I need to create a VPN tunnel with the below-mentioned parameters (Site A to Site B).
Site A is fully configured; I need to configure Site B on a Fortinet firewall.
Parameter | SITE A | SITE B
---|---|---
Termination Equipment (type, OS version, etc…) | Cisco |
IKE Version | IKE Version 2 |
Encryption Algorithm | AES-256 |
Integrity (hash) algorithm | SHA-256 |
Peer Authentication Method | |
IKE Key exchange parameters (Diffie-Hellman group identifier) | DH-Group 14 |
IKE-established security association's lifetime (Phase-1) | 1800 (Sec) |
IP address of IPSEC peer | 192.168.7.3 | 192.168.247.122
Local IP Address(es) | Source/Natted/Tunnel IP address will be 10.12.157.98 /32 (Route Base VPN) |
DPD (Dead Peer Detection) | 20s |
**Phase II** | |
Encryption Algorithm | AES-256 |
Integrity (hash) algorithm | SHA-256 |
IKE Key exchange parameters (Diffie-Hellman group identifier) | DH-Group 14 |
IKE-established security association's lifetime (Phase-2) | 1800 (Sec) |
Services Allowed | |
Perfect Forward Secrecy | PFS |
Phase1:
config vpn ipsec phase1-interface
    edit "VPN Test"
        set interface "port1"
        set keylife 1800
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 192.168.7.3
        set psksecret ENC piXvQeygHtsE5kTWpQijutWZS+1X0VfMVFCDOXVYZCIXw+hGvkQ==
    next
end
Phase2:
config vpn ipsec phase2-interface
    edit "VPN Test"
        set phase1name "VPN Test"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 1800
        # x.x.x.x is the local subnet on the FortiGate side
        set src-subnet x.x.x.x 255.255.255.0
        # y.y.y.y is the local subnet on the Cisco side
        set dst-subnet y.y.y.y 255.255.255.0
    next
end
After this you need to create the required policy and route configuration to route traffic via the IPsec tunnel.
The static route will be to y.y.y.y/mask with the tunnel interface:
config router static
    edit 1
        set dst y.y.y.y 255.255.255.0
        set device "VPN Test"
    next
end
Note: Configuration may slightly vary depending on your setup.
The tunnel IP address (10.12.157.98/32) is not mandatory if you are not planning to run a dynamic routing protocol over the IPsec tunnel.
I hope this IP 192.168.247.122 is on the FortiGate firewall interface where the IPsec tunnel terminates.
If the above is still not clear to you, please send me a quick drawing of your intended setup with IP address & interface details and I can help you with the clarification.
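The following checker is an added example, not code from the thread or from Fortinet: it parses a FortiOS-style `config`/`edit`/`set`/`next`/`end` script and compares each tunnel entry against Site A's parameter table. It assumes the FortiOS attribute names `ike-version`, `dpd-retryinterval` and `pfs` for the IKE version, DPD interval and PFS requirements, and it reports any required attribute that is not explicitly set rather than guessing at firmware defaults.

```python
# Constructed sample: the thread's phase1/phase2 snippet (PSK and interface
# lines omitted); indentation and "#" comment lines are ignored by the parser.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "VPN Test"
        set keylife 1800
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 192.168.7.3
    next
end
config vpn ipsec phase2-interface
    edit "VPN Test"
        set phase1name "VPN Test"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 1800
    next
end
"""
# Site A's parameter table mapped onto FortiOS attribute names (assumed names).
REQUIRED = {
    "vpn ipsec phase1-interface": {"ike-version": "2", "proposal": "aes256-sha256",
                                   "dhgrp": "14", "keylife": "1800", "dpd-retryinterval": "20"},
    "vpn ipsec phase2-interface": {"proposal": "aes256-sha256", "dhgrp": "14",
                                   "keylifeseconds": "1800", "pfs": "enable"},
}

def parse_fortios(text):
    """Return {table: {entry: {attr: value}}} from config/edit/set/next/end lines."""
    tables, table, entry = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            table = tables.setdefault(line[7:], {})
        elif line.startswith("edit "):
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set "):
            attr, _, value = line[4:].partition(" ")
            entry[attr] = value.strip('"')
        # "next", "end", blank and "#" comment lines need no state change here
    return tables

def check(text, required=REQUIRED):
    """Return (table, entry, attr, wanted, found) for each required attribute that
    is absent (found is None) or differs; an empty list means the snippet complies."""
    problems = []
    for table, attrs in required.items():
        for name, settings in parse_fortios(text).get(table, {}).items():
            for attr, want in attrs.items():
                if settings.get(attr) != want:
                    problems.append((table, name, attr, want, settings.get(attr)))
    return problems
```

Run against the sample it flags the missing IKE version, DPD interval and PFS lines, which is exactly the gap between the posted snippet and Site A's table.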
Hello,
And what is the problem? Tunnel not coming up? Phase1? Phase2?
Created on 05-16-2023 01:17 AM Edited on 05-16-2023 01:17 AM
set src-subnet x.x.x.x 255.255.255.0 (x.x.x.x is the local subnet on the FortiGate side)
set dst-subnet y.y.y.y 255.255.255.0 (y.y.y.y is the local subnet on the Cisco side)
I am confused about:
IP address of IPSEC peer | 192.168.247.122
(internal2) Physical Interface 192.168.247.122/255.255.255.252
Local IP Address(es) | Source/Natted/Tunnel IP address will be 10.12.157.98 /32 (Route Base VPN)
Created on 05-16-2023 02:48 AM Edited on 05-16-2023 03:23 AM
@saneeshpv_FTNT
Actually this is a bit complicated scenario, that's why I am a bit confused. The Site A location has sent me the connectivity details, and the Site B columns (IP address of IPSEC peer & Local IP Address(es)) are provided by Site A.
Based on the scenario, the above configuration should suffice to achieve your requirement. The local IP address/tunnel IP address may not be required if you don't have plans to run a dynamic routing protocol like OSPF over the IPsec tunnel.
Please proceed to configure the tunnel and let me know if you face any issue. Make sure you have the firewall policies and routing in place to allow traffic through the IPsec tunnel.
next
node_check_object fail! for interface
Attribute 'interface' MUST be set.
Command fail. Return code 1
Please use the correct interface applicable to your setup, which I believe is wan1 and not port1.
Thanks
Phase2:
What will the X & Y IPs be?
set src-subnet x.x.x.x 255.255.255.0 (x.x.x.x is the local subnet on the FortiGate side)
set dst-subnet y.y.y.y 255.255.255.0 (y.y.y.y is the local subnet on the Cisco side)