Technical Tip: How to setup IPsec VPN between FortiGate and Cisco Routers
Description
This article describes how to set up an IPsec VPN between a FortiGate and a Cisco router.
Scope
FortiGate.
Solution
Prerequisites:
- FortiGate (with basic configuration).
- Cisco router (with basic configuration).
- Internet connection on both ends.
Network Topology Overview:
Diagram showing the topology: FortiGate and Cisco router on different ends, connected via the internet with specific internal subnets behind them.

Configuration on the HO side (FortiGate):
VPN Configuration:
config vpn ipsec phase1-interface
edit "HO_Side"
set type static
set remote-gw 192.168.4.1
set authmethod psk
set psksecret "salon123"
set dhgrp 5
set peertype any
set proposal aes256-sha1
set interface wan
set nattraversal disable
set keylife 86400
next
end
config vpn ipsec phase2-interface
edit "HO_Phase2"
set phase1name "HO_Side"
set pfs enable
set dhgrp 5
set keylife-type seconds
set keylifeseconds 86400
set proposal aes256-sha1
set src-subnet 192.168.1.0/24
set dst-subnet 192.168.2.0/24
next
end
Note: It is important that the Phase 2 includes the specific subnets, and not 0.0.0.0/0. This configuration is not compatible with some Cisco devices. See this document for more information: IPsec VPN between a FortiGate and a Cisco ASA with multiple subnets.
Static Route Configuration:
config router static
edit 1
set dst 192.168.4.1/32
set gateway 192.168.3.2
set device "wan"
next
end
Firewall Policy Configuration:
config firewall policy
edit 1
set name "Outbound to HO_Side"
set srcintf "LAN" <-------- LAN refers to 192.168.1.0/24 Network.
set dstintf "HO_Side" <-------- HO_Side is the IPsec tunnel interface.
set action accept
set srcaddr "LAN Address" <-------- Address Object for LAN 192.168.1.0/24.
set dstaddr "Remote LAN Address" <-------- Address Object for Remote LAN 192.168.2.0/24.
set schedule "always"
set service "ALL"
next
end
config firewall policy
edit 2
set name "Inbound to HO_Side"
set srcintf "HO_Side" <-------- HO_Side is the IPsec tunnel interface.
set dstintf "LAN" <-------- LAN refers to 192.168.1.0/24 Network.
set action accept
set srcaddr "Remote LAN Address" <-------- Address Object for Remote LAN 192.168.2.0/24.
set dstaddr "LAN Address" <-------- Address Object for LAN 192.168.1.0/24.
set schedule "always"
set service "ALL"
next
end
Note:
- For more than one subnet under Phase 2 (both local and remote), it is recommended to configure each of them on a separate Phase 2: Technical Tip: IPsec VPN between FortiGate and other Vendor with multiple subnets
Branch Office Router (Cisco):
conf t
ip route 192.168.1.0 255.255.255.0 192.168.4.2
ip route 192.168.3.0 255.255.255.0 192.168.4.2
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp policy 1
encr aes 256 <-------- AES-256 to match the FortiGate Phase 1 proposal aes256-sha1 (plain 'encr aes' means AES-128 on IOS).
authentication pre-share
group 5
exit
conf t
crypto isakmp key salon123 address 192.168.3.1
exit
conf t
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 192.168.3.1
set pfs group5
set security-association lifetime seconds 86400
set transform-set VPN-TS
match address 100
interface GigabitEthernet0/0/0
ip address 192.168.2.1 255.255.255.0
no shutdown
interface GigabitEthernet0/0/1 <-------- Outgoing (internet-facing) interface.
ip address 192.168.4.1 255.255.255.0
no shutdown
crypto map VPN-MAP
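Most tunnel failures between these two platforms come from a parameter that differs on one side (encryption size, DH group, PSK, PFS, lifetime or the encryption domain). The following script, added here as an example and not part of the article or either vendor's tooling, parses the relevant lines of the FortiGate Phase 1/Phase 2 configuration and of the Cisco IOS crypto configuration above into one normalized form and reports every field that does not match. The embedded snippets are constructed from the article's own values; the Cisco side deliberately keeps 'encr aes' (AES-128 by default on IOS) so the check shows what an AES-256 mismatch looks like.

```python
import re

# Constructed from the article's own values. "encr aes" is kept as the article
# shows it; on IOS that means AES-128, which will not match proposal aes256-sha1.
FORTIGATE = """set psksecret "salon123"
set dhgrp 5
set proposal aes256-sha1
set pfs enable
set keylifeseconds 86400
set src-subnet 192.168.1.0/24
set dst-subnet 192.168.2.0/24"""
CISCO = """access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
encr aes
group 5
crypto isakmp key salon123 address 192.168.3.1
set pfs group5
set security-association lifetime seconds 86400"""

def _grab(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def wildcard_to_prefix(net, wild):
    # Cisco ACL wildcard 0.0.0.255 -> /24: count the zero bits of the wildcard.
    bits = sum(bin(255 - int(o)).count("1") for o in wild.split("."))
    return f"{net}/{bits}"

def parse_fortigate(text):
    g = lambda p: _grab(p, text)
    return {"enc": g(r"^set proposal (\w+)-"), "dhgrp": g(r"^set dhgrp (\d+)"),
            "psk": g(r'^set psksecret "([^"]+)"'),
            "pfs": g(r"^set pfs (\w+)") == "enable",
            "p2_lifetime": g(r"^set keylifeseconds (\d+)"),
            "local": g(r"^set src-subnet (\S+)"), "remote": g(r"^set dst-subnet (\S+)")}

def parse_cisco(text):
    g = lambda p: _grab(p, text)
    enc, size = re.search(r"^encr (\w+)(?: (\d+))?", text, re.M).groups()
    n1, w1, n2, w2 = re.search(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M).groups()
    return {"enc": enc + (size or "128"),  # IOS "encr aes" without a size is AES-128
            "dhgrp": g(r"^group (\d+)"), "psk": g(r"^crypto isakmp key (\S+) address"),
            "pfs": g(r"^set pfs group(\d+)") is not None,
            "p2_lifetime": g(r"^set security-association lifetime seconds (\d+)"),
            # The ACL is written from the Cisco side: its source is our remote subnet.
            "remote": wildcard_to_prefix(n1, w1), "local": wildcard_to_prefix(n2, w2)}

def mismatches(fgt, ios):
    """Keys whose values differ between the two parsed sides (empty = consistent)."""
    return sorted(k for k in fgt if fgt[k] != ios[k])
```

Running mismatches(parse_fortigate(FORTIGATE), parse_cisco(CISCO)) returns ['enc'] for the snippets as embedded; changing the Cisco line to 'encr aes 256' makes the list empty.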
Note:
The following are the two options for configuring the Cisco side, with IKEv1 or with IKEv2 (ASA-style syntax).
For IKEv1:
- Only secure policies have been provided below. If insecure settings such as MD5 hash or 3DES encryption are required, create a custom policy with a policy number higher than all those below.
Run 'show run crypto' to check whether the following are present:
crypto ikev1 policy 100
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 110
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
- Only secure transform-sets have been provided below. If insecure settings such as MD5 hash or 3DES encryption are required, create a custom transform-set.
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set AES192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP interface OUTSIDE
crypto isakmp identity address
crypto ikev1 enable OUTSIDE
Section 2: Syntax required for all new site-to-site VPN deployments:
object-group network VPN-LOCAL-2<xx>
network-object <LOCAL NETWORK>
network-object <LOCAL NETWORK>
object-group network VPN-REMOTE-2<xx>
network-object <REMOTE NETWORK>
network-object <REMOTE NETWORK>
Access list:
access-list 2<xx> permit ip object-group VPN-LOCAL-2<xx> object-group VPN-REMOTE-2<xx>
The following NAT statement is not used if the local encryption domain (VPN-LOCAL-2<xx>) is using public addresses.
nat (any,outside) source static VPN-LOCAL-2<xx> VPN-LOCAL-2<xx> destination static VPN-REMOTE-2<xx> VPN-REMOTE-2<xx> no-proxy-arp route-lookup
Create a Crypto map and a Tunnel.
crypto map VPNMAP 2<xx> match address 2<xx>
crypto map VPNMAP 2<xx> set peer <PEER IP>
crypto map VPNMAP 2<xx> set ikev1 transform-set <TRANSFORM-SET>
tunnel-group <PEER IP> type ipsec-l2l
tunnel-group <PEER IP> ipsec-attributes
ikev1 pre-shared-key <RANDOM 13 ALPHANUMERIC CHARACTERS OR CUSTOMER SPECIFIED>
Optional:
crypto map VPNMAP 2<xx> set security-association lifetime seconds 3600
crypto map VPNMAP 2<xx> set security-association lifetime kilobytes unlimited
crypto map VPNMAP 2<xx> set pfs group##
For IKEv2:
object-group network VPN-LOCAL-2<xx>
network-object <LOCAL NETWORK>
network-object <LOCAL NETWORK>
object-group network VPN-REMOTE-2<xx>
network-object <REMOTE NETWORK>
network-object <REMOTE NETWORK>
access-list 2<xx> permit ip object-group VPN-LOCAL-2<xx> object-group VPN-REMOTE-2<xx>
The following NAT statement is not used if the local encryption domain (VPN-LOCAL-2<xx>) is using public addresses.
nat (any,outside) source static VPN-LOCAL-2<xx> VPN-LOCAL-2<xx> destination static VPN-REMOTE-2<xx> VPN-REMOTE-2<xx> no-proxy-arp route-lookup
Only secure policies have been provided below. If insecure settings such as MD5 hash or 3DES encryption are required, create a custom policy with a policy number higher than all those below.
Only secure transform-sets have been provided below. If insecure settings such as MD5 hash or 3DES encryption are required, create and use a custom IPsec proposal.
crypto ikev2 policy 100
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256 sha
group 20 19 14 5 2
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-PROPOSAL
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-1
crypto ikev2 policy <#>
encryption aes-256 aes-gcm-192 aes-gcm
group 21 20 19
prf sha512 sha384 sha256
lifetime seconds 86400
crypto ikev2 policy <#>
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256
group 21 20 19
prf sha512 sha384 sha256
lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-SECURE
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-512 sha-384 sha-256
crypto map VPNMAP 2<xx> match address 2<xx>
crypto map VPNMAP 2<xx> set peer <PEER IP>
crypto map VPNMAP 2<xx> set ikev2 ipsec-proposal <IPSEC-PROPOSAL>
Optional:
crypto map VPNMAP 2<xx> set security-association lifetime seconds 3600
crypto map VPNMAP 2<xx> set security-association lifetime kilobytes unlimited
crypto map VPNMAP 2<xx> set pfs group##
crypto map VPNMAP interface OUTSIDE
crypto isakmp identity address
crypto ikev2 enable OUTSIDE
tunnel-group <PEER IP> type ipsec-l2l
tunnel-group <PEER IP> ipsec-attributes
ikev2 local-authentication pre-shared-key <RANDOM 13 ALPHANUMERIC CHARACTERS OR CUSTOMER SPECIFIED>
ikev2 remote-authentication pre-shared-key <RANDOM 13 ALPHANUMERIC CHARACTERS OR CUSTOMER SPECIFIED>
