Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tank
New Contributor

Fortigate IPSec tunnel with Cisco 2900 Router

Hello Everyone, New post for me. I have recently been tasked to build IPsec tunnels from our production Fortigate 5Ks to Cisco 2900 routers in diverse data centers over MPLS. While I understand the concepts and have built tunnels from Fortigate to Fortigate and Cisco to Cisco, I have not performed this operation between the two. I am also curious if anyone has not only implemented this configuration, but also built GRE tunnels to exchange BGP. Is there any need, or advantage, to utilize a different physical internal port on the Fortigate to terminate these tunnels, or use the existing internal port? Unfortunately this is one of those projects where management has to have it "yesterday" and to save time I wanted to reach out to the group and solicit advice. Thanks, George
3 REPLIES
emnoc
Esteemed Contributor III

Yes, it's possible and should be no different than any other Cisco router. There's tons of examples on cisco.com, Google or this site that you can follow. Just remember the proxy-IDs on the Fortigate need to match the Cisco ACL exactly. A selector of 0.0.0.0/0:0 is not going to work. Define your local and remote subnets and please, please, please do this as phase{1-2}-interface and route-mode. Other gotchas to watch out for: on the Cisco, if you are doing any SNAT, you will need to ensure you NONAT the VPN encryption traffic. So you might have to adjust the NAT access-list to include local-source to remote-network before your NATing.

PCNSE 

NSE 

StrongSwan  

Tank
New Contributor

Hello emnoc, Thanks for the reply. As you mentioned, I was able to locate information on the Fortinet Knowledge Base. I located a section within the FortiOS Handbook, specifically for 4.0 MR3. It is titled "GRE over IPsec (Cisco VPN) configurations" and I am using that as a test template. Unfortunately, I am experiencing issues with the Phase 1 negotiations and have determined GRE is the cause. From the Fortigate GRE side I am unable to ping the far-end GRE tunnel IP on the Cisco. At the moment I am trying to identify the specific "diag" commands to run that will allow me to examine the GRE operation. Once I get that figured out, I can then move to the IPsec process. Feel free to reply with any GRE diag commands. Thanks, George
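An added troubleshooting sequence for the situation described in the post above; it is not part of the original thread or of the FortiOS Handbook. It uses FortiOS 5.x/6.x CLI spelling (4.0 MR3 and 7.x differ slightly, e.g. the IKE log filter is `log filter rem-addr4` on recent releases), and the names are assumptions: `to-cisco2900` is the phase1-interface, `gre_to_cisco` the GRE tunnel interface, 203.0.113.2 the Cisco peer address, and 10.10.10.1 / 10.10.10.2 the far and near GRE tunnel addresses. The order matters: an IKE SA has to exist before any GRE packet can be encrypted, so the IPsec layer is checked first and GRE only after it.

```fortios
# Added example (assumed names and addresses, see lead-in), run from the FortiGate CLI.

# 1. Phase 1: is there an IKE SA with the Cisco peer at all?
diagnose vpn ike gateway list name to-cisco2900

# 2. Phase 2: is there an ESP SA, and do the negotiated selectors
#    (src/dst subnets and protocol 47 for GRE-over-IPsec) match the Cisco ACL?
diagnose vpn tunnel list name to-cisco2900

# 3. If phase 1 is not coming up, trace the IKE exchange for this peer only
diagnose vpn ike log-filter dst-addr4 203.0.113.2
diagnose debug application ike -1
diagnose debug enable
#    ... bring the tunnel up (ping across it), read the proposal/ID mismatch lines, then:
diagnose debug disable
diagnose debug reset

# 4. GRE layer: confirm the GRE tunnel object and its local/remote gateways,
#    and that the GRE interface has the tunnel address assigned
show system gre-tunnel
diagnose ip address list | grep gre_to_cisco

# 5. Watch GRE (IP protocol 47) while pinging the far-end tunnel address;
#    packets in only one direction point at a selector, NAT or routing problem
diagnose sniffer packet any 'proto 47' 4 10

# 6. Ping the Cisco tunnel address sourced from the FortiGate tunnel address
execute ping-options source 10.10.10.2
execute ping 10.10.10.1

# 7. Routing: the Cisco GRE endpoint must be reachable via the IPsec interface
#    and the far tunnel prefix via the GRE interface, not the MPLS next hop
get router info routing-table all
```

If step 1 shows no gateway, nothing in steps 4 to 6 can succeed; the IKE trace in step 3 usually names the mismatch (proposal, DH group, pre-shared key or peer ID) directly.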
Phill_Proud
New Contributor

It might be better if you post your (sanitized) configs here for both the FG and 2900 side. I have both interface-mode and policy-based tunnels between 2911s and FGs all over the place, as well as ASAs, SonicWalls, etc. I'm sure we can point you in the right direction. This is an example of the Cisco side of a route-based tunnel, protected by IPsec. The Fortigate side should be pretty straightforward.
! ISAKMP (IKEv1 phase 1): AES-256, pre-shared key, DH group 5, 8-hour lifetime.
! The FortiGate phase 1 must use the same proposal, DH group and keylife.
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
!
! Pre-shared key for the FortiGate peer (x.x.x.x = FortiGate public address)
crypto isakmp key yourkeyhere address x.x.x.x
!
! Phase 2 transform set: ESP with AES-256 and HMAC-SHA1
crypto ipsec transform-set TS-IPSEC-FG esp-aes 256 esp-sha-hmac
!
! IPsec profile applied to the VTI; there is no "set pfs" here, so PFS is off
crypto ipsec profile IPSEC-FG
 set security-association lifetime seconds 28800
 set transform-set TS-IPSEC-FG
!
! Route-based VTI: everything routed into Tunnel0 is encrypted, no crypto ACL needed
interface Tunnel0
 description ** to Fortigate **
 ip address 10.10.10.1 255.255.255.0
 tunnel source FastEthernet1
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 ! the profile name must match the crypto ipsec profile defined above
 tunnel protection ipsec profile IPSEC-FG
!
! Static route for the network behind the FortiGate via the tunnel
ip route x.x.x.x 255.255.224.0 Tunnel0
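The FortiGate half of the VTI configuration posted above, as an added example that is not part of the original thread. It assumes FortiOS 6.x CLI syntax, `port1` as the FortiGate WAN interface, `port2` as its LAN, 203.0.113.2 as the Cisco tunnel endpoint, 10.20.0.0/19 as the network behind the router and 10.10.10.2 as the FortiGate end of the tunnel subnet; all of these are placeholders. Two points a practitioner needs to get right: the Cisco side is a VTI (`tunnel mode ipsec ipv4`), which negotiates 0.0.0.0/0 to 0.0.0.0/0 proxy IDs, so the FortiGate phase 2 keeps the default any/any selectors (emnoc's advice to mirror the ACL applies to a crypto-map peer, shown in the commented lines), and the Cisco profile sets no PFS group, so PFS has to be disabled on the FortiGate or phase 2 will fail. BGP can run directly across the IPsec interface without a GRE layer.

```fortios
# Added example (assumed interface names and addresses, see lead-in).

# Phase 1: mirrors "crypto isakmp policy 1" (AES-256, SHA1 default hash, group 5, 28800 s)
config vpn ipsec phase1-interface
    edit "to-cisco2900"
        set interface "port1"
        set ike-version 1
        set keylife 28800
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 203.0.113.2
        set psksecret yourkeyhere
    next
end

# Phase 2: mirrors the transform set and profile (ESP AES-256/SHA1, 28800 s, no PFS)
config vpn ipsec phase2-interface
    edit "to-cisco2900-p2"
        set phase1name "to-cisco2900"
        set proposal aes256-sha1
        set pfs disable
        set keylifeseconds 28800
        set auto-negotiate enable
        # VTI peer: keep the default any/any selectors
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
        # Crypto-map (ACL) peer instead: mirror the ACL exactly, e.g.
        # set src-subnet 10.1.0.0 255.255.0.0
        # set dst-subnet 10.20.0.0 255.255.224.0
    next
end

# Tunnel interface addressing: FortiGate end 10.10.10.2, Cisco end 10.10.10.1
config system interface
    edit "to-cisco2900"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.0
        set allowaccess ping
    next
end

# Route the remote network into the tunnel interface (counterpart of "ip route ... Tunnel0")
config router static
    edit 0
        set dst 10.20.0.0 255.255.224.0
        set device "to-cisco2900"
    next
end

# Policies are still required for traffic to flow; tighten srcaddr/dstaddr/service in production
config firewall policy
    edit 0
        set name "lan-to-cisco2900"
        set srcintf "port2"
        set dstintf "to-cisco2900"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "cisco2900-to-lan"
        set srcintf "to-cisco2900"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After applying it, `diagnose vpn tunnel list name to-cisco2900` should show one phase 2 with 0.0.0.0/0 selectors on both sides; if the Cisco rejects phase 2 with a proposal mismatch, PFS or the SA lifetime is the usual culprit.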