IPSec IKEv2 VPN between FortiGate and Cisco ASA

Tutorial on how to configure IPSec IKEv2 VPN Between FortiGate And Cisco ASA in my lab

  1. IKEv2 which only use 4 messages to establish secure peer use less bandwidth than IKE (Main Mode use 9 messages)
  2. IKEv2 is more secure and stable with lot of features, like NAT-T, EAP for Remote Access than IKEv1

Refer to the Difference Between IKEv1 and IKEv2

We are going to change the IKEv1 to IKEv2 for IPSec VPN Between FortiGate And Cisco ASA

Configure IKEv2 in FortiGate

Change IKEv1 to IKEv2 and DH Group 2 to 19 in Phase 1

  • set ike-version 2
  • set dhgrp 19
config vpn ipsec phase1-interface
    edit "VPN-ToAIMS"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dhgrp 19
        set remote-gw
        set psksecret ENC XPryuuwZQ8xgqWsuNQUNU8xLSUGvMyDI+At0qEdA9xihMzSOQODE8R4LBT2jbO1Umxj6j1ihlcgpBLLSCEjCgFoGCMak6mpiTLthkgvb1+BgniQpCakAH7IclI8K/1M4fqLhCN7zPVrQQWVgG9KfhX8imLf5npihvU24a95qdyrHqNatMXhPrWZz2hV0r2Fr2p4bwQ==

Change DH Group 2 to 19 in Phase 2

config vpn ipsec phase2-interface
    edit "VPN-ToAIMS-P2"
        set phase1name "VPN-ToAIMS"
        set proposal aes256-sha1
        set dhgrp 19
        set src-addr-type name
        set dst-addr-type name
        set src-name "LAN-"
        set dst-name "REMOTE-"

Configure IKEv2 in Cisco ASA Firewall

Enable IKEv2 on Outside Interface

ASAv(config)# crypto ikev2 enable outside

Configure Pre-Share-Key for IKEv2 in existing Tunnel Group

ASAv(config)# tunnel-group ipsec-attributes
ASAv(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key [email protected]
ASAv(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key [email protected]

Enable IKEv2 in existing Group Policy

ASAv(config)# group-policy GroupPolicy_121.121.43.50 attributes
ASAv(config-group-policy)# vpn-tunnel-protocol ikev1 

Change the existing IKEv2 Policy to use DH Group 19 and SHA256 for Integrity Hash & PRF

ASAv(config)# crypto ikev2 policy 1
ASAv(config-ikev2-policy)# group 19
ASAv(config-ikev2-policy)# integrity sha256
ASAv(config-ikev2-policy)# encryption aes-256
ASAv(config-ikev2-policy)# prf sha256

Remove the existing Crypto Map for IKEv1

ASAv(config)# no crypto map outside_map 1 match address outside_cryptomap
ASAv(config)# no crypto map outside_map 1 set pfs
ASAv(config)# no crypto map outside_map 1 set peer
ASAv(config)# no crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
ASAv(config)# no crypto map outside_map interface outside

Add the following Crypto Map for IKEv2

ASAv(config)# crypto map ikev2-map 1 match address outside_cryptomap
ASAv(config)# crypto map ikev2-map 1 set pfs group19
ASAv(config)# crypto map ikev2-map 1 set peer
ASAv(config)# crypto map ikev2-map 1 set ikev2 ipsec-proposal AES256
ASAv(config)# crypto map ikev2-map interface outside

Verify IKEv2 VPN Between FortiGate and Cisco ASA

Verify the tunnel is up and running in Cisco ASA

ASAv# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:5, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
1470879453                                                                READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/209 sec
Child sa: local selector -
          remote selector -
          ESP spi in/out: 0x25fd3f79/0xf6f3628c

Verify tunnel is up and running in FortiGate

FG60 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
name=VPN-ToAIMS ver=2 serial=4> dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc  run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=16 ilast=18 olast=58 ad=/0
stat: rxp=641 txp=1034 rxb=147520 txb=16954
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=60
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-ToAIMS-P2 proto=0 sa=1 ref=7 serial=2
  src: 0:
  dst: 0:
  SA:  ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42664/0B replaywin=1024
       seqno=400 esn=0 replaywin_lastseq=00000280 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42933/43200
  dec: spi=f6f3628c esp=aes key=32 7c76e6de2cebedfb1244d2526a05bed927ebd7f0332c2fb61021ecf1ce916770
       ah=sha1 key=20 8d63384ad77c5f2bf10c3580d97fc86937240f18
  enc: spi=25fd3f79 esp=aes key=32 94dc00d8d19f3a24374eace4f6699de2aca6bba3878f433aadaa9034473d013b
       ah=sha1 key=20 90b3319aa35c7fe7bb37c8c8de968e0dcdd2c66c
  dec:pkts/bytes=641/147460, enc:pkts/bytes=1034/17554
  npu_flag=03 npu_rgwy= npu_lgwy= npu_selid=4 dec_npuid=1 enc_npuid=1

Verify workstations at both sites can ping to each other successfully

IKEv2 VPN Between FortiGate And Cisco ASA

Leave a Comment