Tutorial on how to configure IPSec VPN Between FortiGate And Cisco ASA Firewall in our lab
| Name | IP Address | Remarks |
|---|---|---|
| FortiGate 60E | 121.121.43.50 | Site 1 – WAN IP |
| FortiGate 60E | 192.168.1.1 | Site 1 – LAN IP |
| Cisco ASA | 103.18.246.208 | Site 2 – WAN IP |
| Cisco ASA | 10.10.10.8 | Site 2 – LAN IP |
IKEv1 IPSec VPN Between FortiGate and Cisco ASA
Configuration of FortiGate Firewall
The FortiGate Site-to-Site VPN wizard creates an IKEv1 tunnel by default; the CLI equivalent of what the wizard produces is shown below.
Create address objects for the Local (LAN-192.168.1.0) and Remote (REMOTE-10.10.10.0) networks
config firewall address
    edit "REMOTE-10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "LAN-192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end
Create IPSec Phase 1 called VPN-ToAIMS on the WAN1 interface with
- Proposal = AES256-SHA1
- DH Group = 2
- Remote Gateway = 103.18.246.208 (the ASA WAN IP)
- Pre-shared Key = P@ssw0rd (lab value only; in production use a long random string, since a short PSK is the weakest part of an IKEv1 main-mode tunnel)
- Key Lifetime (Seconds) = 86400
Diffie-Hellman (DH) groups determine the strength of the key exchange. Larger modulus or curve sizes are stronger but take longer to compute; the group number itself is not a ranking (group 14 is 2048-bit MODP and is stronger than group 5). Group 2 (1024-bit) is considered weak today and is used here only because it matches the ASA's default IKEv1 policy; for a new deployment prefer group 14 or an elliptic-curve group such as 19, on both Phase 1 and Phase 2 (PFS).
- DH Group 2: 1024-bit MODP group
- DH Group 5: 1536-bit MODP group
- DH Group 14: 2048-bit MODP group
- DH Group 19: 256-bit elliptic curve group
config vpn ipsec phase1-interface
    edit "VPN-ToAIMS"
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 86400
        set remote-gw 103.18.246.208
        set psksecret P@ssw0rd
    next
end
Create IPSec Phase 2 called VPN-ToAIMS-P2 with
- Associated Phase 1 = VPN-ToAIMS
- Proposal = AES256-SHA1
- Perfect Forward Secrecy (PFS) enabled with DH group 2
- Source & Destination Network = LAN-192.168.1.0 and REMOTE-10.10.10.0 (these selectors must mirror the ASA crypto ACL exactly, or Phase 2 will not negotiate)
Perfect Forward Secrecy (PFS) makes keys more secure because new keys are not made from previous keys. If a key is compromised, new session keys are still secure. When you specify PFS during Phase 2, a Diffie-Hellman exchange occurs each time a new SA is negotiated.
config vpn ipsec phase2-interface
    edit "VPN-ToAIMS-P2"
        set phase1name "VPN-ToAIMS"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 2
        set src-addr-type name
        set dst-addr-type name
        set src-name "LAN-192.168.1.0"
        set dst-name "REMOTE-10.10.10.0"
    next
end
Static route to send traffic for 10.10.10.0/24 into the VPN-ToAIMS tunnel interface, plus a blackhole route for the same prefix at a higher administrative distance. When the tunnel is down the interface route is withdrawn and the blackhole takes over, so traffic for the remote LAN is dropped instead of leaking unencrypted via the default route.
config router static
    edit 2
        set dst 10.10.10.0 255.255.255.0
        set distance 1
        set device "VPN-ToAIMS"
    next
    edit 3
        set dst 10.10.10.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
Create a firewall policy called VPN-LAN-REMOTE to allow traffic from LAN-192.168.1.0 to REMOTE-10.10.10.0 out of the VPN-ToAIMS interface
config firewall policy
    edit 20
        set name "VPN-LAN-REMOTE"
        set srcintf "internal"
        set dstintf "VPN-ToAIMS"
        set srcaddr "LAN-192.168.1.0"
        set dstaddr "REMOTE-10.10.10.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Create a firewall policy called VPN-REMOTE-VPN to allow traffic from REMOTE-10.10.10.0 to LAN-192.168.1.0 into the Internal interface. Both policies use service ALL for the lab; in production restrict them to the services the remote site actually needs, since the tunnel only authenticates the peer gateway, not the hosts behind it.
config firewall policy
    edit 21
        set name "VPN-REMOTE-VPN"
        set srcintf "VPN-ToAIMS"
        set dstintf "internal"
        set srcaddr "REMOTE-10.10.10.0"
        set dstaddr "LAN-192.168.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Configuration of Cisco ASA Firewall
Create object for Local & Remote Network
object network LAN-10.10.10.0
subnet 10.10.10.0 255.255.255.0
object network REMOTE-192.168.1.0
subnet 192.168.1.0 255.255.255.0
Enable IKEv1 on Outside Interface
crypto ikev1 enable outside
NAT exemption (identity NAT) for traffic between LAN-10.10.10.0 and REMOTE-192.168.1.0, so the inside addresses are not translated before they are matched against the crypto ACL
nat (inside,outside) source static LAN-10.10.10.0 LAN-10.10.10.0 destination static REMOTE-192.168.1.0 REMOTE-192.168.1.0 no-proxy-arp route-lookup
Access list called outside_cryptomap that selects the traffic to be encrypted and tunneled; it must mirror the FortiGate Phase 2 selectors (local 10.10.10.0/24 to remote 192.168.1.0/24)
access-list outside_cryptomap extended permit ip object LAN-10.10.10.0 object REMOTE-192.168.1.0
New Group Policy called GroupPolicy_121.121.43.50 with IKEv1 enabled
group-policy GroupPolicy_121.121.43.50 internal
group-policy GroupPolicy_121.121.43.50 attributes
vpn-tunnel-protocol ikev1
Create a tunnel group called 121.121.43.50 (the FortiGate WAN IP) with the pre-shared key defined; the key must be identical to the psksecret configured on the FortiGate
tunnel-group 121.121.43.50 type ipsec-l2l
tunnel-group 121.121.43.50 general-attributes
 default-group-policy GroupPolicy_121.121.43.50
tunnel-group 121.121.43.50 ipsec-attributes
 ikev1 pre-shared-key *****
Define the IKEv1 transform set ESP-AES-256-SHA (AES-256 with SHA-1 HMAC, matching the FortiGate Phase 2 proposal) and configure the crypto map with the following. "set pfs" without a group argument means DH group 2 on the ASA, which matches the Phase 2 dhgrp 2 on the FortiGate.
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 121.121.43.50
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
The following IKEv1 policy (the default created by the ASA VPN wizard) will be used; it matches the FortiGate Phase 1 settings (AES-256, SHA-1, DH group 2, 86400-second lifetime), which is required for Main Mode to complete
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
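Phase 1 and Phase 2 failures between a FortiGate and an ASA are almost always a parameter mismatch, so it is worth checking the two sides against each other before bringing the tunnel up. The script below is an added example, not part of this page or either vendor's tooling: it parses constructed copies of the FortiGate Phase 1/Phase 2 blocks and the ASA IKEv1 policy, transform set and crypto map above, reports anything that would stop negotiation, and separately flags settings that interoperate but are weak (DH group 2, SHA-1, a short PSK). The ENC/HASH spelling tables, the assumption that a bare "set pfs" means group2 and that the FortiGate default keylife is 86400, and the weakness thresholds are this example's own.

```python
"""Added example, not part of the page: cross-check the FortiGate Phase 1/Phase 2
settings against the ASA IKEv1 policy, transform set and crypto map, then flag
settings that negotiate fine but are weak. FORTIGATE_CFG and ASA_CFG are constructed
copies of the page's fragments; the line-oriented parser only knows the statements
used there, and the weakness thresholds are this example's own assumption."""
import re

FORTIGATE_CFG = """\
config vpn ipsec phase1-interface
edit "VPN-ToAIMS"
set proposal aes256-sha1
set dhgrp 2
set remote-gw 103.18.246.208
set psksecret P@ssw0rd
next
end
config vpn ipsec phase2-interface
edit "VPN-ToAIMS-P2"
set proposal aes256-sha1
set dhgrp 2
next
end
"""

ASA_CFG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 121.121.43.50
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
"""

# ASA keywords -> the spelling FortiGate uses in "set proposal <enc>-<hash>"
ENC = {"aes-256": "aes256", "aes": "aes128", "3des": "3des", "esp-aes-256": "aes256", "esp-aes": "aes128"}
HASH = {"sha": "sha1", "md5": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}
ASA_SINGLE = {"enc": r"encryption (\S+)", "hash": r"hash (\S+)", "dh": r"group (\d+)",
              "life": r"lifetime (\d+)", "peer": r"crypto map \S+ \d+ set peer (\S+)",
              "tset": r"crypto map \S+ \d+ set ikev1 transform-set (\S+)"}


def parse_fortigate(cfg):
    """Return {'phase1': {...}, 'phase2': {...}} keyed by 'set' option name."""
    out, cur = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"config vpn ipsec (phase[12])-interface", line):
            cur = out.setdefault(m.group(1), {})
        elif m := re.match(r"set (\S+) (.+)", line):
            cur[m.group(1)] = m.group(2).strip('"')
    return out


def parse_asa(cfg):
    """Pick out the IKEv1 policy, transform-set definitions and the crypto-map entry."""
    a = {"tsets": {}}
    for line in cfg.splitlines():
        line = line.strip()
        for key, pat in ASA_SINGLE.items():
            if m := re.match(pat, line):
                a[key] = m.group(1)
        if m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)", line):
            a["tsets"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"crypto map \S+ \d+ set pfs(?: group(\d+))?$", line):
            a["pfs"] = m.group(1) or "2"  # a bare 'set pfs' means group2 on the ASA
    return a


def check_tunnel(fg, asa, fg_wan, asa_wan):
    """List the mismatches that would stop Phase 1 or Phase 2 from negotiating."""
    p1, p2, issues = fg["phase1"], fg["phase2"], []
    if tuple(p1["proposal"].split("-")) != (ENC[asa["enc"]], HASH[asa["hash"]]):
        issues.append("Phase 1 proposal != ASA ikev1 policy encryption/hash")
    if p1["dhgrp"] != asa["dh"]:
        issues.append(f"Phase 1 DH group {p1['dhgrp']} != ASA group {asa['dh']}")
    if p1.get("keylife", "86400") != asa["life"]:  # FortiGate default keylife is 86400 s
        issues.append("Phase 1 lifetime != ASA ikev1 policy lifetime")
    tenc, thash = asa["tsets"][asa["tset"]]
    if tuple(p2["proposal"].split("-")) != (ENC[tenc], HASH[thash]):
        issues.append("Phase 2 proposal != ASA transform set")
    if p2["dhgrp"] != asa.get("pfs"):
        issues.append("Phase 2 PFS group != ASA 'set pfs' group")
    if p1["remote-gw"] != asa_wan or asa["peer"] != fg_wan:
        issues.append("peer addresses do not point at each other")
    return issues


def weak_settings(fg):
    """Choices that negotiate fine but sit below current guidance (assumed thresholds)."""
    warn = []
    for name, p in (("Phase 1", fg["phase1"]), ("Phase 2", fg["phase2"])):
        if p["dhgrp"] in ("1", "2", "5"):
            warn.append(f"{name}: DH group {p['dhgrp']} is a <=1536-bit MODP group; prefer 14 or 19/20")
        if p["proposal"].endswith("-sha1"):
            warn.append(f"{name}: SHA-1 integrity; prefer sha256")
    if len(fg["phase1"].get("psksecret", "")) < 20:
        warn.append("pre-shared key is under 20 characters; use a long random PSK")
    return warn
```

Run check_tunnel(parse_fortigate(FORTIGATE_CFG), parse_asa(ASA_CFG), "121.121.43.50", "103.18.246.208") on the page's own settings and it returns an empty list, while weak_settings() returns five warnings; change the ASA policy to "group 5" and the DH-group mismatch is reported, which is exactly the case that shows up as Phase 1 never reaching MM_ACTIVE.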
Verify IKEv1 IPSec VPN Tunnel
Verify the IKEv1 IPSec VPN tunnel is up on the Cisco ASA firewall. State MM_ACTIVE means Main Mode completed and the Phase 1 SA is established; "show crypto ipsec sa" lists the Phase 2 SAs and their packet counters.
ASAv# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 121.121.43.50
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Verify the IKEv1 IPSec VPN tunnel is up on the FortiGate firewall. sa=1 under the proxyid means a child SA is installed. Note that this output prints the live ESP and AH keys in clear (the dec:/enc: key= lines), so treat it as sensitive and redact those values before pasting it into a ticket or sharing it with the peer's administrator.
FG60 # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-ToAIMS ver=1 serial=4 121.121.43.50:0->103.18.246.208:0 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=16 ilast=0 olast=0 ad=/0
stat: rxp=6786 txp=12136 rxb=1982700 txb=798028
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-ToAIMS-P2 proto=0 sa=1 ref=8 serial=1
src: 0:192.168.1.0/255.255.255.0:0
dst: 0:10.10.10.0/255.255.255.0:0
SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=27741/0B replaywin=1024
seqno=207a esn=0 replaywin_lastseq=00001a80 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=28529/28800
dec: spi=f6f35fd9 esp=aes key=32 c514b693e2159a42e91fe36ed8a71892c4c82fd31dab47d67535214461eaeb05
ah=sha1 key=20 052cca8b83f7b93ed4651d981daef29c13c6cd06
enc: spi=fcbc266d esp=aes key=32 6b5a3c915d960beed0019fff31d968e0de5e8528c288f954221a1456b8898a66
ah=sha1 key=20 bdb7357fbb82cef0aa4d421509d4dbfaf18e7517
dec:pkts/bytes=6786/1982580, enc:pkts/bytes=12096/1046112
npu_flag=03 npu_rgwy=103.18.246.208 npu_lgwy=121.121.43.50 npu_selid=3 dec_npuid=1 enc_npuid=1
run_tally=1
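Both verification outputs are easy to eyeball on one tunnel but awkward to check across many, and the FortiGate output should not leave the box with the keys in it. The script below is an added example, not part of this page or either vendor's tooling: it parses a constructed copy of the "diagnose vpn tunnel list" output above to confirm VPN-ToAIMS has an installed child SA for exactly the expected selectors, parses the ASA "show crypto isakmp sa" output for peers in MM_ACTIVE, and redacts the hex key material while keeping SPIs and counters. The field names it extracts and the sa >= 1 test are this example's reading of the output shown on the page.

```python
"""Added example, not part of the page: parse the FortiGate 'diagnose vpn tunnel list'
output to confirm the tunnel has an installed child SA with the expected selectors,
parse the ASA 'show crypto isakmp sa' output for the peer's IKE state, and redact the
ESP/AH keys (which FortiGate prints in clear) before the output is shared.
DIAG and ASA_SA are constructed copies of the outputs shown on the page."""
import re

DIAG = """\
list all ipsec tunnel in vd 0
name=VPN-ToAIMS ver=1 serial=4 121.121.43.50:0->103.18.246.208:0 dst_mtu=1500
proxyid_num=1 child_num=0 refcnt=16 ilast=0 olast=0 ad=/0
proxyid=VPN-ToAIMS-P2 proto=0 sa=1 ref=8 serial=1
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:10.10.10.0/255.255.255.0:0
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=27741/0B replaywin=1024
       life: type=01 bytes=0/0 timeout=28529/28800
       dec: spi=f6f35fd9 esp=aes key=32 c514b693e2159a42e91fe36ed8a71892c4c82fd31dab47d67535214461eaeb05
            ah=sha1 key=20 052cca8b83f7b93ed4651d981daef29c13c6cd06
       enc: spi=fcbc266d esp=aes key=32 6b5a3c915d960beed0019fff31d968e0de5e8528c288f954221a1456b8898a66
            ah=sha1 key=20 bdb7357fbb82cef0aa4d421509d4dbfaf18e7517
       dec:pkts/bytes=6786/1982580, enc:pkts/bytes=12096/1046112
"""

ASA_SA = """\
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 121.121.43.50
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# hex key material always follows "key=<len> " in the dec:/enc: lines
KEY_RE = re.compile(r"(key=\d+ )[0-9a-f]{16,}")


def parse_tunnels(text):
    """Return [{name, ike_version, local, remote, proxyids: [{name, sa, src, dst, timeout, spi}]}]."""
    tunnels, child = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"name=(\S+) ver=(\d) serial=\d+ (\S+):\d+->(\S+):\d+", s):
            tunnels.append({"name": m.group(1), "ike_version": int(m.group(2)),
                            "local": m.group(3), "remote": m.group(4), "proxyids": []})
        elif m := re.match(r"proxyid=(\S+) proto=\d+ sa=(\d+)", s):
            child = {"name": m.group(1), "sa": int(m.group(2)), "spi": {}}
            tunnels[-1]["proxyids"].append(child)
        elif m := re.match(r"(src|dst): \d+:(\S+):\d+$", s):
            child[m.group(1)] = m.group(2)          # selector as net/mask
        elif m := re.match(r"life: type=\d+ bytes=\S+ timeout=(\d+)/(\d+)", s):
            child["timeout"] = (int(m.group(1)), int(m.group(2)))  # seconds left / total
        elif m := re.match(r"(dec|enc): spi=([0-9a-f]+)", s):
            child["spi"][m.group(1)] = m.group(2)
    return tunnels


def tunnel_up(tunnels, name, local_net, remote_net):
    """True when tunnel `name` has a child SA installed (sa >= 1) for exactly local_net -> remote_net."""
    return any(c["sa"] >= 1 and c.get("src") == local_net and c.get("dst") == remote_net
               for t in tunnels if t["name"] == name for c in t["proxyids"])


def asa_active_peers(text):
    """Peers in 'show crypto isakmp sa' whose IKEv1 SA reached MM_ACTIVE (Main Mode complete)."""
    peers, cur = [], None
    for line in text.splitlines():
        if m := re.search(r"IKE Peer: (\S+)", line):
            cur = m.group(1)
        elif cur and re.search(r"State\s*:\s*MM_ACTIVE", line):
            peers.append(cur)
    return peers


def redact_keys(text):
    """Replace the hex ESP/AH key material with a placeholder; SPIs and counters are kept."""
    return KEY_RE.sub(r"\1<redacted>", text)
```

tunnel_up() deliberately requires the selectors to match exactly rather than merely overlap: a proxyid for a wider or narrower prefix than the one the ASA crypto ACL permits will negotiate on the FortiGate side but carry no traffic, which is the classic symptom of a selector mismatch on a FortiGate-to-ASA tunnel.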
Verify that the workstations at both sites can ping each other (the source host at site 1 is 192.168.1.177 behind the FortiGate; the host at site 2 is 10.10.10.186 behind the ASA)
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.1.177
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\kwyong>ping 10.10.10.186
Pinging 10.10.10.186 with 32 bytes of data:
Reply from 10.10.10.186: bytes=32 time=11ms TTL=127
Reply from 10.10.10.186: bytes=32 time=13ms TTL=127
Reply from 10.10.10.186: bytes=32 time=13ms TTL=127
Reply from 10.10.10.186: bytes=32 time=21ms TTL=127
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.186
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.8
C:\Users\admin>ping 192.168.1.236
Pinging 192.168.1.236 with 32 bytes of data:
Reply from 192.168.1.236: bytes=32 time=5ms TTL=63
Reply from 192.168.1.236: bytes=32 time=5ms TTL=63
Reply from 192.168.1.236: bytes=32 time=7ms TTL=63
IKEv2 IPSec VPN Between FortiGate and Cisco ASA
Refer to IPSec IKEv2 VPN Between FortiGate And Cisco ASA to change the tunnel from IKEv1 to IKEv2.