- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Cisco ASA <--> Fortigate Psec - Best possible ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco ASA <--> Fortigate Psec - Best possible cryptography?
Hello,
After fiddling with quite a few tunnels between Fortigates and ASAs, I have noticed that the ASAs only seem to accept/propose 3DES/SHA1 themselves for encryption/authentication. Is this due to that people doesn't patch their ASAs, and their firmware is archaic, or is it a setup error or an incompability with Fortigate?
I don't have an ASA in my lab unfortunatly... Will try to get one.
I have seen the same behavior at several customers - You get the IPsec settings from the IT department at the other end, and it contains a string of different encryption/authentication cryptos for you to setup in the Fortigate, but in reality, only 3DES/SHA1 is used, and a diagnose debug application ike -1 tells you that the ASA doesn't respond to, or offer anything else then 3DES/SHA1. Same goes for the phase 2 negotiations.
This hasn't been any issue with any other firewall brand I've setup tunnels to. Like Palo Alto, Watchguard, pfSense, Sophos etc. All of them can at least do AES256/SHA256.
If it's possible to get anything better running between an ASA and a Fortigate, I would love to know about it. IT department at other end usually responds with silence, or tells me Fortigate sucks when I ask why this is the case...
Richie
NSE7
Solved! Go to Solution.
Richie
NSE7
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Richie
kallbrandt wrote:After fiddling with quite a few tunnels between Fortigates and ASAs, I have noticed that the ASAs only seem to accept/propose 3DES/SHA1 themselves for encryption/authentication. Is this due to that people doesn't patch their ASAs, and their firmware is archaic, or is it a setup error or an incompability with Fortigate?
With older ASA(not -X models) Cisco used to charge you for any crypto capability above DES (oh yes they are greedy) and so if you buy a base model (K8 image) then you have to pay for "strong encryption" license or buy a SEC bundle (K9 image) model. Nowadays with X Models 3DES/AES "strong" license it's enabled even on base images and if you have a smartnet account you can obtain a "free" license for older models with K8 images. IIRC for SHA2 or above you should have at least 8.2.x firmware to support those hash algorithms.. Anyway since 3DES it's negotiated you have the SE license enabled, just show ver/show activation to get a confirmation, therefore if the tunnel does not come up at least with AES/SHA1 proposals there is something wrong on the config. Best regards, Antonio
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unless you have some older hardware, export-restricted and|or pre 8.4 code I would say either , it's not cfg correctly or have the right IKEv1 policy and|or transform-sets, or the person doing the work; "just do not known howto"
Here's one of my blog post , that I put together awhile back for ciscoASA --2----FGT
http://socpuppet.blogspot...inet-fortigate-to.html
Clearly in this example we are running AES. This was done on a simple ASA5505 and for that time was probably 8.4 or maybe 9.1.7 code.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Richie
kallbrandt wrote:After fiddling with quite a few tunnels between Fortigates and ASAs, I have noticed that the ASAs only seem to accept/propose 3DES/SHA1 themselves for encryption/authentication. Is this due to that people doesn't patch their ASAs, and their firmware is archaic, or is it a setup error or an incompability with Fortigate?
With older ASA(not -X models) Cisco used to charge you for any crypto capability above DES (oh yes they are greedy) and so if you buy a base model (K8 image) then you have to pay for "strong encryption" license or buy a SEC bundle (K9 image) model. Nowadays with X Models 3DES/AES "strong" license it's enabled even on base images and if you have a smartnet account you can obtain a "free" license for older models with K8 images. IIRC for SHA2 or above you should have at least 8.2.x firmware to support those hash algorithms.. Anyway since 3DES it's negotiated you have the SE license enabled, just show ver/show activation to get a confirmation, therefore if the tunnel does not come up at least with AES/SHA1 proposals there is something wrong on the config. Best regards, Antonio
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is this due to that people doesn't patch their ASAs, and their firmware is archaic, or is it a setup error or an incompability with Fortigate?
Not sure what/where you got that from. I have ipsec2 tunnesl sing AES128-256 awith sha1 in 9.2.x code or newier.
I being the latest codes allows sha2 384 ( aka 192bits ) or better and even ECC.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, I got that from me and my collegues own experience - We still haven't seen anything better then 3DES/SHA1 from an ASA, even though other side claims to have configured it. ASA is dead silent to all proposals, and only propose 3DES/SHA1 itself. And we're talking about a lot of ASAs, all handled by different companies. All of them are pretty reluctant to share both their ipsec config and their firmware version, they just tells us the Fortigate on our is broken... We handle something like 30 IPsec tunnels to different ASAs, in different countries. They all behave the same. Makes you wonder, doesn't it...
But It seems I can get ahold of a 5520 actually. It seems to me that the only plausable way forward is to test how it works myself so that we can suggest/demand a setup that we know is functional...
:)
Richie
NSE7
Richie
NSE7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unless you have some older hardware, export-restricted and|or pre 8.4 code I would say either , it's not cfg correctly or have the right IKEv1 policy and|or transform-sets, or the person doing the work; "just do not known howto"
Here's one of my blog post , that I put together awhile back for ciscoASA --2----FGT
http://socpuppet.blogspot...inet-fortigate-to.html
Clearly in this example we are running AES. This was done on a simple ASA5505 and for that time was probably 8.4 or maybe 9.1.7 code.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, I think it's actually all of the above - Old hardware, pre 8.4 code, wrong config, and dorks...
:)
Richie
NSE7
Richie
NSE7
Related Posts
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.