IPsec Site-to-Site VPN FortiGate <-> Cisco ASA

Following is a step-by-step tutorial for a site-to-site VPN between a Fortinet FortiGate and a Cisco ASA firewall. I am showing the screenshots of the GUIs in order to configure the VPN, as well as some CLI show commands.

Since the Cisco ASA only supports policy-based VPNs, the proxy-IDs (phase 2 selectors) must be used on the FortiGate, too. Furthermore, the ASA only supports Diffie-Hellman group 5 (and not 14), as well as SHA-1 (and not SHA-256) for IKEv1.

I am running a FortiWiFi 90D (v5.2.2) and a Cisco ASA 5505 (9.2(3)) in my lab.

Lab

This is the lab for the tutorial:

FortiGate

Here are the screenshots from the Forti GUI. Refer to the descriptions for more details:

The new Custom VPN Tunnel with the IP address of the other side, as well as the own Interface.

PSK with IKEv1 in Main Mode.

Phase 1 Proposal: Since the ASA does not support higher algorithms for IKEv1, these are only AES256, SHA1, and DH5.

The Phase 2 Selectores (Proxy IDs) must be set according to the tunneled networks. This is due to the policy-based VPN on the ASA.

The new tunnel interface should be placed in an extra zone, e.g., vpn-s2s.

Finally, the static route through the tunnel.

Cisco ASA

Similar for the ASA:

(If not already present): An IKE Policy with aes-256, dh-5, sha-1, and 28800 seconds.

A new group policy with IPsec IKEv1 enabled.

The Connection Profile: IP address of the FortiGate, protected networks (proxy IDs), the Group Policy, PSK, and the IPsec Proposal.

Enabled Perfect Forward Secrecy with DH-5 and a lifetime of 8 hours.

Just for reference: the tunnel group.

The so created Crypto Map looks like this. (1)

The so created Crypto Map looks like this. (2)

The so created Crypto Map looks like this. (3)

Monitoring

Both firewalls can be monitored via the GUI:

The IPsec Monitor on the FortiGate.

The Session Details from the VPN Statistics on the ASA.

Or via some CLI commands. FortiGate:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62

fd-wv-fw04 # get vpn ike gateway fd-wv-fw03   vd: root/0 name: fd-wv-fw03 version: 1 interface: wan1 6 addr: 172.16.1.6:500 -> 172.16.1.3:500 created: 21574s ago IKE SA  created: 1/1  established: 1/1  time: 210/210/210 ms IPsec SA  created: 1/8  established: 1/8  time: 120/133/190 ms     id/spi: 20345 e919d31b2152aa69/3c4f946f1067a8a0   direction: initiator   status: established 21574-21574s ago = 210ms   proposal: aes-256-sha1   key: 700a865e7d5dac74-38265025aadbea84-4e6578f76e8a94c0-55010a6860ca55d6   lifetime/rekey: 28800/6925   DPD sent/recv: 000ec23b/00000000   fd-wv-fw04 # fd-wv-fw04 # fd-wv-fw04 # get vpn ipsec tunnel name fd-wv-fw03   gateway   name: 'fd-wv-fw03'   type: route-based   local-gateway: 172.16.1.6:0 (static)   remote-gateway: 172.16.1.3:0 (static)   mode: ike-v1   interface: 'wan1' (6)   rx  packets: 23438  bytes: 3672312  errors: 0   tx  packets: 42395  bytes: 4131302  errors: 2   dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0   selectors     name: 'johndoe'     auto-negotiate: disable     mode: tunnel     src: 0:192.168.161.0/255.255.255.0:0     dst: 0:192.168.131.0/255.255.255.0:0     SA       lifetime/rekey: 3600/3411       mtu: 1438       tx-esp-seq: 100       replay: enabled       inbound         spi: c97b0f02         enc:     aes  2ab3758cc346a6fc0390c3c445ab0d5023946e0de74004980b9848c6ad1022b4         auth:   sha1  877bd440e77d72b21bd39b6bfbd1c5f9aba81e72       outbound         spi: b48f2846         enc:     aes  537cf0f0d75c887efa35057a668126fbeab8874b8127a060802bd27e85d43dfb         auth:   sha1  9099b7a9edfa18b6882fb15594356e26d5712361       NPU acceleration: encryption(outbound) decryption(inbound)   fd-wv-fw04 # fd-wv-fw04 # fd-wv-fw04 # get router info routing-table static S*      0.0.0.0/0 [10/0] via 172.16.1.1, wan1 S       192.168.111.0/24 [10/0] is directly connected, fd-wv-fw01 S       192.168.121.0/24 [10/0] is directly connected, fd-wv-fw02 S       192.168.131.0/24 [10/0] is directly connected, fd-wv-fw03 S       192.168.151.0/24 [10/0] is directly connected, fd-wv-ro03

