yeowkm99
New Member
February 17, 2025
Question

IPSec tunnel with Cisco router

  • February 17, 2025
  • 2 replies
  • 789 views

We have an external vendor who has requested that we set up an IPsec tunnel with their Cisco router.

The requirement is for us to do NAT with the following static NAT address mapping table.

True IP (Our LAN)    NAT IP
10.200.xx.xx         10.229.xx.xx

Any issues if we use the following to set up the IPsec tunnel?

IKEv1

Phase 1 (lifetime 24 hours):

Authentication: SHA-256

Encryption: AES-256

Key Exchange operation security: DH-group-16 (4096 bit)

Phase 2 (lifetime 1 hour):

AH-Authentication: None

ESP-authentication: SHA-256

ESP-encryption: AES-256

PFS: DH-group-16 (4096 bit)

2 replies

Toshi_Esumi
SuperUser
February 17, 2025

Those IPsec parameters that you would configure in the FGT's IPsec config define how the IKE negotiation and the user data packets between the two parties are encrypted. They have to match the Cisco-side configuration to establish the tunnel.

NAT (SNAT), on the other hand, is done with a policy on the FGT, which wouldn't affect or be affected by the parameters above. However, the SNAT source IP you choose would affect the Phase 2 network selector configuration on both sides, so you need to have agreement with the external vendor on that as well.
You probably got those 10.229 NAT outside IPs from them.

Toshi
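As an added example (not taken from the thread, from Fortinet, or from the vendor), this FortiGate CLI fragment maps the posted parameters onto a route-based tunnel with a static 1:1 SNAT, and shows why the Phase 2 local selector carries the NAT IP rather than the true LAN IP. All names, interfaces, addresses (true host 10.200.1.10, NAT IP 10.229.1.10, vendor network 192.0.2.0/24, peer 203.0.113.1) and the PSK are constructed placeholders; the two address objects referenced by the policy and the static route for 192.0.2.0/24 over the tunnel interface are assumed to exist already.

```fortios
# Phase 1: IKEv1, AES-256/SHA-256, DH group 16, 24 h lifetime (constructed values)
config vpn ipsec phase1-interface
    edit "vendor-cisco"
        set interface "wan1"
        set ike-version 1
        set proposal aes256-sha256
        set dhgrp 16
        set keylife 86400
        set remote-gw 203.0.113.1
        set psksecret "REPLACE-WITH-AGREED-PSK"
    next
end

# Phase 2: ESP AES-256/SHA-256, PFS with DH group 16, 1 h lifetime.
# The local selector is the NAT IP (10.229.x.x), not the true LAN IP (10.200.x.x):
# the FortiGate translates the source before encapsulation, so that is all the
# Cisco peer ever sees and all its crypto ACL can match.
config vpn ipsec phase2-interface
    edit "vendor-cisco-p2"
        set phase1name "vendor-cisco"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16
        set keylifeseconds 3600
        set src-subnet 10.229.1.10 255.255.255.255
        set dst-subnet 192.0.2.0 255.255.255.0
    next
end

# Static 1:1 SNAT: a single-address pool, pinned to one true host by the
# policy's srcaddr so the mapping 10.200.1.10 -> 10.229.1.10 never changes
config firewall ippool
    edit "nat-10.229.1.10"
        set type one-to-one
        set startip 10.229.1.10
        set endip 10.229.1.10
    next
end

# Outbound policy into the tunnel interface, NAT enabled with the pool above.
# "host-10.200.1.10" and "vendor-remote-net" are assumed pre-existing address objects.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "vendor-cisco"
        set srcaddr "host-10.200.1.10"
        set dstaddr "vendor-remote-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "nat-10.229.1.10"
    next
end
```

If the Cisco side's crypto ACL or the Phase 2 selector is written with the 10.200 address instead of the 10.229 one, Phase 2 will not match even though Phase 1 comes up, so the agreed NAT table must be reflected in both peers' selectors.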

dingjerry_FTNT
Staff
February 17, 2025

Hi @yeowkm99 ,

The settings you are showing have nothing to do with NAT. As long as they are the same as the ones on the remote peer, it's fine.

For NAT configuration, please refer to this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-IPsec-VPN-with-NAT-on-FortiGate-to/ta-p/336029