Just FYI in case you encounter this situation in the future; I didn't find anything about it in the forum.
I've been testing IKEv2 IPsec VPN between an FG1500D and a Cisco 1941 but couldn't bring it up when the 1941 was placed behind a NAT device (meaning Cisco is the initiator). In addition to NAT-T, the problem comes with Cisco's static VTI/route-based IPsec (Tunnel0 interface). If I use a crypto map (policy-based), it comes up with the FG's route/interface-based IPsec.
Today, I got both Cisco TAC and Fortinet TAC on a call with remote access to my PC, and we concluded that Cisco sends out all Configuration Payload request options regardless of whether they're relevant to the setup or not, and the FG tries to process them, like IP/DNS requests, although those are relevant only for "dial-up" VPN, and then drops the request because "mode-cfg" is not enabled (not needed for a static site-to-site VPN). Based on the original RFC, the recipient is supposed to return an error reply if it's not relevant instead of dropping the request.
In addition to the crypto map solution above, another workaround is to just enable mode-cfg on the FG side to reply to Cisco with some info, which would be dropped by Cisco eventually because it's not expecting to receive any return values.
FTNT TAC said he would go back to the RFCs and discuss the matter with developers. We tested only with 5.4.8, but I'm assuming 5.6.3 has the same behavior. I'll post an update when he gets back to me.
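As an added example (not from this thread and not from either vendor), here is a small decoder for the IKEv2 Configuration payload (CP, payload type 47, RFC 7296 §3.15) that the post above describes the Cisco sending in a site-to-site exchange. It shows what a responder is actually being asked for, so a drop like the one the FG produced can be checked against a packet capture instead of guessed at. The sample request is constructed to resemble the described case (address, netmask, DNS and NBNS requests plus APPLICATION_VERSION, all with empty values); it is not a real Cisco capture. The split into attributes that "need an address pool" is this example's own classification, not a term from the RFC or FortiOS.

```python
"""Decode IKEv2 Configuration payloads (RFC 7296 §3.15).

Added example, not from the forum thread or either vendor. Wire format:
  generic payload header : Next Payload (1) | C+Reserved (1) | Payload Length (2)
  CP header              : CFG Type (1) | Reserved (3)
  attributes             : R bit + 15-bit Type (2) | Length (2) | Value (Length)
"""
import struct

CFG_TYPES = {1: "CFG_REQUEST", 2: "CFG_REPLY", 3: "CFG_SET", 4: "CFG_ACK"}

# Attribute types from RFC 7296 §3.15.1 (5, 9 and 11 are reserved).
ATTR_NAMES = {
    1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK", 3: "INTERNAL_IP4_DNS",
    4: "INTERNAL_IP4_NBNS", 6: "INTERNAL_IP4_DHCP", 7: "APPLICATION_VERSION",
    8: "INTERNAL_IP6_ADDRESS", 10: "INTERNAL_IP6_DNS", 12: "INTERNAL_IP6_DHCP",
    13: "INTERNAL_IP4_SUBNET", 14: "SUPPORTED_ATTRIBUTES", 15: "INTERNAL_IP6_SUBNET",
}

# This example's own grouping: attributes a responder can only answer if it runs
# an address pool (remote-access / "mode-cfg" style), which a static site-to-site
# responder does not.
POOL_ATTR_TYPES = {1, 2, 3, 4, 6, 8, 10, 12, 13, 15}
POOL_ATTR_NAMES = {ATTR_NAMES[t] for t in POOL_ATTR_TYPES}


def build_cp(cfg_type, attrs, next_payload=0):
    """Encode one CP payload; attrs is a list of (attribute_type, value_bytes)."""
    body = b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)
    length = 8 + len(body)                      # generic header (4) + CP header (4) + attributes
    generic = struct.pack("!BBH", next_payload, 0, length)   # critical bit clear
    return generic + struct.pack("!B3x", cfg_type) + body


def parse_cp(data):
    """Return (cfg_type_name, [(attr_name, value_bytes), ...]); ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("CP payload shorter than its fixed headers")
    _next_payload, _flags, length = struct.unpack("!BBH", data[:4])
    if length < 8 or length > len(data):
        raise ValueError("payload length %d does not fit the buffer" % length)
    cfg_type = data[4]
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header at offset %d" % off)
        raw_type, alen = struct.unpack("!HH", data[off:off + 4])
        atype = raw_type & 0x7FFF               # high bit is reserved and ignored
        if off + 4 + alen > length:
            raise ValueError("attribute %d overruns the payload" % atype)
        value = data[off + 4:off + 4 + alen]
        attrs.append((ATTR_NAMES.get(atype, "UNKNOWN(%d)" % atype), value))
        off += 4 + alen
    return CFG_TYPES.get(cfg_type, "UNKNOWN(%d)" % cfg_type), attrs


def is_well_formed(data):
    """True if the buffer parses as a single, internally consistent CP payload."""
    try:
        parse_cp(data)
        return True
    except ValueError:
        return False


def triage_request(data):
    """Split a CFG_REQUEST into attributes that need an address pool and the rest."""
    cfg_type, attrs = parse_cp(data)
    if cfg_type != "CFG_REQUEST":
        raise ValueError("expected CFG_REQUEST, got %s" % cfg_type)
    return {
        "needs_address_pool": [n for n, _ in attrs if n in POOL_ATTR_NAMES],
        "other": [n for n, _ in attrs if n not in POOL_ATTR_NAMES],
    }


# Constructed sample: an initiator asking for everything, values empty as in a request.
SAMPLE_REQUEST = build_cp(1, [(1, b""), (2, b""), (3, b""), (4, b""), (7, b"")])
# Constructed sample reply carrying only a version string.
SAMPLE_REPLY = build_cp(2, [(7, b"responder-example/1.0")])

if __name__ == "__main__":
    print(parse_cp(SAMPLE_REQUEST))
    print(triage_request(SAMPLE_REQUEST))
    print(parse_cp(SAMPLE_REPLY))
```

Run against the payload bytes pulled from a capture of the IKE_AUTH exchange (after decryption), the triage output tells you whether the peer is asking only for pool items, which is the situation the thread describes; feeding a truncated buffer to is_well_formed() returns False rather than raising.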
I know it's beyond this forum, but at least one person was interested in this situation, so I want to update how my pursuit ended up on the Cisco side.
It turned out that Cisco had thought this out much more thoroughly and implemented various options for how to negotiate IKEv2 with a peer. For my case, it just needed disabling the Configuration Request by adding:
 no config-exchange request
at the end of the IKEv2 profile ikev2prof above. It's enabled by default for both FlexVPN (dial-up endpoint) and even static VTI tunnels.
Now it works without "mode-cfg" enabled on the FG side.
Hi Toshi,
I'm getting the same problem setting up a Cisco ASA 5515 with an FG200D. Bringing up the tunnel in IKEv2 has been impossible; only IKEv1 works for me, but the Cisco supports IKEv2. Could you please share a Cisco configuration or template that works for you with IKEv2 and an FG? Thank you.
It's in my post before the last. You just need to add "no config-exchange request" to it. But I know the ASA config is different, and I don't have much experience with it. You might want to ask this at the Cisco Community (they dropped "Support" from the community name and split it into multiple sub-communities).
Toshi, your post on this subject is very interesting. If it is not too much trouble, would it be possible for you to share the configuration of the FortiGate?
Thanks in advance
After I posted the Cisco config last year, we discovered a problem. IPsec's DH group and PFS setting is independent from IKEv2's DH group. It was dropping the tunnel when the lifetime expired and then re-establishing it. So we added the line marked below:
crypto ipsec profile ipsecprof
 set transform-set trans
 set pfs group19             <--- added
 set ikev2-profile ikev2prof
The FortiGate side doesn't change much for IKEv2. You just need to declare that it's IKEv2. Below is our example:
config vpn ipsec phase1-interface
    edit "IKEv2test1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 19
        set remote-gw <GW_IP>
        set psksecret <ENCRYPTED_PASSWORD>
    next
end
config vpn ipsec phase2-interface
    edit "IKEv2test1-1"
        set phase1name "IKEv2test1"
        set proposal aes256-sha256
        set keepalive enable
        set dhgrp 19
    next
end
Hello Toshi, thank you for your fast response.
In my case, the configuration phases work very well; the problem is that even though the VTI tunnel is "up", it seems to be "closed" and does not allow communication.
The topology that I have is: FortiGate <> Internet <> ADSL ISP Router <> Cisco Router
The intention is to achieve the VPN connection through NAT-T and use OSPF.
I see the VPN tunnel up by means of the configuration that you kindly shared, but it does not let traffic through: OSPF does not pass, and neither does traffic via a static route.
Is some configuration command missing from the VTI interface to allow full connectivity?
Attached is the full configuration of the FortiGate side, and the Cisco configuration.
Thanks in advance for your advice and for sharing your knowledge.
FortiGate Side:
config system interface
    edit "VPN-Cisco"
        set vdom "root"
        set vrf 0
        set distance 5
        set dhcp-relay-service disable
        set ip 172.16.0.25 255.255.255.255
        set allowaccess ping
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set icmp-send-redirect enable
        set icmp-accept-redirect enable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type tunnel
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set egress-shaping-profile ''
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set remote-ip 172.16.0.26 255.255.255.255
        set description ''
        set alias ''
        set l2tp-client disable
        set security-mode none
        set captive-portal 0
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set role undefined
        set snmp-index 7
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            set ip6-address ::/0
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set wccp disable
        set interface "port4"
    next
end
config vpn ipsec phase1-interface
    edit "VPN-Cisco"
        set type dynamic
        set interface "port4"
        set ip-version 4
        set ike-version 2
        set local-gw 0.0.0.0
        set keylife 3600
        set authmethod psk
        unset authmethod-remote
        set peertype any
        set exchange-interface-ip disable
        set mode-cfg disable
        set proposal aes256-sha256
        set add-route enable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-idle
        set forticlient-enforcement disable
        set comments ''
        set dhgrp 19
        set suite-b disable
        set eap disable
        set ppk disable
        set wizard-type custom
        set reauth disable
        set group-authentication disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set rekey enable
        set enforce-unique-id disable
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set net-device disable
        set tunnel-search selectors
        set psksecret ENC <PRE SHARED KEY>
        set keepalive 10
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "VPN-Cisco-Ph2"
        set phase1name "VPN-Cisco"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 19
        set replay disable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set dhcp-ipsec disable
        set keylifeseconds 3600
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config firewall policy
    edit 0
        set name ''
        set srcintf "port1"
        set dstintf "VPN-Cisco"
        set srcaddr <LOCAL_LAN>
        set dstaddr <REMOTE_LAN>
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        set dscp-match disable
        set utm-status disable
        set logtraffic utm
        set logtraffic-start disable
        set capture-packet disable
        set wanopt disable
        set webcache disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set label ''
        set global-label ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-protocol-options "default"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat disable
        set match-vip disable
    next
    edit 0
        set name ''
        set srcintf "VPN-Cisco"
        set dstintf "port1"
        set srcaddr <REMOTE_LAN>
        set dstaddr <LOCAL_LAN>
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        set dscp-match disable
        set utm-status disable
        set logtraffic utm
        set logtraffic-start disable
        set capture-packet disable
        set wanopt disable
        set webcache disable
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set label ''
        set global-label ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-protocol-options "default"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat disable
        set match-vip disable
    next
end
config router ospf
    set abr-type standard
    set auto-cost-ref-bandwidth 1000
    set distance-external 110
    set distance-inter-area 110
    set distance-intra-area 110
    set database-overflow disable
    set database-overflow-max-lsas 10000
    set database-overflow-time-to-recover 300
    set default-information-originate disable
    set default-information-metric 10
    set default-information-metric-type 2
    set default-information-route-map ''
    set default-metric 10
    set distance 110
    set rfc1583-compatible disable
    set router-id <W.X.Y.Z ROUTER ID>
    set spf-timers 5 10
    set bfd disable
    set log-neighbour-changes enable
    set distribute-list-in ''
    set distribute-route-map-in ''
    set restart-mode none
    set restart-period 120
    config area
        edit 0.0.0.0
            set shortcut disable
            set authentication none
        next
    end
    config ospf-interface
        edit "OSPF-CISCO-NAT-T"
            set interface "VPN-Cisco"
            set ip 0.0.0.0
            set authentication none
            set prefix-length 0
            set retransmit-interval 5
            set transmit-delay 1
            set cost 0
            set priority 1
            set dead-interval 40
            set hello-interval 10
            set hello-multiplier 0
            set database-filter-out disable
            set mtu 0
            set mtu-ignore enable
            set network-type point-to-point
            set bfd global
            set status enable
            set resync-timeout 40
        next
    end
    config network
        edit 1
            set prefix 172.16.0.24 255.255.255.252
            set area 0.0.0.0
        next
        edit 2
            set prefix <LAN_LOCAL> 255.255.255.0
            set area 0.0.0.0
        next
    end
    config redistribute "connected"
        set status disable
        set metric 0
        set routemap ''
        set metric-type 2
        set tag 0
    end
    config redistribute "static"
        set status disable
        set metric 0
        set routemap ''
        set metric-type 2
        set tag 0
    end
    config redistribute "rip"
        set status disable
        set metric 0
        set routemap ''
        set metric-type 2
        set tag 0
    end
    config redistribute "bgp"
        set status disable
        set metric 0
        set routemap ''
        set metric-type 2
        set tag 0
    end
    config redistribute "isis"
        set status disable
        set metric 0
        set routemap ''
        set metric-type 2
        set tag 0
    end
end
Cisco Side:
crypto ikev2 proposal ikev2prop-1
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy ikev2pol
 proposal ikev2prop-1
!
crypto ikev2 keyring ikev2keyring
 peer <CENTRAL-FG>
  address <PUBLIC IP ADDRESS>
  pre-shared-key <PRE SHARED KEY>
!
!
!
crypto ikev2 profile ikev2prof
 match identity remote address <PUBLIC IP ADDRESS> 255.255.255.255
 identity local address <CISCO IP ADDRESS AT LAN SIDE OF ISP ROUTER>
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2keyring
 lifetime 3600
 dpd 15 5 periodic
 nat keepalive 180
 no config-exchange request
!
crypto ipsec transform-set trans esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile ipsecprof
 set transform-set trans
 set pfs group19
 set ikev2-profile ikev2prof
!
interface Tunnel0
 ip address 172.16.0.26 255.255.255.252
 ip ospf network point-to-point
 ip ospf mtu-ignore
 tunnel source <WAN INTERFACE>
 tunnel mode ipsec ipv4
 tunnel destination <PUBLIC IP ADDRESS>
 tunnel protection ipsec profile ipsecprof
!
router ospf 1
 router-id <W.X.Y.Z IP REMOTE ROUTER ID>
 network 172.16.0.24 0.0.0.3 area 0.0.0.0
 network <REMOTE LAN> 0.0.0.255 area 0.0.0.0
!
Some show commands:
Cisco#sh int tun0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 172.16.0.26/30

Cisco#ping
Protocol [ip]:
Target IP address: 172.16.0.25        ### Fortigate Side VTI Address ###
Repeat count [5]: 10
Datagram size [100]: 36
Timeout in seconds [2]: 1
Extended commands
What do you see in "sh cry ses" on the cisco?
This is the output:
Cisco#show crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: <Fortigate Public IP> port 4500
  IKEv2 SA: local <Cisco IP Address at LAN side of ISP router>/4500 remote <Fortigate Public IP>/4500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
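The session above sits on UDP 4500 on both ends, which is the NAT-T port that the FortiGate's "set nattraversal enable" and the Cisco's "nat keepalive 180" are about. As an added example (not from this thread and not from either vendor), here is how the two peers reach that decision in IKE_SA_INIT per RFC 7296 §2.23: each side sends NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies containing SHA-1(SPIi || SPIr || IP || port) over the addresses it believes it is using, and the receiver recomputes the digest from what it actually saw on the wire; a mismatch means a NAT rewrote the header. The SPIs and the RFC 5737 documentation addresses in the demo are constructed values, and the "Cisco behind the ISP router" scenario is taken from the topology described in this thread.

```python
"""IKEv2 NAT detection digests, RFC 7296 §2.23. Added example, not vendor code."""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1 over both 8-byte SPIs (header order), the packed IP and the 2-byte port.

    ipaddress handles IPv4 (4 bytes) and IPv6 (16 bytes) alike, as the RFC requires.
    """
    packed_ip = ipaddress.ip_address(ip).packed
    data = struct.pack("!QQ", spi_i, spi_r) + packed_ip + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(received_hashes, spi_i, spi_r, observed_ip, observed_port):
    """Receiver-side check of the peer's NAT_DETECTION_SOURCE_IP notifies.

    A sender may include several digests (one per address it might be using);
    NAT is inferred only when none of them matches the observed source.
    """
    expected = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return expected not in received_hashes


def demo():
    """Constructed scenario: initiator on a private address, responder sees the NAT's."""
    spi_i = 0x1122334455667788          # constructed initiator SPI
    spi_r = 0                           # SPIr is zero in the initiator's IKE_SA_INIT request
    # The initiator (the Cisco behind the ISP router) hashes its own address and UDP 500.
    sent = [nat_detection_hash(spi_i, spi_r, "192.0.2.10", 500)]
    # The responder (the FortiGate) sees the ISP router's public address instead.
    behind_nat = nat_detected(sent, spi_i, spi_r, "198.51.100.7", 500)
    # Same initiator with no NAT in the path: digests agree, IKE can stay on UDP 500.
    direct = nat_detected(sent, spi_i, spi_r, "192.0.2.10", 500)
    return behind_nat, direct


if __name__ == "__main__":
    print("NAT detected behind ISP router:", demo()[0])
    print("NAT detected on direct path:   ", demo()[1])
```

When the check returns True, both peers switch the IKE SA and the ESP traffic to UDP 4500 (ESP in UDP), which is why the local and remote ports in the output above read 4500 rather than 500, and why the Cisco's "nat keepalive" timer is relevant: it keeps the NAT device's mapping for that port alive between packets.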
Copyright 2025 Fortinet, Inc. All Rights Reserved.