achu (Staff)
Article Id 357615
Description

This article describes the configuration of a basic IPsec tunnel between the FortiGate Firewall and the Cisco ASA Firewall.

Image-1.png

Scope

FortiOS, Cisco ASA.

Solution

Configuration on FortiGate.

Interface configuration:

config system interface
    edit "port1"
        set ip 200.1.1.1 255.255.255.252
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

IPsec VPN phase 1 configuration:

config vpn ipsec phase1-interface
    edit "FG_to_ASA"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha1
        set dhgrp 5
        set remote-gw 200.2.2.1
        set psksecret fortinet
    next
end

IPsec VPN phase 2 configuration:

config vpn ipsec phase2-interface
    edit "FG_to_ASA"
        set phase1name "FG_to_ASA"
        set proposal aes128-sha1
        set pfs disable
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

IPsec VPN interface configuration:

config system interface
    edit "FG_to_ASA"
        set type tunnel
        set interface "port1"
    next
end

Static route configuration:

config router static
    edit 1
        set gateway 200.1.1.2
        set device "port1"
    next
    edit 2
        set dst 192.168.20.0 255.255.255.0
        set device "FG_to_ASA"
    next
    edit 3
        set dst 192.168.20.0 255.255.255.0
        set blackhole enable
        set vrf 0
    next
end

Firewall address object configuration for local and remote networks:

config firewall address
    edit "local-network"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "remote-network"
        set subnet 192.168.20.0 255.255.255.0
    next
end

Firewall policy configuration:

config firewall policy
    edit 1
        set name "FG_to_ASA"
        set srcintf "port2"
        set dstintf "FG_to_ASA"
        set action accept
        set srcaddr "local-network"
        set dstaddr "remote-network"
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "ASA_to_FG"
        set srcintf "FG_to_ASA"
        set dstintf "port2"
        set action accept
        set srcaddr "remote-network"
        set dstaddr "local-network"
        set schedule "always"
        set service "ALL"
    next
end

Configuration on Cisco ASA.

Interface configuration:

interface eth 0
    ip address 200.2.2.1 255.255.255.252
    nameif outside
    security-level 0
    no shutdown
    exit
interface eth 1
    ip address 192.168.20.1 255.255.255.0
    nameif inside
    security-level 100
    no shutdown
    exit

Default route configuration:

route outside 0.0.0.0 0.0.0.0 200.2.2.2 1

NAT from local to Public Network configuration:

object network inside
    subnet 192.168.20.0 255.255.255.0
    nat (inside,outside) dynamic interface
    exit

Network object group configuration for local and remote networks:

object-group network local-network
    network-object 192.168.20.0 255.255.255.0
    exit
object-group network remote-network
    network-object 192.168.10.0 255.255.255.0
    exit

ACL matching the VPN traffic (referenced by the crypto map below) configuration:

access-list s2svpn extended permit ip object-group local-network object-group remote-network

NAT exempt configuration:

nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup

IKEv1 policy configuration:

crypto ikev1 policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 5
    lifetime 86400
    exit

Enable IKEv1 on outside interface configuration:

crypto ikev1 enable outside

Tunnel group configuration:

tunnel-group 200.1.1.1 type ipsec-l2l
tunnel-group 200.1.1.1 ipsec-attributes
    ikev1 pre-shared-key fortinet

IKEv1 Transform set configuration:

crypto ipsec ikev1 transform-set transform esp-aes esp-sha-hmac

Crypto map configuration:

crypto map cryptomap 10 match address s2svpn
crypto map cryptomap 10 set peer 200.1.1.1
crypto map cryptomap 10 set ikev1 transform-set transform

Apply crypto map on interface configuration:

crypto map cryptomap interface outside

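Most FortiGate-to-ASA tunnels that refuse to come up fail on one of a handful of parameters that the two vendors spell differently: the FortiOS proposal name aes128-sha1 corresponds to the ASA's "encryption aes" plus "hash sha" in phase 1 and to the transform-set "esp-aes esp-sha-hmac" in phase 2, "dhgrp 5" to "group 5", "set pfs disable" to a crypto map entry with no "set pfs", and the FortiGate's src-subnet/dst-subnet must be the mirror image of the ASA's local/remote object-groups. The Python script below is an added example (not part of this article and not a Fortinet or Cisco tool) that parses trimmed copies of the two configurations above and reports any of those parameters that disagree. It assumes the block layout shown on this page (an object-group based crypto ACL, an "interface ... nameif outside" block on the ASA), it compares the psksecret as typed here (a real FortiGate prints it encrypted), its proposal mapping covers only the AES-128/SHA-1 pair used in this article, and it treats a missing "set pfs" on the FortiGate as the FortiOS default, which is enable. It needs Python 3.8 or later.

```python
"""Cross-check the IKEv1 tunnel parameters of a FortiGate against its Cisco ASA peer."""
import re

# Constructed copies of this article's configuration, trimmed to the lines the check needs.
FORTIGATE_CONF = """config vpn ipsec phase1-interface
    edit "FG_to_ASA"
        set proposal aes128-sha1
        set dhgrp 5
        set remote-gw 200.2.2.1
        set psksecret fortinet
    next
end
config vpn ipsec phase2-interface
    edit "FG_to_ASA"
        set phase1name "FG_to_ASA"
        set proposal aes128-sha1
        set pfs disable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
"""
ASA_CONF = """interface eth 0
    ip address 200.2.2.1 255.255.255.252
    nameif outside
object-group network local-network
    network-object 192.168.20.0 255.255.255.0
object-group network remote-network
    network-object 192.168.10.0 255.255.255.0
access-list s2svpn extended permit ip object-group local-network object-group remote-network
crypto ikev1 policy 10
    encryption aes
    hash sha
    group 5
tunnel-group 200.1.1.1 ipsec-attributes
    ikev1 pre-shared-key fortinet
crypto ipsec ikev1 transform-set transform esp-aes esp-sha-hmac
crypto map cryptomap 10 set peer 200.1.1.1
"""
IKE_EQUIV = {"aes128-sha1": ("aes", "sha")}          # FortiOS phase 1 proposal -> ASA (encryption, hash)
ESP_EQUIV = {"aes128-sha1": "esp-aes esp-sha-hmac"}  # FortiOS phase 2 proposal -> ASA transform-set

def parse_fortios(text):
    """Map (table, entry) -> {key: value} for every 'edit' block of a FortiOS config."""
    out, table, entry = {}, None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "config":
            table = rest
        elif word == "edit":
            entry = out[(table, rest.strip('"'))] = {}
        elif word == "set":
            key, _, value = rest.partition(" ")
            entry[key] = value.strip('"')
    return out

def parse_asa(text):
    """Pull the tunnel-relevant values out of an ASA configuration excerpt."""
    asa, block = {"ifaces": {}, "groups": {}}, None
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():  # top-level command: starts a new block or ends the current one
            block = None
            if line.startswith("interface "):
                block = asa["ifaces"].setdefault(line[10:], {})
            elif line.startswith("object-group network "):
                block = asa["groups"].setdefault(line.split()[2], [])
            elif m := re.match(r"access-list \S+ extended permit ip object-group (\S+) object-group (\S+)", line):
                asa["acl"] = m.groups()  # (local, remote) object-groups as the ASA sees them
            elif m := re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)", line):
                asa["transform"] = m.group(1)
            elif m := re.match(r"crypto map \S+ \d+ set (peer|pfs)\s*(.*)", line):
                asa[m.group(1)] = m.group(2) or True  # a bare 'set pfs' still enables PFS
        elif isinstance(block, list):  # object-group member: 'network-object A M'
            block.append(line.partition(" ")[2])
        elif isinstance(block, dict):  # interface sub-command: 'nameif outside', 'ip address A M'
            block.update([line.partition(" ")[::2]])
        else:  # ikev1 policy / tunnel-group sub-commands, e.g. 'hash sha', 'ikev1 pre-shared-key K'
            key, _, value = (line[6:] if line.startswith("ikev1 ") else line).partition(" ")
            asa[key] = value
    return asa

def check_tunnel(fg_text, asa_text, name="FG_to_ASA"):
    """Return the list of mismatches between the two sides; an empty list means they agree."""
    fg, asa = parse_fortios(fg_text), parse_asa(asa_text)
    p1, p2 = fg[("vpn ipsec phase1-interface", name)], fg[("vpn ipsec phase2-interface", name)]
    outside = next(i for i in asa["ifaces"].values() if i.get("nameif") == "outside")
    asa_local, asa_remote = asa["acl"]
    checks = [
        (p1["remote-gw"] == outside["ip"].split()[1], "FortiGate remote-gw is not the ASA outside address"),
        (p1["psksecret"] == asa["pre-shared-key"], "pre-shared keys differ"),
        (IKE_EQUIV.get(p1["proposal"]) == (asa["encryption"], asa["hash"]), "phase 1 proposal differs"),
        (p1["dhgrp"] == asa["group"], "phase 1 DH group differs"),
        (ESP_EQUIV.get(p2["proposal"]) == asa["transform"], "phase 2 transform differs"),
        # FortiOS defaults pfs to enable and omits defaults from 'show' output, hence the fallback.
        ((p2.get("pfs", "enable") == "enable") == bool(asa.get("pfs")), "PFS enabled on one side only"),
        (p2["src-subnet"] in asa["groups"][asa_remote], "FortiGate src-subnet absent from ASA remote object-group"),
        (p2["dst-subnet"] in asa["groups"][asa_local], "FortiGate dst-subnet absent from ASA local object-group"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Against the two snippets as written, check_tunnel returns an empty list. Change the ASA policy to "group 2", or delete "set pfs disable" from the FortiGate phase 2 (which silently re-enables PFS), and the returned list names the exact parameter, which is quicker than reading both sides' IKE debug output to find it.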
Verification:

FortiGate Phase 1:

FortiGate # diagnose vpn ike gateway

vd: root/0
name: FG_to_ASA
version: 1
interface: port1 3
addr: 200.1.1.1:500 -> 200.2.2.1:500
tun_id: 200.2.2.1/::200.2.2.1
remote_location: 0.0.0.0
network-id: 0
created: 606s ago
peer-id: 200.2.2.1
peer-id-auth: no
IKE SA: created 1/1  established 1/1  time 10390/10390/10390 ms
IPsec SA: created 1/1  established 1/1  time 10790/10790/10790 ms

  id/spi: 35 c20d13dc1ebd6fbb/e6396cd9d4862984
  direction: initiator
  status: established 606-595s ago = 10390ms
  proposal: aes128-sha1
  key: ffdc6480b6badb0a-b4d3be2d16f834d2
  lifetime/rekey: 86400/85504
  DPD sent/recv: 00000000/71ef4085
  peer-id: 200.2.2.1


FortiGate Phase 2:

FortiGate # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=FG_to_ASA ver=1 serial=1 200.1.1.1:0->200.2.2.1:0 tun_id=200.2.2.1 tun_id6=::200.2.2.1 dst_mtu=1500 dpd-link=on weight=1
bound_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=6 olast=6 ad=/0
stat: rxp=5 txp=5 rxb=420 txb=420
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=FG_to_ASA proto=0 sa=1 ref=7 serial=1 auto-negotiate
  src: 0:192.168.10.0-192.168.10.255:0
  dst: 0:192.168.20.0-192.168.20.255:0
  SA:  ref=3 options=38003 type=00 soft=0 mtu=1438 expire=27758/0B replaywin=2048
       seqno=6 esn=0 replaywin_lastseq=00000005 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=28499/28800
  dec: spi=c77b6086 esp=aes key=16 89bcd651ca19a6a96f8d435c216c0877
       ah=sha1 key=20 190747ce1c4e660bf06cd1a518ac2178beb6ad19
  enc: spi=2c8f685c esp=aes key=16 492893917e3ca548627ab4c3b90812a6
       ah=sha1 key=20 34f17abc42e466a2315504c0b5d4be933fed846a
  dec:pkts/bytes=10/840, enc:pkts/bytes=10/1180
  npu_flag=00 npu_rgwy=200.2.2.1 npu_lgwy=200.1.1.1 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0


Cisco ASA Phase 1:

ciscoasa# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.1.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs


Cisco ASA Phase 2:

ciscoasa# show crypto ipsec sa
interface: outside
    Crypto map tag: cryptomap, seq num: 10, local addr: 200.2.2.1

      access-list s2svpn extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 200.1.1.1

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 200.2.2.1/0, remote crypto endpt.: 200.1.1.1/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: C77B6086
      current inbound spi : 2C8F685C

    inbound esp sas:
      spi: 0x2C8F685C (747595868)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: cryptomap
         sa timing: remaining key lifetime (sec): 28348
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000007D
    outbound esp sas:
      spi: 0xC77B6086 (3346751622)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: cryptomap
         sa timing: remaining key lifetime (sec): 28348
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
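The SPIs are the fastest way to confirm that both devices are describing the same pair of IPsec SAs: the FortiGate's enc SPI (2c8f685c) must be the ASA's current inbound SPI and the FortiGate's dec SPI (c77b6086) the ASA's current outbound SPI, which is exactly what the two outputs above show. The Python script below is an added example, not part of this article, that parses constructed excerpts of "diagnose vpn tunnel list" and "show crypto ipsec sa" (key material left out), verifies that SPI pairing, verifies that the traffic selectors mirror each other, and flags the situation where one side encrypts packets that the other side never decapsulates, which points at routing, NAT or policy rather than at the crypto. It assumes the line formats exactly as printed above; the labels "FG_to_ASA" (the FortiGate proxy-ID) and "cryptomap:10" (crypto map tag and sequence number) are the keys the parsers use for the entries. Python 3.8 or later is needed.

```python
"""Cross-check the live SA state reported by a FortiGate and a Cisco ASA for one tunnel."""
import ipaddress
import re

# Constructed excerpts of the verification output shown in this article (key material omitted).
FG_TUNNEL_LIST = """list all ipsec tunnel in vd 0
------------------------------------------------------
name=FG_to_ASA ver=1 serial=1 200.1.1.1:0->200.2.2.1:0 tun_id=200.2.2.1 dst_mtu=1500 dpd-link=on weight=1
proxyid=FG_to_ASA proto=0 sa=1 ref=7 serial=1 auto-negotiate
  src: 0:192.168.10.0-192.168.10.255:0
  dst: 0:192.168.20.0-192.168.20.255:0
  SA:  ref=3 options=38003 type=00 soft=0 mtu=1438 expire=27758/0B replaywin=2048
  dec: spi=c77b6086 esp=aes
  enc: spi=2c8f685c esp=aes
  dec:pkts/bytes=10/840, enc:pkts/bytes=10/1180
"""
ASA_IPSEC_SA = """interface: outside
    Crypto map tag: cryptomap, seq num: 10, local addr: 200.2.2.1
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 200.1.1.1
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      current outbound spi: C77B6086
      current inbound spi : 2C8F685C
"""

def parse_fortigate(text):
    """Per proxy-ID: selectors, SPIs and packet counters from 'diagnose vpn tunnel list'."""
    tunnels, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"proxyid=(\S+)", line):
            cur = tunnels[m.group(1)] = {}
        elif cur is None:
            continue  # header lines before the first proxy-ID
        elif m := re.match(r"(src|dst): \d+:([\d.]+)-([\d.]+):\d+", line):
            cur[m.group(1)] = (m.group(2), m.group(3))  # selector as (first, last) address
        elif m := re.match(r"(dec|enc): spi=([0-9a-f]+)", line):
            cur[m.group(1) + "_spi"] = m.group(2)
        elif m := re.match(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+", line):
            cur["dec_pkts"], cur["enc_pkts"] = int(m.group(1)), int(m.group(2))
    return tunnels

def parse_asa(text):
    """Per crypto-map entry: selectors, SPIs and counters from 'show crypto ipsec sa'."""
    entries, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"Crypto map tag: (\S+), seq num: (\d+)", line):
            cur = entries[f"{m.group(1)}:{m.group(2)}"] = {}
        elif cur is None:
            continue
        elif m := re.match(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", line):
            cur[m.group(1)] = (m.group(2), m.group(3))  # selector as (network, mask)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.match(r"current (outbound|inbound) spi ?: ([0-9A-Fa-f]+)", line):
            cur[m.group(1) + "_spi"] = m.group(2).lower()  # FortiGate prints SPIs in lowercase
    return entries

def range_to_networks(first, last):
    """Express a FortiGate first-last selector as the set of CIDR networks it covers."""
    return set(ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last)))

def cross_check(fg_text, asa_text, proxyid="FG_to_ASA", entry="cryptomap:10"):
    """Return mismatches between what the two sides report for the same IPsec SA pair."""
    fg, asa = parse_fortigate(fg_text)[proxyid], parse_asa(asa_text)[entry]
    asa_local = ipaddress.ip_network("/".join(asa["local"]))
    asa_remote = ipaddress.ip_network("/".join(asa["remote"]))
    findings = []
    # Selectors must be mirror images: FortiGate src <-> ASA remote ident, FortiGate dst <-> ASA local ident.
    if range_to_networks(*fg["src"]) != {asa_remote}:
        findings.append(f"FortiGate src selector {fg['src']} does not mirror ASA remote ident {asa_remote}")
    if range_to_networks(*fg["dst"]) != {asa_local}:
        findings.append(f"FortiGate dst selector {fg['dst']} does not mirror ASA local ident {asa_local}")
    # Each side's outbound SPI must be the other side's inbound SPI.
    if fg["enc_spi"] != asa["inbound_spi"]:
        findings.append(f"FortiGate outbound SPI {fg['enc_spi']} is not the ASA inbound SPI {asa['inbound_spi']}")
    if fg["dec_spi"] != asa["outbound_spi"]:
        findings.append(f"FortiGate inbound SPI {fg['dec_spi']} is not the ASA outbound SPI {asa['outbound_spi']}")
    # Packets encrypted on one side but never decapsulated on the other point at routing, NAT or policy.
    if fg["enc_pkts"] and not asa["decaps"]:
        findings.append("FortiGate encrypts traffic but the ASA decapsulates nothing")
    if asa["encaps"] and not fg["dec_pkts"]:
        findings.append("ASA encapsulates traffic but the FortiGate decrypts nothing")
    return findings
```

On the outputs above cross_check returns an empty list. The counters are compared only for zero against non-zero, because the two commands were not captured at the same instant (the article shows 10 packets on the FortiGate and 5 on the ASA), so exact equality would be a false alarm.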


Note:

When configuring an IPsec tunnel between a FortiGate and a third-party device (such as a Cisco ASA), it is suggested to configure a separate phase 2 for each subnet pair rather than placing multiple subnets in a single phase 2:

IPSec VPN between a FortiGate and a Cisco ASA with multiple subnets
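To make the per-pair layout concrete, the following Python helper is an added example (my own, not taken from this article or from the linked one) that expands lists of local and remote subnets into one FortiOS phase 2 entry per pair, together with the matching ASA crypto ACL lines written from the ASA's point of view (its local networks are the FortiGate's remote ones). The entry naming scheme <phase1>_p2_<n>, the aes128-sha1 proposal and "set pfs disable" are assumptions carried over from the configuration above; the two subnet lists in the usage are constructed.

```python
"""Generate one FortiOS phase 2 selector and one ASA crypto ACE per local/remote subnet pair."""
import itertools

def phase2_entries(phase1, fg_local, fg_remote, proposal="aes128-sha1"):
    """FortiOS 'config vpn ipsec phase2-interface' block: one entry per (local, remote) pair."""
    lines = ["config vpn ipsec phase2-interface"]
    for n, (src, dst) in enumerate(itertools.product(fg_local, fg_remote), start=1):
        lines += [
            f'    edit "{phase1}_p2_{n}"',  # assumed naming scheme: <phase1>_p2_<n>
            f'        set phase1name "{phase1}"',
            f"        set proposal {proposal}",
            "        set pfs disable",  # matches the ASA crypto map above, which sets no PFS
            f"        set src-subnet {src}",
            f"        set dst-subnet {dst}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)

def asa_crypto_acl(acl, fg_local, fg_remote):
    """ASA crypto ACL from the ASA's side: its local networks are the FortiGate's remote ones."""
    pairs = itertools.product(fg_remote, fg_local)  # yields (asa_local, asa_remote)
    return "\n".join(f"access-list {acl} extended permit ip {a} {b}" for a, b in pairs)

def subnet_pair_count(fg_local, fg_remote):
    """Number of phase 2 entries (and ACEs) the pairing produces."""
    return len(fg_local) * len(fg_remote)

if __name__ == "__main__":
    # Constructed example: two networks behind the FortiGate, one behind the ASA.
    local = ["192.168.10.0 255.255.255.0", "192.168.11.0 255.255.255.0"]
    remote = ["192.168.20.0 255.255.255.0"]
    print(phase2_entries("FG_to_ASA", local, remote))
    print(asa_crypto_acl("s2svpn", local, remote))
```

For two local and one remote subnet this emits two phase 2 entries and two ACEs. The ASA negotiates a separate IPsec SA for each ACE in the crypto ACL, so laying the FortiGate side out one pair per phase 2 gives both devices the same number of SAs with the same selectors, which is what the note above is getting at.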

 

 

Related documents:

config vpn ipsec phase1
config vpn ipsec phase 2