It seems that Fortigate cannot establish a route-based VPN with CISCO ASA, but may build a tunnel VPN

A big negative on that last part. For the original poster, do a search here and you will find numerous route-based VPN samples from FGT-2-Cisco.

For the policy-based VPN (where you enable this in the policy), it's not recommended by most practical security consultants and is very limited in capabilities, i.e.:

- you can't run any routing protocols over policy-based
- you can't perform diagnostic captures over policy-based
- you can't scale very well with this concept
- policy-based diagnostics are more time consuming
- bigger hurdles and challenges exist over policy-based
- you can't ....... (you get the picture, a lot more challenges with policy-based VPNs)

As you may notice, route-based are much better. Also one more item: you want to do the VPNs in an interface type, i.e.

phase1-interface
phase2-interface

I would download the VPN guide built by Fortinet; it's simple to follow and provides all the details and examples that you will need.

Keep these thoughts in mind:

- the Cisco ASA and its tunnel-group will need to be defined
- Cisco doesn't support all authentication methods like that of a FortiGate (NO SHA384)
- proxy-id for phase2 settings needs to be defined (don't try the 0.0.0.0/0:0)
- limit your proposals to the one you want (don't execute multiple proposals)
- be cautious of IKE version (Cisco ASA since 9.X, maybe 8.4 code, supports IKE version 2 now, but IKEv1 was the de facto and only supported version on Cisco ASA for the majority of the time)

Follow my blog on how to troubleshoot a VPN (route-based here): http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
PCNSE
NSE
StrongSwan
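A small checker for the checklist in the post above, as an added example that is not part of the original post and not a Fortinet tool. The sample config is constructed, the function names `parse` and `lint` are hypothetical, and it assumes a flat FortiOS `config` / `edit` / `set` / `next` layout without nested blocks.

```python
# Constructed FortiOS-style config for illustration; names and subnets are made up.
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "to-asa"
        set proposal aes256-sha384 aes128-sha1
    next
end
config vpn ipsec phase2-interface
    edit "to-asa-p2"
        set proposal aes256-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end
'''
def parse(text):
    """Yield (section, entry name, settings dict) for every 'edit' block."""
    section, name, settings = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            name, settings = line[5:].strip('"'), {}
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = value
        elif line == "next" and name is not None:
            yield section, name, settings
            name = None

def lint(text):
    """Return findings for the interop points listed in the post."""
    findings = []
    for section, name, s in parse(text):
        if not section.startswith("vpn ipsec phase"):
            continue
        if section in ("vpn ipsec phase1", "vpn ipsec phase2"):
            findings.append(f"{name}: policy-based (non-interface) VPN")
        proposals = s.get("proposal", "").split()
        if len(proposals) > 1:
            findings.append(f"{name}: multiple proposals {proposals}")
        if any("sha384" in p for p in proposals):
            findings.append(f"{name}: sha384 proposal")
        if section.startswith("vpn ipsec phase2"):
            for key in ("src-subnet", "dst-subnet"):  # unset selector = wildcard
                if s.get(key, "0.0.0.0/0") in ("0.0.0.0 0.0.0.0", "0.0.0.0/0"):
                    findings.append(f"{name}: wildcard {key}")
    return findings
```

Running `lint(SAMPLE)` reports the double proposal and the SHA384 proposal on the phase 1 entry and the wildcard source selector on the phase 2 entry.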