Description
This article describes how to set up an IPsec VPN between a FortiGate and a Cisco router.
Scope
FortiGate.
Solution
Prerequisites:
- FortiGate (with basic configuration).
- Cisco router (with basic configuration).
- Internet connection on both ends.
Network Topology Overview:
[Topology diagram] HO LAN 192.168.1.0/24 - FortiGate (WAN 192.168.3.1, ISP gateway 192.168.3.2) - Internet - Cisco router (outside interface 192.168.4.1, next hop 192.168.4.2) - Branch LAN 192.168.2.0/24. The addresses are the ones used in the configuration below.
Configuration on HO side (FortiGate):
VPN Configuration:
config vpn ipsec phase1-interface
edit "HO_Side"
set type static
set remote-gw 192.168.4.1
set authmethod psk
set psksecret "salon123"
set dhgrp 5
set peertype any
set proposal aes256-sha1 <-------- Must match the Cisco isakmp policy (AES-256 and SHA-1, DH group 5, lifetime 86400).
set interface wan
set nattraversal disable
set keylife 86400
next
end
config vpn ipsec phase2-interface
edit "HO_Phase2"
set phase1name "HO_Side"
set pfs enable
set dhgrp 5
set keylife-type seconds
set keylifeseconds 86400
set proposal aes256-sha1
set src-subnet 192.168.1.0/24
set dst-subnet 192.168.2.0/24
next
end
Static Route Configuration:
config router static
edit 1
set dst 192.168.4.1/32 <-------- Route to the Cisco peer via the ISP gateway.
set gateway 192.168.3.2
set device "wan"
next
edit 2
set dst 192.168.2.0/24 <-------- Route to the remote LAN via the IPsec tunnel interface; without it traffic never enters the tunnel.
set device "HO_Side"
next
end
Firewall Policy Configuration:
config firewall policy
edit 1
set name "Outbound to HO_Side"
set srcintf "LAN" <-------- LAN refers to 192.168.1.0/24 Network.
set dstintf "HO_Side" <-------- HO_Side is the IPsec tunnel interface.
set action accept
set srcaddr "LAN Address" <-------- Address Object for LAN 192.168.1.0/24.
set dstaddr "Remote LAN Address" <-------- Address Object for Remote LAN 192.168.2.0/24.
set schedule "always"
set service "ALL"
next
end
config firewall policy
edit 2
set name "Inbound to HO_Side"
set srcintf "HO_Side" <-------- HO_Side is the IPsec tunnel interface.
set dstintf "LAN" <-------- LAN refers to 192.168.1.0/24 Network.
set action accept
set srcaddr "Remote LAN Address" <-------- Address Object for Remote LAN 192.168.2.0/24.
set dstaddr "LAN Address" <-------- Address Object for LAN 192.168.1.0/24.
set schedule "always"
set service "ALL"
next
end
Note:
- For more than one subnet under Phase 2 (both local and remote), it is recommended to configure each of them on a separate Phase 2: Technical Tip: IPsec VPN between FortiGate and other Vendor with multiple subnets.
- Phase 1 and Phase 2 proposals, the DH/PFS group, the lifetimes and the pre-shared key must be identical on both ends, otherwise the negotiation fails. The values used here (AES-256, SHA-1, DH group 5, the key salon123) are example values: use a long, random pre-shared key and, where both devices support it, prefer SHA-256 and DH group 14 or higher.
- To verify the tunnel on the FortiGate, use 'diagnose vpn ike gateway list' (Phase 1) and 'diagnose vpn tunnel list' (Phase 2); on the Cisco router, use 'show crypto isakmp sa' and 'show crypto ipsec sa'.
Configuration on Branch Office side (Cisco router):
conf t
! Routes to the HO LAN and to the FortiGate WAN subnet via the ISP next hop.
ip route 192.168.1.0 255.255.255.0 192.168.4.2
ip route 192.168.3.0 255.255.255.0 192.168.4.2
! Interesting traffic: Branch LAN to HO LAN (mirror of the FortiGate Phase 2 selectors).
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
! Phase 1 (ISAKMP), matching the FortiGate proposal aes256-sha1, DH group 5, lifetime 86400.
! A bare "encr aes" means AES-128 on IOS and would not match aes256, so the key size is stated.
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
exit
! Pre-shared key for the FortiGate WAN address.
crypto isakmp key salon123 address 192.168.3.1
! Phase 2 (IPsec): AES-256/SHA-1 with PFS group 5 and lifetime 86400, as on the FortiGate.
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.168.3.1
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set VPN-TS
 match address 100
exit
! LAN interface.
interface GigabitEthernet0/0/0
 ip address 192.168.2.1 255.255.255.0
 no shutdown
! Outgoing (WAN) interface; the crypto map is applied here.
interface GigabitEthernet0/0/1
 ip address 192.168.4.1 255.255.255.0
 no shutdown
 crypto map VPN-MAP
end
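The most common reason a FortiGate-to-Cisco tunnel stays down is a parameter that differs between the two ends, and IOS defaults make this easy to miss (a bare "encr aes" is AES-128, the IPsec SA lifetime defaults to 3600 seconds while FortiOS uses 43200). The following script is an added example for this article, not Fortinet or Cisco code: it parses the two configuration fragments shown above (embedded here as constructed samples), normalizes the algorithm names of both vendors and reports every Phase 1/Phase 2 parameter that does not match. It only understands the commands used on this page; the names parse_fortigate, parse_cisco and compare are the script's own.

```python
"""Cross-check the FortiGate Phase 1/Phase 2 parameters against the Cisco IOS isakmp policy,
transform-set and crypto map. Added example for this article, not Fortinet or Cisco code; it
parses only the commands used on the page and applies the IOS defaults (see comments)."""
HASH = {"sha": "sha1"}  # IOS names SHA-1 "sha", FortiOS names it "sha1"

# Constructed sample: the FortiGate side as configured in the article.
FORTIGATE_CONFIG = """
config vpn ipsec phase1-interface
edit "HO_Side"
set dhgrp 5
set proposal aes256-sha1
next
end
config vpn ipsec phase2-interface
edit "HO_Phase2"
set dhgrp 5
set keylifeseconds 86400
set proposal aes256-sha1
next
end
"""
# Constructed sample: the Cisco side with a bare "encr aes" (AES-128 on IOS), which
# does not match the FortiGate Phase 1 proposal aes256-sha1.
CISCO_CONFIG_MISMATCH = """
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set VPN-TS
"""
# The same Cisco configuration with the AES key size stated explicitly.
CISCO_CONFIG_FIXED = CISCO_CONFIG_MISMATCH.replace("encr aes\n", "encr aes 256\n")

def parse_fortigate(text):
    """Collect the 'set' values of the phase1-interface and phase2-interface blocks."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config vpn ipsec phase"):
            current = sections.setdefault(line.split()[3].split("-")[0], {})
        elif line == "end":
            current = None
        elif current is not None and line.startswith("set "):
            _, key, value = line.split(" ", 2)
            current[key] = value.strip('"')
    return sections

def parse_cisco(text):
    """Collect the isakmp policy, transform-set and crypto map, with IOS defaults filled in."""
    out, context = {"isakmp": {"encr": "des", "hash": "sha", "group": "1"},
                    "map": {"pfs": "off", "security-association": "3600"}, "transform": []}, None
    for parts in (l.split() for l in text.splitlines() if l.strip()):
        head = " ".join(parts[:3])
        if head == "crypto isakmp policy":
            context = "isakmp"
        elif head == "crypto ipsec transform-set":
            out["transform"], context = parts[3:], None
        elif parts[0] == "crypto":  # any other global crypto command ends the policy block
            context = "map" if parts[1] == "map" else None
        elif context == "isakmp":
            out["isakmp"][parts[0]] = " ".join(parts[1:])
        elif context == "map" and parts[0] == "set":  # "set pfs group5" -> "5", lifetime -> seconds
            out["map"][parts[1]] = parts[-1].replace("group", "")
    return out

def norm_transform(tokens):  # "esp-aes 256 esp-sha-hmac" -> ("aes256", "sha1")
    enc = integ = None
    for i, tok in enumerate(tokens):
        if tok == "esp-aes":  # a bare esp-aes is AES-128
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            enc = "aes" + (nxt if nxt.isdigit() else "128")
        elif tok.endswith("-hmac"):
            integ = HASH.get(tok[4:-5], tok[4:-5])
    return enc, integ

def pick(cisco_group, fortigate_groups):  # FortiOS takes a list of groups; Cisco offers one
    return cisco_group if cisco_group in fortigate_groups else " ".join(fortigate_groups) or "off"

def compare(fgt_text, ios_text):
    """Return the list of mismatches between the two ends; an empty list means they agree."""
    fgt, ios = parse_fortigate(fgt_text), parse_cisco(ios_text)
    p1, p2, ike = fgt["phase1"], fgt["phase2"], ios["isakmp"]
    enc = ike["encr"].split()  # "aes" -> aes128, "aes 256" -> aes256, "3des" -> 3des
    c_enc1 = enc[0] + (enc[1] if len(enc) > 1 else "128" if enc[0] == "aes" else "")
    t_enc, t_integ = norm_transform(ios["transform"])
    f_pfs = p2.get("dhgrp", "14").split() if p2.get("pfs", "enable") == "enable" else []
    checks = [
        ("phase1 encryption", p1["proposal"].split("-")[0], c_enc1),
        ("phase1 hash", p1["proposal"].split("-")[1], HASH.get(ike["hash"], ike["hash"])),
        ("phase1 DH group", pick(ike["group"], p1.get("dhgrp", "14 5").split()), ike["group"]),
        ("phase2 encryption", p2["proposal"].split("-")[0], t_enc),
        ("phase2 integrity", p2["proposal"].split("-")[1], t_integ),
        ("phase2 PFS group", pick(ios["map"]["pfs"], f_pfs), ios["map"]["pfs"]),
        ("phase2 lifetime", p2.get("keylifeseconds", "43200"), ios["map"]["security-association"]),
    ]
    return [f"{name}: FortiGate={a} Cisco={b}" for name, a, b in checks if a != b]
```

Run against the constructed samples, compare() reports "phase1 encryption: FortiGate=aes256 Cisco=aes128" for the bare "encr aes" policy and nothing for the version with "encr aes 256". The pre-shared key is deliberately not compared: a FortiGate 'show' prints it encrypted, so it can only be checked by re-entering it on both devices.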