Tank
New Member
April 4, 2014
Question

Fortigate IPSec tunnel with Cisco 2900 Router

Hello Everyone, New post for me. I have recently been tasked to build IPSec tunnels from our production Fortigate 5Ks to Cisco 2900 routers in diverse data centers over MPLS. While I understand the concepts and have built tunnels from Fortigate to Fortigate and Cisco to Cisco, I have not performed this operation between the two. I am also curious if anyone has not only implemented this configuration, but also built GRE tunnels to exchange BGP. Is there any need, or advantage, to utilize a different physical internal port on the Fortigate to terminate these tunnels, or use the existing internal port? Unfortunately this is one of those projects where management has to have it "yesterday" and to save time I wanted to reach out to the group and solicit advice. Thanks, George

    3 replies

    emnoc
    New Member
    April 10, 2014
    Yes it's possible and should be no different than any other cisco router. There's tons of examples on cisco.com, google or this site that you can follow. Just remember the proxy-ids on the fortigate need to match exactly the cisco ACL. A selector of 0.0.0.0/0:0 is not going to work. Define your local and remote subnets and please, please, please do this as phase{1-2}-interface and route-mode. Other gotchas to watch out for: on the cisco, if you are doing any SNAT, you will need to ensure you NONAT the vpn encryption traffic. So you might have to adjust the NAT access-list to include local-source to remote-network before your NATing.
    Tank (Author)
    New Member
    April 15, 2014
    Hello emnoc, Thanks for the reply. As you mentioned, I was able to locate information on the Fortinet Knowledge Base. I located a section within the FortiOS Handbook, specifically for 4.0 MR3. It is titled "GRE over IPsec (Cisco VPN) configurations" and I am using that as a test template. Unfortunately, I am experiencing issues with the Phase 1 negotiations and determined GRE is the cause. From the Fortigate GRE side I am unable to ping the far end GRE tunnel IP on the Cisco. At the moment I am trying to identify the specific "diag" commands to run that will allow me to examine the GRE operation. Once I get that figured out, I can then move to the IPsec process. Feel free to reply with any GRE diag commands. Thanks, George
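The FortiOS CLI checks below are an added example for the "which diag commands" question above; they are not part of the thread or of Fortinet's documentation. The peer address 192.0.2.1, the tunnel-side addresses 10.10.10.1/10.10.10.2 and the tunnel name are placeholders assumed for the example. The idea is to test each layer separately: first whether IKE is negotiating at all, then whether IPsec SAs and selectors exist, then whether GRE (IP protocol 47) packets are actually leaving or arriving, and only then whether the tunnel IPs answer.

```fortios
# Added example, not from the original post. Placeholders:
#   192.0.2.1      Cisco 2900 peer (IPsec/GRE endpoint)
#   10.10.10.2     this FortiGate's tunnel IP, 10.10.10.1 = Cisco Tunnel0
#   TO-CISCO-2900  name of the phase1-interface / GRE interface

# 1. Phase 1/2 negotiation: restrict the IKE daemon log to this peer,
#    then generate traffic toward the remote side and watch the output.
#    (4.x/5.x syntax; 6.2+ uses 'diagnose vpn ike log filter rem-addr4'.)
diagnose vpn ike log-filter dst-addr4 192.0.2.1
diagnose debug application ike -1
diagnose debug enable

# 2. Are there IKE gateways and IPsec SAs, and do the selectors (proxy IDs)
#    in 'tunnel list' match what the Cisco side is offering?
diagnose vpn ike gateway list
diagnose vpn tunnel list

# 3. Is GRE actually on the wire? Sniff protocol 47 to/from the peer on all
#    interfaces; verbosity 4 shows the interface name with every packet,
#    so you can tell an outbound GRE packet from a reply that never arrives.
diagnose sniffer packet any 'host 192.0.2.1 and proto 47' 4

# 4. Ping the far tunnel IP *sourced from* the local tunnel IP. Without
#    ping-options the FortiGate sources from the egress interface address,
#    which the Cisco may have no route (or no crypto selector) for.
execute ping-options source 10.10.10.2
execute ping 10.10.10.1

# 5. Confirm the remote prefix really points at the tunnel interface and not
#    at the MPLS/default route (a classic reason Phase 2 never triggers).
get router info routing-table all

# Turn the debug off when done; leaving ike -1 on a production 5K is noisy.
diagnose debug disable
diagnose debug reset
```

If step 1 shows no IKE traffic at all, the problem is routing or firewall policy in front of the tunnel, not IKE proposals; if IKE completes but step 3 shows GRE leaving and nothing returning, the Cisco side is either not routing the tunnel network back or is NATing/dropping protocol 47.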
    Phill_Proud
    New Member
    April 23, 2014
    It might be better if you post your (sanitized) configs here for both the FG and 2900 side. I have both interface mode and policy based tunnels between 2911s and FGs all over the place, as well as ASAs, Sonicwalls, etc. I'm sure we can point you in the right direction. This is an example of the Cisco side of a route based tunnel, protected by IPSEC. The Fortigate side should be pretty straight forward.
    ! Phase 1 (ISAKMP): AES-256, default hash SHA-1, DH group 5, PSK, 8 h lifetime
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
     lifetime 28800
    crypto isakmp key yourkeyhere address x.x.x.x
    !
    ! Phase 2 (IPsec): ESP AES-256 / SHA-1 HMAC, 8 h SA lifetime
    crypto ipsec transform-set TS-IPSEC-FG esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile IPSEC-FG
     set security-association lifetime seconds 28800
     set transform-set TS-IPSEC-FG
    !
    ! Route-based tunnel: a static VTI (tunnel mode ipsec ipv4), so whatever is
    ! routed into Tunnel0 gets encrypted; no crypto map or ACL needed
    interface Tunnel0
     description ** to Fortigate **
     ip address 10.10.10.1 255.255.255.0
     tunnel source FastEthernet1
     tunnel destination x.x.x.x
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile IPSEC-FG
    !
    ! Send the remote network into the tunnel
    ip route x.x.x.x 255.255.224.0 Tunnel0
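As an added example (not posted by anyone in the thread and not taken from Fortinet's handbook), here is the FortiGate side that pairs with the Cisco VTI config above, in interface (route-based) mode as emnoc recommends. Everything not in the Cisco snippet is an assumption made for the example: the FortiGate's outside interface is "port1", its LAN interface is "internal", the Cisco peer is 192.0.2.1, the FortiGate's own tunnel address is 10.10.10.2 (the Cisco has 10.10.10.1), the remote data-center prefix is 10.20.0.0/19, and the CLI syntax follows the FortiOS 4.0 MR3 / 5.0 era the thread is working in. The parameters are matched line by line to the Cisco isakmp policy and transform set, because a mismatch on any one of them is the usual cause of Phase 1 or Phase 2 failing.

```fortios
# Added example, not from the original thread. Assumed values:
#   port1 = FortiGate WAN, internal = FortiGate LAN, 192.0.2.1 = Cisco 2900,
#   10.10.10.2 = FortiGate tunnel IP, 10.20.0.0/19 = network behind the Cisco.

# Phase 1 in interface mode. Mirrors 'crypto isakmp policy 1':
# AES-256, SHA-1, DH group 5, pre-shared key, 28800 s lifetime.
config vpn ipsec phase1-interface
    edit "TO-CISCO-2900"
        set interface "port1"
        set ike-version 1
        set mode main
        set proposal aes256-sha1
        set dhgrp 5
        set keylife 28800
        set remote-gw 192.0.2.1
        set psksecret yourkeyhere
    next
end

# Phase 2 in interface mode. Mirrors the transform set
# 'esp-aes 256 esp-sha-hmac' and the 28800 s SA lifetime.
# The Cisco ipsec profile sets no 'set pfs', so PFS stays off here too;
# enable it on both ends or on neither.
# Selectors: a Cisco static VTI ('tunnel mode ipsec ipv4') proposes any/any
# proxy IDs, so 0.0.0.0/0 on both sides is what matches it and the static
# route decides what gets encrypted. If the Cisco instead used a crypto map
# with an ACL, src-subnet/dst-subnet must equal the ACL networks exactly.
config vpn ipsec phase2-interface
    edit "TO-CISCO-2900-P2"
        set phase1name "TO-CISCO-2900"
        set proposal aes256-sha1
        set pfs disable
        set keylifeseconds 28800
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Tunnel interface addressing, the counterpart of Tunnel0's
# 'ip address 10.10.10.1 255.255.255.0'. Needed for pinging the far end
# and for a BGP session across the tunnel.
config system interface
    edit "TO-CISCO-2900"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1
        set allowaccess ping
    next
end

# Counterpart of 'ip route x.x.x.x 255.255.224.0 Tunnel0'.
config router static
    edit 0
        set dst 10.20.0.0 255.255.224.0
        set device "TO-CISCO-2900"
    next
end

# Policies in both directions with NAT off. This is the FortiGate equivalent
# of emnoc's NONAT advice: if NAT were enabled here, traffic would be
# source-NATed to the port1 address before encryption and the far side would
# see the wrong source. (On 4.0 MR3 the service object is "ANY", not "ALL".)
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "TO-CISCO-2900"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set srcintf "TO-CISCO-2900"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Terminating the tunnel on the existing WAN-facing port (the `set interface` line) is the normal choice; the tunnel itself becomes its own logical interface, so a separate physical port only buys you something if you need to keep the MPLS traffic on different hardware or a different VDOM. Once the tunnel is up, BGP can peer directly between 10.10.10.1 and 10.10.10.2 over this interface without an additional GRE layer.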