Site to Site IPSEC VPN

Dear All, can someone tell me how to configure policy-based and route-based VPN with a Cisco ASA? I want to know how to do both configurations. Thanks.

Fortigate to cisco ASA
liuxiangdong

It seems that FortiGate cannot establish a route-based VPN with a Cisco ASA, but may build a tunnel VPN.
emnoc
Esteemed Contributor III

> It seems that FortiGate cannot establish a route-based VPN with a Cisco ASA, but may build a tunnel VPN.

A big negative on that last part. For the original poster, do a search here and you will find numerous route-based VPN samples from FGT-2-cisco.

For the policy-based VPN (where you enable this in the policy), it's not recommended by most practical security consultants and is very limited in capabilities, i.e.

- you can't run any routing protocols over policy-based
- you can't perform diagnostic captures over policy-based
- you can't scale very well with this concept
- policy-based over diagnostic is more time consuming and bigger hurdles and challenges exist
- over policy-based you can't ....... (you get the picture, a lot more challenges with policy-based VPNs)

As you may notice, route-based VPNs are much better. Also one more item: you want to do the VPNs in an interface type, i.e.

- phase1-interface
- phase2-interface

I would download the VPN guide built by Fortinet; it's simple to follow and provides all the details and examples that you will need.

Keep these thoughts in mind:

- the Cisco ASA and its tunnel-group will need to be defined
- Cisco doesn't support all authentication methods like that of a FortiGate (NO SHA384)
- proxy-id for phase2 settings needs to be defined (don't try the 0.0.0.0/0:0)
- limit your proposals to the one you want (don't execute multiple proposals)
- be cautious of IKE version (Cisco ASA since 9.X, maybe 8.4 code, supports IKE version 2 now, but IKEv1 was the de facto and only IKEv1 was supported on Cisco ASA for the majority of time)

Follow my blog on how to troubleshoot a VPN (route-based here): http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html

PCNSE NSE StrongSwan
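
The checklist in the reply above (interface-type phase1/phase2, a defined proxy-id, a single proposal, an explicit IKE version), written out as an added FortiOS CLI example; it is not taken from the thread or from Fortinet's VPN guide. All addresses, interface names and tunnel names are constructed for illustration, and the proposal, DH group and IKE version are assumptions that must match whatever the ASA side is actually configured for.

```fortios
# Constructed values (assumptions, not from the thread):
#   203.0.113.2   = ASA outside address
#   10.1.1.0/24   = LAN behind the FortiGate
#   10.2.2.0/24   = LAN behind the ASA
#   "wan1", "to-asa", "to-asa-p2" = hypothetical interface and tunnel names
config vpn ipsec phase1-interface
    edit "to-asa"
        set interface "wan1"
        # Pin the IKE version explicitly; use 1 if the ASA only runs IKEv1.
        set ike-version 2
        set peertype any
        # One proposal only, identical to the ASA policy (no SHA384).
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.2
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "to-asa-p2"
        set phase1name "to-asa"
        # Single phase2 proposal, matching the ASA's IPsec proposal.
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        # Explicit proxy-id instead of 0.0.0.0/0; must mirror the ASA's
        # crypto ACL (local and remote swapped on the ASA side).
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 10.2.2.0 255.255.255.0
    next
end
# Route-based: traffic reaches the tunnel through a normal route
# pointing at the tunnel interface created by phase1-interface.
config router static
    edit 0
        set dst 10.2.2.0 255.255.255.0
        set device "to-asa"
    next
end
```

Firewall policies between the LAN interface and the "to-asa" tunnel interface are still required in both directions before traffic passes; scope them to the two subnets rather than "all".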
liuxiangdong

I haven't tested an FGT establishing a route-based tunnel with another VPN gateway, and I once heard about this from a Fortinet tech expert from China.