Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

design for ipsec to cisco 2911

Hi All,


I understand that route based tunnels are preferred to policy based policies.


Can I use an ipsec interface tunnel to biuld a link to a cisco 2911 and merely disregard the interface IP addresses?


We will create a tunnel to an external party for remote support and maintenance, see attached diagram. It will be the first such external tunnel. We have been provided with vpn configuration information containing only proposal, DH group and lifetime for both phase 1 and 2, as well as policy requirements.

Tunnel traffic will be only between server 1 and server 2.


Within our networks we use FGT <> FGT ipsec-interface tunnels widely for ospf so I'm very familiar with this configuration.


I hope the following will work:

Create phase1-interface and phase2-interface with settings to match the cisco;

Make no changes to the interface itself (ie in config sys int);

Add a static route for Z via X;

Add a static route for b.b.b.b via the tunnel;

Create the required policies.

Profit, or relax.


Is this correct? Any tricks to keep in mind?


Thanks in advance


[edit: typo]


As far as I remember Ciscos require an address at the tunnel's end. No problem to stuff that in in the CLI ('local-gw'). The tricky part is the NAT device - will it NAT in both directions, i.e. can the FGT 'see' the real IP of the Cisco? If not, you will have to use peer IDs for authentication (the public WAN address of the peer is part of the authentication in IKE).

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!

You don't have to use tunnel interface on Cisco side. Dead peer detection wouldn't work well. We always disable it on FG side.


Thanks for your replies.


@ede: Do you mean local-gw = W (interface of FGT), or local-gw = Y (static public IP, and would that work)? For FGT-FGT tunnels we have previously only needed to use local-gw when the interface has secondary-ip enabled, to specify which source IP to use.

We use the above topology for FGT-FGT without any issues, obviously with nat-traversal enabled. The FGT will be able to see the Cisco real IP. Cisco will see the connection from the public IP "Y"


@Toshi: Thanks, we can disable dpd.


Also you might want to set up IP SLA from Cisco side to keep the tunnel up all the time.


This turned out to be relatively straight forward. For completeness, following settings we don't normally use:

config vpn ipsec phase1-interface

    set local-gw W # pretty sure this is not required.


config vpn ipsec phase2-interface

    set keepalive enable

    set auto-negotiate enable

    set src-subnet a.a.a.a/32

    set dst-subnet b.b.b.b/32

endOther settings (interface, static routes, policies) as planned above.

We left dpd enabled after discussing with remote side.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors