IPSec tunnel with Cisco router
We have an external vendor who requested us to set up an IPsec tunnel with their Cisco router.
The requirement is for us to do NAT with the following static NAT address mapping table.

| True IP (Our LAN) | NAT IP |
|-------------------|--------------|
| 10.200.xx.xx | 10.229.xx.xx |

Any issues if we use the following to set up the IPsec tunnel?
IKEv1
Phase 1 (lifetime 24 hours):
- Authentication: SHA-256
- Encryption: AES-256
- Key exchange operation security: DH group 16 (4096 bit)
Phase 2 (lifetime 1 hour):
- AH authentication: None
- ESP authentication: SHA-256
- ESP encryption: AES-256
- PFS: DH group 16 (4096 bit)
Labels: FortiGate
Those IPsec parameters that you would configure in the FGT's IPsec config define how to encrypt the IKE negotiation and the user data packets between the two parties. They have to match the Cisco side configuration to establish the tunnel.
NAT (SNAT), on the other hand, is done with a policy on the FGT, which wouldn't affect or be affected by the parameters above. However, the SNAT source IP you choose would affect the Phase 2 network selector configuration on both sides, so you need to have agreement with the external vendor as well.
You probably got it from them with the 10.229 NAT outside IPs.
Toshi
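As an added illustration of Toshi's point (this is example configuration written for this thread, not the poster's or Fortinet's own), the FortiOS CLI below puts the two pieces side by side: the phase 1/phase 2 proposals from the question, and a separate firewall policy with a one-to-one IP pool that performs the SNAT. Note that the phase 2 selector carries the NAT IP (10.229.x.x), not the true LAN IP, because SNAT happens before the packet enters the tunnel. The interface names, the peer address 203.0.113.10, the vendor subnet 192.0.2.0/24, the host addresses 10.200.0.10 / 10.229.0.10 (standing in for the masked xx.xx octets) and the pre-shared key are all constructed placeholders. FortiGate implements ESP only, so "AH authentication: None" needs no setting.

```fortios
# --- Phase 1: IKEv1, AES-256 / SHA-256, DH group 16, 24 h lifetime ---
config vpn ipsec phase1-interface
    edit "vendor-vpn"
        set interface "wan1"                 # placeholder WAN interface
        set ike-version 1
        set remote-gw 203.0.113.10           # placeholder: vendor's Cisco peer
        set proposal aes256-sha256
        set dhgrp 16
        set keylife 86400                    # 24 hours
        set psksecret <pre-shared-key>       # placeholder, agreed with the vendor
    next
end

# --- Phase 2: ESP AES-256 / SHA-256, PFS DH group 16, 1 h lifetime ---
config vpn ipsec phase2-interface
    edit "vendor-vpn-p2"
        set phase1name "vendor-vpn"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16
        set keylifeseconds 3600              # 1 hour
        # Selectors use the NAT IP, which is what the vendor sees
        set src-subnet 10.229.0.10 255.255.255.255
        set dst-subnet 192.0.2.0 255.255.255.0   # placeholder vendor network
    next
end

# --- Address objects used by the policy ---
config firewall address
    edit "host-10.200.0.10"
        set subnet 10.200.0.10 255.255.255.255   # true LAN IP
    next
    edit "vendor-net"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# --- Static 1:1 SNAT: true IP 10.200.0.10 -> NAT IP 10.229.0.10 ---
config firewall ippool
    edit "vendor-nat-pool"
        set type one-to-one
        set startip 10.229.0.10
        set endip 10.229.0.10
    next
end

# --- Route the vendor network into the tunnel interface ---
config router static
    edit 0
        set dst 192.0.2.0 255.255.255.0
        set device "vendor-vpn"
    next
end

# --- Policy: SNAT is applied here, independently of the IPsec proposals ---
config firewall policy
    edit 0
        set name "lan-to-vendor-vpn"
        set srcintf "internal"               # placeholder LAN interface
        set dstintf "vendor-vpn"
        set srcaddr "host-10.200.0.10"
        set dstaddr "vendor-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "vendor-nat-pool"
    next
end
```

If the vendor's Cisco crypto ACL is written for 10.229.0.10 but the FortiGate selector still says 10.200.0.10, phase 2 will not come up (or traffic will be dropped as not matching the SA), which is the selector mismatch Toshi is warning about; the proposal settings themselves never need to change for the NAT to work.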
Hi @yeowkm99,
The settings you are showing have nothing to do with the NAT. As long as they are the same as the ones on the remote peer, it's fine.
For NAT configuration, please refer to this article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-IPsec-VPN-with-NAT-on-FortiGat...
Jerry
