IPsec Site-to-Site VPN FortiGate <-> Cisco ASA

Following is a step-by-step tutorial for a site-to-site VPN between a Fortinet FortiGate and a Cisco ASA firewall. I am showing the screenshots of the GUIs in order to configure the VPN, as well as some CLI show commands.

Since the Cisco ASA only supports policy-based VPNs, the proxy-IDs (phase 2 selectors) must be used on the FortiGate, too. Furthermore, the ASA only supports Diffie-Hellman group 5 (and not 14), as well as SHA-1 (and not SHA-256) for IKEv1.

I am running a FortiWiFi 90D (v5.2.2) and a Cisco ASA 5505 (9.2(3)) in my lab.

Lab

This is the lab for the tutorial:
S2S VPN FortiGate - Cisco ASA Laboratory

FortiGate

Here are the screenshots from the Forti GUI. Refer to the descriptions for more details:

The new Custom VPN Tunnel with the IP address of the other side, as well as the own Interface.

Phase 1 Proposal: Since the ASA does not support higher algorithms for IKEv1, these are only AES256, SHA1, and DH5.

The Phase 2 Selectores (Proxy IDs) must be set according to the tunneled networks. This is due to the policy-based VPN on the ASA.

The new tunnel interface should be placed in an extra zone, e.g., vpn-s2s.

Finally, the static route through the tunnel.

Cisco ASA

Similar for the ASA:

(If not already present): An IKE Policy with aes-256, dh-5, sha-1, and 28800 seconds.

A new group policy with IPsec IKEv1 enabled.

The Connection Profile: IP address of the FortiGate, protected networks (proxy IDs), the Group Policy, PSK, and the IPsec Proposal.

Enabled Perfect Forward Secrecy with DH-5 and a lifetime of 8 hours.

Just for reference: the tunnel group.

The so created Crypto Map looks like this. (1)

The so created Crypto Map looks like this. (2)

The so created Crypto Map looks like this. (3)

Monitoring

Both firewalls can be monitored via the GUI:

The Session Details from the VPN Statistics on the ASA.

Or via some CLI commands. FortiGate:

fd-wv-fw04 # get vpn ike gateway fd-wv-fw03

vd: root/0

version: 1

interface: wan1 6

addr: 172.16.1.6:500 -> 172.16.1.3:500

created: 21574s ago

IKE SA created: 1/1 established: 1/1 time: 210/210/210 ms

IPsec SA created: 1/8 established: 1/8 time: 120/133/190 ms

id/spi: 20345 e919d31b2152aa69/3c4f946f1067a8a0

direction: initiator

status: established 21574-21574s ago = 210ms

proposal: aes-256-sha1

key: 700a865e7d5dac74-38265025aadbea84-4e6578f76e8a94c0-55010a6860ca55d6

lifetime/rekey: 28800/6925

DPD sent/recv: 000ec23b/00000000

fd-wv-fw04 #

fd-wv-fw04 # get vpn ipsec tunnel name fd-wv-fw03

gateway

type: route-based

local-gateway: 172.16.1.6:0 (static)

remote-gateway: 172.16.1.3:0 (static)

mode: ike-v1

interface: 'wan1' (6)

rx packets: 23438 bytes: 3672312 errors: 0

tx packets: 42395 bytes: 4131302 errors: 2

dpd: enabled/negotiated idle: 5000ms retry: 3 count: 0

selectors

auto-negotiate: disable

mode: tunnel

src: 0:192.168.161.0/255.255.255.0:0

dst: 0:192.168.131.0/255.255.255.0:0

lifetime/rekey: 3600/3411

mtu: 1438

tx-esp-seq: 100

replay: enabled

inbound

spi: c97b0f02

enc: aes 2ab3758cc346a6fc0390c3c445ab0d5023946e0de74004980b9848c6ad1022b4

auth: sha1 877bd440e77d72b21bd39b6bfbd1c5f9aba81e72

outbound

spi: b48f2846

enc: aes 537cf0f0d75c887efa35057a668126fbeab8874b8127a060802bd27e85d43dfb

auth: sha1 9099b7a9edfa18b6882fb15594356e26d5712361

NPU acceleration: encryption(outbound) decryption(inbound)

