-addr-type name
            set keylifeseconds 3600
            set src-name "all"
            set dst-name "all"
        next
    end

    fortigate1 # get vpn ike gateway KG-Main

    vd: root/0
    name: KG-Main
    version: 2
    interface: port1 3
    addr: ->
    created: 453s ago
    peer-auth: no
    IKE SA created: 1/1 established: 1/1 time: 190/190/190 ms
    IPsec SA created: 1/1 established: 1/1 time: 0/0/0 ms

    id/spi: 122 804a845040348628/43b80f11e4259ad4
    direction: responder
    status: established 453-452s ago = 190ms
    proposal: aes256gcm
    SK_ei: c8f642478cf00102-3ca79b53e769a0ca-8c3e64d8fc6e6878-64e38bebc769873c-daec86e8
    SK_er: 39671dc0e37b947a-35f0b35484c15f94-77af132ef506b74f-c30b21411f907312-f2f09a3a
    lifetime/rekey: 86400/85677
    DPD sent/recv: 00000001/00000001

    fortigate1 # get vpn ipsec tunnel name KG-Main

    name: 'KG-Main'
    local-gateway: (static)
    remote-gateway: (static)
    dpd-link: on
    mode: ike-v2
    interface: 'port1' (3)
    rx packets: 0 bytes: 0 errors: 0
    tx packets: 5 bytes: 420 errors: 0
    dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
    nat traversal mode: keep-alive interval: 10
    name: 'KG-Main'
    auto-negotiate: disable
    mode: tunnel
    src: 0:
    dst: 0:
    lifetime/rekey: 3600/2806
    mtu: 8939
    tx-esp-seq: 6
    replay: enabled
    qat: 0
    spi: 9f02578f
    enc: aes-gc 469ec9f9ab955145fcbf4861bd31a7008c41ab2178df03eb23cd1cd4658cbc4b50c1abf0
    auth: null
    spi: 8185487b
    enc: aes-gc 25bac2347c208ddf5fe6b317bd8a670727bd041564cf0618951d3b31142d0f6c9f50b735
    auth: null

    Cisco Config

    interface Tunnel98
     nameif tunnel-int
     ip address
     tunnel source interface outside
     tunnel destination
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ipsec-prop-vpn

    crypto ipsec ikev2 ipsec-proposal AES-256-GCM
     protocol esp encryption aes-gcm-256
     protocol esp integrity sha-512

    crypto ipsec profile ipsec-prop-vpn
     set ikev2 ipsec-proposal AES-256-GCM
     set pfs group21
     set security-association lifetime seconds 3600

    crypto ikev2 policy 2
     encryption aes-gcm-256
     integrity null
     group 21 24
     prf sha512
     lifetime seconds 86400

    tunnel-group type ipsec-l2l
    tunnel-group general-attributes
     default-group-policy KG-VPN-STATIC
    tunnel-group ipsec-attributes
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****

    IKEv2 SAs:

    Session-id:71467, Status:UP-ACTIVE, IKE count:1, CHILD count:1

    Tunnel-id Local Remote Status Role
    2858489959 READY INITIATOR
    Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: PSK, Auth verify: PSK
    Life/Active Time: 86400/53 sec
    Child sa: local selector -
    remote selector -
    ESP spi in/out: 0x75d65f1e/0x9f0257a9

    main# ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    main# ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
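The outputs in the comment above have a recognisable shape: the IKE SA is up on both ends, the FortiGate's tx counter rises while rx stays at zero, and the ESP SPIs in the two captures do not line up. As an added example that is neither part of the original post nor the commenter's reply, the following Python script parses constructed sample outputs modelled on those three commands and flags exactly those mismatches. The sample text, the tunnel name ASA-VTI and the field patterns it matches are assumptions; FortiOS does not label which of its two listed SPIs is inbound, so the script compares SPI sets rather than directions.

```python
import re

# Constructed sample outputs for this example (not captured from real devices),
# modelled on the field layout of FortiOS "get vpn ike gateway <name>",
# FortiOS "get vpn ipsec tunnel name <name>" and Cisco ASA "show crypto ikev2 sa".
# Addresses and key material are omitted.
FORTI_IKE_GATEWAY = """\
    name: ASA-VTI
    version: 2
    IKE SA  created: 1/1  established: 1/1  time: 190/190/190 ms
    IPsec SA  created: 1/1  established: 1/1  time: 0/0/0 ms
    proposal: aes256gcm
    lifetime/rekey: 86400/85677
    DPD sent/recv: 00000001/00000001
"""

FORTI_IPSEC_TUNNEL = """\
    name: 'ASA-VTI'
    mode: ike-v2
    rx  packets: 0  bytes: 0  errors: 0
    tx  packets: 5  bytes: 420  errors: 0
    name: 'ASA-VTI'
    mode: tunnel
    lifetime/rekey: 3600/2806
    spi: 9f02578f
    enc: aes-gc <key omitted>
    auth: null
    spi: 8185487b
    enc: aes-gc <key omitted>
    auth: null
"""

ASA_IKEV2_SA = """\
IKEv2 SAs:
Session-id:71467, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/53 sec
Child sa: local selector -
remote selector -
ESP spi in/out: 0x75d65f1e/0x9f0257a9
"""


def _int_after(pattern, text):
    """Return the first capture group of pattern as an int, or None if absent."""
    m = re.search(pattern, text, re.M)
    return int(m.group(1)) if m else None


def parse_forti(ike_text, tunnel_text):
    """Extract the fields the checks need from the two FortiGate outputs."""
    return {
        "ike_lifetime": _int_after(r"^\s*lifetime/rekey:\s*(\d+)/", ike_text),
        "ipsec_lifetime": _int_after(r"^\s*lifetime/rekey:\s*(\d+)/", tunnel_text),
        "rx": _int_after(r"^\s*rx\s+packets:\s*(\d+)", tunnel_text) or 0,
        "tx": _int_after(r"^\s*tx\s+packets:\s*(\d+)", tunnel_text) or 0,
        # The output lists both ESP SPIs without saying which direction is
        # which, so keep them as a set and compare sets with the other side.
        "spis": {s.lower() for s in re.findall(r"^\s*spi:\s*([0-9a-fA-F]+)", tunnel_text, re.M)},
    }


def parse_asa(text):
    """Extract the same fields from the ASA's IKEv2 SA output."""
    status = re.search(r"Status:([A-Z-]+)", text)
    spi = re.search(r"ESP spi in/out:\s*0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)", text)
    return {
        "status": status.group(1) if status else None,
        "ike_lifetime": _int_after(r"Life/Active Time:\s*(\d+)/", text),
        "dh_group": _int_after(r"DH Grp:(\d+)", text),
        "spis": {spi.group(1).lower(), spi.group(2).lower()} if spi else set(),
    }


def check_tunnel(forti, asa):
    """Return a list of findings; an empty list means the two views agree."""
    findings = []
    if asa["status"] != "UP-ACTIVE":
        findings.append(f"ASA IKEv2 SA status is {asa['status']}, not UP-ACTIVE")
    if forti["tx"] > 0 and forti["rx"] == 0:
        findings.append("one-way traffic: the FortiGate sends ESP but receives none; "
                        "check the return route, firewall policy and tunnel interface "
                        "address on the ASA side")
    if forti["spis"] != asa["spis"]:
        findings.append("ESP SPIs differ (FortiGate %s vs ASA %s): the outputs describe "
                        "different child SAs, e.g. after a rekey or with a duplicate SA"
                        % (sorted(forti["spis"]), sorted(asa["spis"])))
    if forti["ike_lifetime"] != asa["ike_lifetime"]:
        findings.append("IKE SA lifetime differs: FortiGate %s s vs ASA %s s"
                        % (forti["ike_lifetime"], asa["ike_lifetime"]))
    return findings


if __name__ == "__main__":
    result = check_tunnel(parse_forti(FORTI_IKE_GATEWAY, FORTI_IPSEC_TUNNEL),
                          parse_asa(ASA_IKEV2_SA))
    for line in result or ["no findings"]:
        print("-", line)
```

The SPI comparison only means something when both outputs are captured at the same moment: in the comment above the ASA's SA had been active for 53 s while the FortiGate's was 453 s old, so a rekey in between would explain that difference on its own. The one-way-traffic check is the one that matters for the symptom described; paste real output into the three constants, the regexes tolerate the leading indentation of the original commands.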
