Steps to Configure IKEv1 Site to Site VPN between FortiGate and Cisco ASA in my lab
| Name | IP Address |
|---|---|
| FortiVM – External IP | 30.30.30.254/24 |
| FortiVM – Internal IP | 30.30.8.1/24 |
| ASAv – External IP | 10.10.10.254/24 |
| ASAv – Internal IP | 10.10.8.1/24 |
If you configure the Site to Site VPN using the wizard, it creates an IKEv1 tunnel by default. We will change it to IKEv2 with a pre-shared key, and then to certificate-based authentication, at a later stage.
A. VPN Configuration for FortiVM
- Create address objects for the local subnet (PROD_LAN, 30.30.8.0/24) and the remote subnet (DR_LAN, 10.10.8.0/24). Use next between entries so that both objects are created inside the same config block; end closes the block.
config firewall address
edit "DR_LAN"
set subnet 10.10.8.0 255.255.255.0
next
edit "PROD_LAN"
set subnet 30.30.8.0 255.255.255.0
next
end
- Create the phase1 interface, called VPN_IKEV1, on the external port (port2) with the ASAv as the remote gateway.
> Only DES is supported on FortiVM with the 14-day evaluation license
config vpn ipsec phase1-interface
edit "VPN_IKEV1"
set interface "port2"
set peertype any
set proposal des-sha1 des-md5
set dhgrp 5
set remote-gw 10.10.10.254
set psksecret P@ssw0rd
end
- Create the phase2 interface (PROD), bound to the phase1 VPN_IKEV1, with the local and remote address objects as selectors
config vpn ipsec phase2-interface
edit "PROD"
set phase1name "VPN_IKEV1"
set proposal des-sha1 des-md5
set dhgrp 5
set src-addr-type name
set dst-addr-type name
set keylifeseconds 86400
set src-name "PROD_LAN"
set dst-name "DR_LAN"
end
- Create firewall policies to allow inbound and outbound traffic through the VPN interface (each policy needs its own unique ID)
Allow traffic from PROD_LAN (30.30.8.0/24) to DR_LAN (10.10.8.0/24) via VPN Interface
config firewall policy
edit 2
set name "S2S_IKEv1_OUT"
set srcintf "port1"
set dstintf "VPN_IKEV1"
set srcaddr "PROD_LAN"
set dstaddr "DR_LAN"
set action accept
set schedule always
set service ALL
end
Allow traffic from DR_LAN (10.10.8.0/24) to PROD_LAN (30.30.8.0/24) via VPN Interface
config firewall policy
edit 3
set name "S2S_IKEv1_IN"
set srcintf "VPN_IKEV1"
set dstintf "port1"
set srcaddr "DR_LAN"
set dstaddr "PROD_LAN"
set action accept
set schedule always
set service ALL
end
- Configure static routes: send 10.10.8.0/24 to the VPN_IKEV1 interface, with a higher-distance blackhole route that takes over when the tunnel is down so the traffic is dropped instead of following the default route
config router static
edit 2
set dst 10.10.8.0 255.255.255.0
set distance 1
set device "VPN_IKEV1"
next
edit 3
set dst 10.10.8.0 255.255.255.0
set distance 254
set blackhole enable
next
end
Some useful commands to troubleshoot the VPN
get vpn ipsec stats crypto
get vpn ipsec stats tunnel
get vpn ike gateway
get vpn ipsec tunnel summary
diag vpn tunnel list
diag vpn tunnel up / down / flush TUNNEL_NAME
B. VPN Configuration for ASAv
- Create objects for the local & remote subnets
object network Site-PROD
subnet 10.10.8.0 255.255.255.0
object network Site-FG
subnet 30.30.8.0 255.255.255.0
- Enable IKEv1 on Outside interface
crypto ikev1 enable outside
- Access list for the interesting traffic between Site-PROD & Site-FG
access-list NO-NAT-FG extended permit ip object Site-PROD object Site-FG
- NAT Exemption for traffic between Site-PROD & Site-FG
nat (inside,outside) source static Site-PROD Site-PROD destination static Site-FG Site-FG no-proxy-arp route-lookup
- IKEv1 policy matching the FortiVM phase1 parameters (DES, SHA1, DH group 5, 86400 s lifetime)
crypto ikev1 policy 30
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
- Tunnel group with pre-shared key (the same key configured as psksecret on the FortiVM)
tunnel-group 30.30.30.254 type ipsec-l2l
tunnel-group 30.30.30.254 ipsec-attributes
ikev1 pre-shared-key *****
- Define the transform set called ikev1-set (matches the FortiVM phase2 proposal des-sha1)
crypto ipsec ikev1 transform-set ikev1-set esp-des esp-sha-hmac
- Crypto map IKEv1_map: match the interesting traffic, set PFS and the peer, bind the transform set, and apply the map to the outside interface
crypto map IKEv1_map 1 match address NO-NAT-FG
crypto map IKEv1_map 1 set pfs group5
crypto map IKEv1_map 1 set peer 30.30.30.254
crypto map IKEv1_map 1 set ikev1 transform-set ikev1-set
crypto map IKEv1_map interface outside
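Most IKEv1 tunnels that never come up fail because the two ends do not offer a common proposal. The following added example (my own check script, not part of the page's device configs) reads the FortiVM phase1/phase2 blocks from section A and the ASAv policy, transform set and PFS setting from section B and reports whether they line up. The FortiOS-to-ASA name maps and the trimmed config excerpts are my own assumptions.

```python
import re

# Assumed mapping of FortiOS proposal tokens onto the names ASA uses in
# "crypto ikev1 policy" (encryption/hash) and in a transform-set (esp-des esp-sha-hmac).
FORTI_TO_ASA_ENC = {"des": "des", "3des": "3des", "aes128": "aes", "aes192": "aes-192", "aes256": "aes-256"}
FORTI_TO_ASA_HASH = {"md5": "md5", "sha1": "sha", "sha256": "sha256"}

def _first(pattern, text):
    """First capture group of pattern in text (multi-line), or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def forti_proposals(block):
    """Set of (enc, hash) pairs, in ASA naming, from a 'set proposal des-sha1 des-md5' line."""
    pairs = set()
    for token in (_first(r"set proposal (.+)", block) or "").split():
        enc, hsh = token.split("-", 1)
        pairs.add((FORTI_TO_ASA_ENC.get(enc), FORTI_TO_ASA_HASH.get(hsh)))
    return pairs

def forti_dhgroups(block):
    return (_first(r"set dhgrp (.+)", block) or "").split()

def phase1_matches(forti_p1, asa_cfg):
    """True if the ASA IKEv1 policy (encryption, hash, group) is among the FortiGate phase1 offers."""
    asa = (_first(r"^\s*encryption (\S+)", asa_cfg), _first(r"^\s*hash (\S+)", asa_cfg))
    return asa in forti_proposals(forti_p1) and _first(r"^\s*group (\d+)", asa_cfg) in forti_dhgroups(forti_p1)

def phase2_matches(forti_p2, asa_cfg):
    """True if the ASA transform-set and PFS group are among the FortiGate phase2 offers."""
    asa = (_first(r"transform-set \S+ esp-(\S+) esp-", asa_cfg),
           _first(r"transform-set \S+ esp-\S+ esp-(\S+)-hmac", asa_cfg))
    pfs = _first(r"set pfs group(\d+)", asa_cfg)
    return asa in forti_proposals(forti_p2) and (pfs is None or pfs in forti_dhgroups(forti_p2))

# Constructed excerpts of the page's configs (only the lines the checks read).
FORTI_P1 = 'edit "VPN_IKEV1"\n set proposal des-sha1 des-md5\n set dhgrp 5\n'
FORTI_P2 = 'edit "PROD"\n set proposal des-sha1 des-md5\n set dhgrp 5\n'
ASA_CFG = """crypto ikev1 policy 30
 authentication pre-share
 encryption des
 hash sha
 group 5
crypto ipsec ikev1 transform-set ikev1-set esp-des esp-sha-hmac
crypto map IKEv1_map 1 set pfs group5
"""

if __name__ == "__main__":
    print("phase1 OK" if phase1_matches(FORTI_P1, ASA_CFG) else "phase1 MISMATCH")
    print("phase2 OK" if phase2_matches(FORTI_P2, ASA_CFG) else "phase2 MISMATCH")
```

Paste the real blocks from both devices in place of the excerpts; a False from either function points at the phase to compare before turning on debugs.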
Reference link for ASAv
1. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html#anc7
Some useful commands to troubleshoot VPN
# Redirect debugging messages to the SSH session
logging monitor debugging
terminal monitor
no debug all
show crypto ikev1 sa
show crypto ipsec sa
C. Verification of the Site to Site VPN Tunnel
Verify that the Site to Site VPN Tunnel is up on ASAv
ASAv# show crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 30.30.30.254
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Verify that the Site to Site VPN Tunnel is up on FortiVM
FortiGate-VM64 # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN_IKEV1 ver=1 serial=1 30.30.30.254:0->10.10.10.254:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=/0
stat: rxp=3977 txp=3940 rxb=536528 txb=426156
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN_IKEV1 proto=0 sa=1 ref=2 serial=1
src: 0:30.30.8.0/255.255.255.0:0
dst: 0:10.10.8.0/255.255.255.0:0
SA: ref=5 options=10226 type=00 soft=0 mtu=1446 expire=24704/0B replaywin=2048
seqno=f65 esn=0 replaywin_lastseq=00000f89 itn=0
life: type=01 bytes=0/0 timeout=28528/28800
dec: spi=c145620f esp=des key=8 86c58888bf37eb2a
ah=sha1 key=20 3e7faa1ef633f7f20f6bf4a84fb9264bc2c6b207
enc: spi=1ac48569 esp=des key=8 88fbc9fa272e4a8a
ah=sha1 key=20 07544fb7e3759c1ca888bd6c0769f634c834db9a
dec:pkts/bytes=3977/329724, enc:pkts/bytes=3940/645256
The Ubuntu server (10.10.8.10) can ping the WIN10 PC (30.30.8.10) successfully.
The WIN10 PC (30.30.8.10) can ping the Ubuntu server (10.10.8.10) successfully.
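To turn the two verification outputs above into a single yes/no answer (useful when polling many tunnels from a monitoring host), here is an added example of my own, not a FortiGate or Cisco tool. It parses diag vpn tunnel list for the active SA flag (sa=1), counters and endpoints, parses show crypto ikev1 sa for the peer state, and cross-checks that the ASA's MM_ACTIVE peer is the FortiGate's own local address. The embedded outputs are trimmed copies of the ones shown above.

```python
import re

def forti_tunnel_status(output):
    """Parse 'diag vpn tunnel list' into {name: {ike_ver, local, remote, sa, rxp, txp, up}}."""
    tunnels, cur = {}, None
    for line in output.splitlines():
        m = re.match(r"name=(\S+) ver=(\d+) serial=\d+ (\S+):\d+->(\S+):\d+", line)
        if m:  # header line starts a new tunnel record
            cur = tunnels.setdefault(m.group(1), {"ike_ver": int(m.group(2)), "local": m.group(3),
                                                   "remote": m.group(4), "sa": 0, "rxp": 0, "txp": 0})
            continue
        if cur is None:
            continue
        m = re.search(r"stat: rxp=(\d+) txp=(\d+)", line)
        if m:
            cur["rxp"], cur["txp"] = int(m.group(1)), int(m.group(2))
        m = re.search(r"^\s*proxyid=\S+ .*\bsa=(\d+)", line)
        if m:  # sa=1 means an installed IPsec SA for that selector; sa=0 means phase2 is down
            cur["sa"] = max(cur["sa"], int(m.group(1)))
    for t in tunnels.values():
        t["up"] = t["sa"] >= 1
    return tunnels

def asa_ikev1_peers(output):
    """Parse 'show crypto ikev1 sa' into {peer_ip: state}, e.g. MM_ACTIVE once phase1 completes."""
    return dict(re.findall(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", output, re.S))

def tunnel_healthy(forti_out, asa_out, name):
    """Both ends agree: FortiGate has an active SA and the ASA shows the FortiGate's address MM_ACTIVE."""
    t = forti_tunnel_status(forti_out).get(name)
    return bool(t and t["up"] and asa_ikev1_peers(asa_out).get(t["local"]) == "MM_ACTIVE")

# Constructed, trimmed copies of the page's verification outputs.
FORTI_OUT = """list all ipsec tunnel in vd 0
name=VPN_IKEV1 ver=1 serial=1 30.30.30.254:0->10.10.10.254:0
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
stat: rxp=3977 txp=3940 rxb=536528 txb=426156
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
proxyid=VPN_IKEV1 proto=0 sa=1 ref=2 serial=1
  src: 0:30.30.8.0/255.255.255.0:0
  dst: 0:10.10.8.0/255.255.255.0:0
"""
ASA_OUT = """IKEv1 SAs:
   Active SA: 1
Total IKE SA: 1
1   IKE Peer: 30.30.30.254
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

if __name__ == "__main__":
    print("VPN_IKEV1 healthy:", tunnel_healthy(FORTI_OUT, ASA_OUT, "VPN_IKEV1"))
```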