Cisco ASA:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72

fd-wv-fw03# show crypto ikev1 sa detail   IKEv1 SAs:      Active SA: 1     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1   1   IKE Peer: 172.16.1.6     Type    : L2L             Role    : responder     Rekey   : no              State   : MM_ACTIVE     Encrypt : aes-256         Hash    : SHA     Auth    : preshared       Lifetime: 28800     Lifetime Remaining: 7274 fd-wv-fw03# fd-wv-fw03# fd-wv-fw03# show crypto ipsec sa peer 172.16.1.6 detail peer address: 172.16.1.6     Crypto map tag: outside_map, seq num: 4, local addr: 172.16.1.3         access-list outside_cryptomap_3 extended permit ip 192.168.131.0 255.255.255.0 192.168.161.0 255.255.255.0       local ident (addr/mask/prot/port): (192.168.131.0/255.255.255.0/0/0)       remote ident (addr/mask/prot/port): (192.168.161.0/255.255.255.0/0/0)       current_peer: 172.16.1.6           #pkts encaps: 24140, #pkts encrypt: 24140, #pkts digest: 24140       #pkts decaps: 42925, #pkts decrypt: 42925, #pkts verify: 42925       #pkts compressed: 0, #pkts decompressed: 0       #pkts not compressed: 24140, #pkts comp failed: 0, #pkts decomp failed: 0       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0       #TFC rcvd: 0, #TFC sent: 0       #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0       #pkts no sa (send): 0, #pkts invalid sa (rcv): 0       #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0       #pkts invalid prot (rcv): 0, #pkts verify failed: 0       #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0       #pkts invalid pad (rcv): 0,       #pkts invalid ip version (rcv): 0,       #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0       #pkts replay failed (rcv): 8       #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0       #pkts internal err (send): 0, #pkts internal err (rcv): 0         local crypto endpt.: 172.16.1.3/0, remote crypto endpt.: 172.16.1.6/0       path mtu 1500, ipsec overhead 74(44), media mtu 1500       PMTU time remaining (sec): 0, DF policy: copy-df       ICMP error validation: disabled, TFC packets: disabled       current outbound spi: C97B0F02       current inbound spi : B48F2846       inbound esp sas:       spi: 0xB48F2846 (3029280838)          transform: esp-aes-256 esp-sha-hmac no compression          in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }          slot: 0, conn_id: 4096, crypto-map: outside_map          sa timing: remaining key lifetime (kB/sec): (3914981/3485)          IV size: 16 bytes          replay detection support: Y          Anti replay bitmap:           0xFFFFFFFF 0xFFFFFFFF     outbound esp sas:       spi: 0xC97B0F02 (3380285186)          transform: esp-aes-256 esp-sha-hmac no compression          in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }          slot: 0, conn_id: 4096, crypto-map: outside_map          sa timing: remaining key lifetime (kB/sec): (3914990/3484)          IV size: 16 bytes          replay detection support: Y          Anti replay bitmap:           0x00000000 0x00000001

And one more time, note that the ASA only implements policy-based VPNs. That is, the route in the routing table is NOT correct!! In my lab, the remote network behind the FortiGate (192.168.161.0/24) is also propagated via OSPF, while traffic passing to that network leaves via the VPN tunnel and not via this misleading routing entry:

1 2 3 4 5 6 7 8

fd-wv-fw03# show route 192.168.161.0   Routing entry for 192.168.161.0 255.255.255.0   Known via "ospf 1", distance 110, metric 110, type intra area   Last update from 172.16.1.6 on outside, 5:22:43 ago   Routing Descriptor Blocks:   * 172.16.1.6, from 172.16.1.6, 5:22:43 ago, via outside       Route metric is 110, traffic share count is 1