fd-wv-fw04 #

fd-wv-fw04 # get router info routing-table static

S* 0.0.0.0/0 [10/0] via 172.16.1.1, wan1

S 192.168.111.0/24 [10/0] is directly connected, fd-wv-fw01

S 192.168.121.0/24 [10/0] is directly connected, fd-wv-fw02

S 192.168.131.0/24 [10/0] is directly connected, fd-wv-fw03

S 192.168.151.0/24 [10/0] is directly connected, fd-wv-ro03

Cisco ASA:

fd-wv-fw03# show crypto ikev1 sa detail

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 172.16.1.6

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

Encrypt : aes-256 Hash : SHA

Auth : preshared Lifetime: 28800

Lifetime Remaining: 7274

fd-wv-fw03#

fd-wv-fw03# show crypto ipsec sa peer 172.16.1.6 detail

peer address: 172.16.1.6

Crypto map tag: outside_map, seq num: 4, local addr: 172.16.1.3

access-list outside_cryptomap_3 extended permit ip 192.168.131.0 255.255.255.0 192.168.161.0 255.255.255.0

local ident (addr/mask/prot/port): (192.168.131.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.161.0/255.255.255.0/0/0)

current_peer: 172.16.1.6

#pkts encaps: 24140, #pkts encrypt: 24140, #pkts digest: 24140

#pkts decaps: 42925, #pkts decrypt: 42925, #pkts verify: 42925

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 24140, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

#pkts no sa (send): 0, #pkts invalid sa (rcv): 0

#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

#pkts invalid prot (rcv): 0, #pkts verify failed: 0

#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

#pkts invalid pad (rcv): 0,

#pkts invalid ip version (rcv): 0,

#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

#pkts replay failed (rcv): 8

#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0

#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 172.16.1.3/0, remote crypto endpt.: 172.16.1.6/0

path mtu 1500, ipsec overhead 74(44), media mtu 1500

PMTU time remaining (sec): 0, DF policy: copy-df

ICMP error validation: disabled, TFC packets: disabled

current outbound spi: C97B0F02

current inbound spi : B48F2846

inbound esp sas:

spi: 0xB48F2846 (3029280838)

transform: esp-aes-256 esp-sha-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }

slot: 0, conn_id: 4096, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (3914981/3485)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0xC97B0F02 (3380285186)

transform: esp-aes-256 esp-sha-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }

slot: 0, conn_id: 4096, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (3914990/3484)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

And one more time, note that the ASA only implements policy-based VPNs. That is, the route in the routing table is NOT correct!! In my lab, the remote network behind the FortiGate (192.168.161.0/24) is also propagated via OSPF, while traffic passing to that network leaves via the VPN tunnel and not via this misleading routing entry:

fd-wv-fw03# show route 192.168.161.0

Routing entry for 192.168.161.0 255.255.255.0

Known via "ospf 1", distance 110, metric 110, type intra area

Last update from 172.16.1.6 on outside, 5:22:43 ago

Routing Descriptor Blocks:

* 172.16.1.6, from 172.16.1.6, 5:22:43 ago, via outside

Route metric is 110, traffic share count is 1

CLI Commands for Troubleshooting FortiGate Firewalls

CLI Commands for Troubleshooting FortiGate Firewalls 2015-12-21 Fortinet , Memorandum , Network Cheat Sheet , CLI , FortiGate , Fortinet , Quick Reference , SCP , Troubleshooting Johannes Weber This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI . It is not complete nor very detailled, but provides the basic commands for troubleshooting network related issues that are not resolvable via the GUI. I am not focused on too many memory, process, kernel, etc. details. These must only be used if there are really specific problems. I am more focused on the general troubleshooting stuff. I am using it personally as a cheat sheet / quick reference and will update it from time to time. Coming from Cisco, everything is “show”. With Fortinet you have the choice confusion between show | get | diagnose | execute . Not that easy to remember. It is “ get router info6 routing-table” to show the routing table but “ diagn...

Secure IT

Search This Blog