This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.
Customer had a question about creating a route-based VPN between a Cisco ASA and a Fortigate. Traditionally, the ASA has been a policy-based VPN which in my case, is extremely outdated. With Route-Based VPNs, you have far more functionality such as dynamic routing. In the case of ASA, it only supports BGP across the VPN whereas Fortigate can do BGP and OSPF.
In this article, I will show the ASA configuration as well as the FortiGate Configuration.
The following code is based on the order it needs to be when initially entering the configs. It will not show up like this when you do the sh run
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac ! crypto ipsec profile FortiProfile set ikev1 transform-set ESP-AES-256-MD5 set pfs group5 set security-association lifetime kilobytes 10000 set security-association lifetime seconds 120 ! interface Tunnel100 nameif route-based ip address 10.225.1.1 255.255.255.252 tunnel source interface outside tunnel destination 12.1.1.6 tunnel mode ipsec ipv4 tunnel protection ipsec profile FortiProfile ! object network SEC1 subnet 10.221.1.0 255.255.255.0 ! object network SEC3 subnet 10.223.1.0 255.255.255.0 ! access-list crypto-to-SEC1 extended permit ip object SEC1 object SEC3 ! nat (inside,outside) source static SEC1 SEC1 destination static SEC3 SEC3 ! route route-based 10.221.1.0 255.255.255.0 10.255.1.2 1 ! crypto ikev1 policy 10 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 ! tunnel-group 12.1.1.6 type ipsec-l2l tunnel-group 12.1.1.6 ipsec-attributes ikev1 pre-shared-key Fortinet
Lets break this down:
The first thing you need to make sure is that your ASA is running the code that support VTI. I believe it is 9.7. I am not sure on the
If you do not already have a Transform-set
created, you will need to create one. I chose a random one I had already in the config. Your mileage may vary.
Next you will need to create the ipsec profile
. This defines the Phase II information for your VPN and will be reference later. You CAN re-use it in another VPN if the values are OK.
Once the ipsec profile
is created, you can create the tunnel interface
. You can use any number from 1 to 100. You will need to name the interface using the standard nameif
command. In my example, I used the name route-based
.
For the IP address, you will give it the IP address of the tunnel interface. That is the IP address that will be used as a point-to-point address between the ASA and the FortiGate.
The tunnel-group
defines the pre-shared key and is based on IP address of the peer.
On the ASA, you will need to define a non-nat
statement. Essentially this says to NAT SEC1
to SEC1
and SEC3
to SEC3
essentially saying that from SEC1 to SEC3 do NOT do NAT.
We will create a custom
VPN configuration
Since this is route-based, Phase II will be all 0
.
Ensure that you have the proper Phase I configuration
On the ASA, we had the Phase I configuration as follows:
crypto ikev1 policy 10 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400
Under the Policy & Objects
then Addresses
we will create the corresponding address object for the ASA LAN side (2.2.2.0
) and we will enable the Static Route Configuration
button which will allow us to create a static route that makes sense.
We are going to create a static route. We choose the Named Address
the drop down should show the object we created in the previous step.
Choose the VPN as the Interface.
The Fortigate will create a Tunnel Interface
and by default, it will have an IP of 0.0.0.0/0
Now create the policies. Make sure the reverse rules are in place.
Checking Tunnel Status
On the Cisco, you can do sh crypto isa sa
to see Phase I tunnels up.
To see the Phase II, you can type sh cryp ipse sa peer x.x.x
On the FortiGate
Go to Monitor
then IPsec Monitor
Hope this helps.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.