In this recipe, we will configure a site-to-site IPsec VPN tunnel between a FortiGate 90D and a Cisco ASA 5505.
Using FortiOS 5.2 and Cisco ASDM 7.1, the example demonstrates how to configure the tunnel on each site, assuming that both devices are configured with appropriate internal (inside) and external (outside) interfaces.
Note that this example uses the default encryption and authentication (SA proposal) settings of the Cisco ASDM IPsec VPN wizard. These are not necessarily the recommended settings.
We will use the wizards to configure each end of the tunnel as it is much quicker. However, some customization will be required on the FortiGate to ensure that its SA proposal matches the Cisco ASA for each Phase. One of the most common reasons that tunnels between FortiGates and third-party products don’t work is because of mismatched settings.
1. Configuring the Cisco ASA using the IPsec VPN Wizard
In the Cisco ASDM, under the Wizard menu, select IPsec VPN Wizard.
Select Site-to-site, with VPN Tunnel Interface set to outside, and click Next.
In the Peer IP Address field, enter the IP address of the FortiGate unit. Under Authentication Method, enter a secure Pre-Shared Key. You will use the same key when configuring the FortiGate.
Configure Phase 1 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 2.
Configure Phase 2 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 1.
Set the Local Networks and Remote Networks.
Review the configuration before you click Finish.
If prompted, Send the CLI commands to the device. The tunnel configuration on the Cisco ASA is complete. Next you must configure the FortiGate with identical settings, except for the remote gateway and internal network.
2. Configuring the FortiGate using the IPsec VPN Wizard
On the FortiGate, go to VPN > IPsec > Wizard. Enter a Name for the tunnel and select the Site to Site – Cisco template.
Set Remote Gateway to the IP address of the outside interface on the Cisco ASA. The Outgoing Interface should automatically populate. Enter the same Pre-shared Key used in the Cisco ASA configuration.
Set Local Interface to the internal interface. The Local Subnets will automatically populate. Set Remote Subnets to the IP address range of the inside network on the Cisco ASA and click Create.
The IPsec VPN Wizard automatically creates the objects, policies, and static routes required for the tunnel to function properly.
3. Matching the encryption and authentication settings
On the FortiGate, go to VPN > IPsec > Tunnels, and Edit the tunnel you just created. Select Convert to Custom Tunnel.
Under Phase 1 Proposal, configure 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 2.
Under Phase 2 Proposal > Advanced, configure 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 1. When you are certain that the tunnel settings match the Cisco ASA configuration, click OK.
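The mismatch check that steps 1 and 3 perform by hand, written out as an added example (it is not part of the Fortinet recipe and is not FortiGate or ASA code): a small Python script that holds each peer's Phase 1 and Phase 2 proposal, folds vendor labels together (ASDM's "SHA" and FortiOS's "SHA1" are both HMAC-SHA-1) and reports every field that differs, which is the mismatch the introduction names as the most common reason tunnels fail. The device names and the pre-shared key are constructed sample values, and the "before step 3" FortiGate state with Phase 2 DH group 2 is a hypothetical value chosen to show a mismatch, not the wizard's actual default. The script also flags the recipe's 3DES, SHA-1 and DH group 1/2 settings as weak, which is the caveat the introduction raises about the ASDM defaults.

```python
"""Compare two IPsec peers' proposals before bringing a tunnel up.

Added example, not from the Fortinet Cookbook recipe. Peer names, the
pre-shared key and the 'before step 3' FortiGate state are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Cisco ASDM labels HMAC-SHA-1 as "SHA", FortiOS as "SHA1": same algorithm,
# so vendor spellings are folded together before comparing.
ALIASES = {"sha": "sha1", "aes": "aes128"}

# Algorithms and groups that are considered weak today; the recipe notes that
# the ASDM wizard defaults are "not necessarily the recommended settings".
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_AUTHENTICATION = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}


def normalise(label: str) -> str:
    """Lower-case an algorithm label, drop separators, fold vendor aliases."""
    key = label.strip().lower().replace("-", "").replace(" ", "")
    return ALIASES.get(key, key)


@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    dh_group: int

    def normalised(self) -> "Proposal":
        return Proposal(normalise(self.encryption),
                        normalise(self.authentication), self.dh_group)


@dataclass(frozen=True)
class PeerConfig:
    name: str
    phase1: Proposal
    phase2: Proposal
    preshared_key: str


def compare_phase(phase: str, a: Proposal, b: Proposal) -> List[str]:
    """Return one line per proposal field that differs between a and b."""
    a, b = a.normalised(), b.normalised()
    problems = []
    for field in ("encryption", "authentication", "dh_group"):
        left, right = getattr(a, field), getattr(b, field)
        if left != right:
            problems.append(f"{phase} {field}: {left} != {right}")
    return problems


def weak_settings(phase: str, p: Proposal) -> List[str]:
    """Return notes for any deprecated algorithm or small DH group in p."""
    p = p.normalised()
    notes = []
    if p.encryption in WEAK_ENCRYPTION:
        notes.append(f"{phase} encryption {p.encryption} is deprecated")
    if p.authentication in WEAK_AUTHENTICATION:
        notes.append(f"{phase} authentication {p.authentication} is deprecated")
    if p.dh_group in WEAK_DH_GROUPS:
        notes.append(f"{phase} DH group {p.dh_group} is too small")
    return notes


def check_tunnel(local: PeerConfig, remote: PeerConfig) -> Dict[str, List[str]]:
    """Report proposal mismatches and weak settings for a peer pair."""
    mismatches = compare_phase("phase1", local.phase1, remote.phase1)
    mismatches += compare_phase("phase2", local.phase2, remote.phase2)
    if local.preshared_key != remote.preshared_key:
        mismatches.append("pre-shared key differs")  # never echo the key itself
    weak = []
    for peer in (local, remote):
        weak += weak_settings("phase1", peer.phase1)
        weak += weak_settings("phase2", peer.phase2)
    return {"mismatches": mismatches, "weak": list(dict.fromkeys(weak))}


# Constructed sample peers. The ASA side carries the values the recipe enters
# in step 1; the FortiGate states are hypothetical before/after step 3.
CISCO_ASA = PeerConfig("Cisco ASA 5505 (sample)",
                       Proposal("3DES", "SHA", 2), Proposal("3DES", "SHA", 1),
                       "constructed-psk")
FORTIGATE_BEFORE_STEP3 = PeerConfig("FortiGate 90D (sample, before step 3)",
                                    Proposal("3DES", "SHA1", 2),
                                    Proposal("3DES", "SHA1", 2),  # hypothetical
                                    "constructed-psk")
FORTIGATE_AFTER_STEP3 = PeerConfig("FortiGate 90D (sample, after step 3)",
                                   Proposal("3DES", "SHA1", 2),
                                   Proposal("3DES", "SHA1", 1),
                                   "constructed-psk")

if __name__ == "__main__":
    for fgt in (FORTIGATE_BEFORE_STEP3, FORTIGATE_AFTER_STEP3):
        report = check_tunnel(CISCO_ASA, fgt)
        print(f"{CISCO_ASA.name} <-> {fgt.name}")
        print("  mismatches:", report["mismatches"] or "none")
        print("  weak settings:", report["weak"])
```

The report for the "before step 3" pair shows exactly one line, the Phase 2 DH group, and the report after step 3 shows none, while both still list every 3DES, SHA-1 and DH 1/2 setting as weak; in practice that second list is the prompt to agree on stronger proposals with the ASA administrator once the tunnel is known to come up.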
4. Results

On the FortiGate, go to VPN > Monitor > IPsec Monitor. Right-click on the Site to Site – Cisco VPN and select Bring Up.

From one of the internal networks, you should be able to successfully ping the other internal network.

You will be able to see Incoming and Outgoing Data in the FortiGate IPsec Monitor.

Go to Log & Report > Event Log > VPN to view the status of the tunnel negotiation.

Highlight an entry to view the status in greater detail.
5. Troubleshooting

For complete troubleshooting information, refer to IPsec VPN Troubleshooting. Below are some troubleshooting tips.
The post Site-to-Site IPsec VPN Between a FortiGate and a Cisco ASA appeared first on Fortinet Cookbook.