
IPsec site-to-site VPN tunnel between Cisco ASA & FortiGate Firewall

Setting up an IPsec S2S VPN tunnel
Cisco ASA & FortiGate Firewall

This article walks through an IPsec VPN tunnel between a Cisco ASA and a Fortinet firewall, where one site is protected by a FortiGate and the other by a Cisco ASA.

We configure the tunnel on each site, making sure the two local subnets do not overlap, so that a secure tunnel can be established with the required security profiles applied. The walkthrough uses FortiOS 5.0 and Cisco ASDM 6.4. Both devices must already have their internal and external interfaces configured for this to work.

Fig 1.1- IPSec Site2site tunnel

What we are going to do?

  • Configuring the Cisco device using the IPsec VPN Wizard
  • Configuring the FortiGate tunnel phases
  • Configuring the FortiGate policies
  • Configuring the static route in the FortiGate

IPsec VPN Wizard to configure the Cisco ASA

Step 1: In the Cisco ASDM, under the Wizard menu, select IPsec VPN Wizard.

Step 2: From the options that appear, select Site-to-Site, with the VPN Tunnel Interface set to outside, then click Next.

Fig 1.2- Cisco ASA- ASDM site to site screen

Step 3: In the Peer IP Address field, enter the IP address of the FortiGate unit through which the VPN traffic will flow.

Fig 1.3- Cisco ASDM

Step 4: Under Authentication Method, enter a secure Pre-Shared Key. You will use the same key when configuring the FortiGate tunnel phases. Choose something more secure than “Password” and click Next.

Step 5: Configure Phase 1 with AES-256 encryption and SHA authentication, and set the Diffie-Hellman Group to 5.

Fig 1.4- Cisco ASDM

Step 6: Enable PFS and set the Diffie-Hellman Group to 2.

Step 7: Set the Local Network and Remote Network.

Fig 1.5- Cisco ASDM

On the Cisco ASA, the tunnel configuration is finished. You must now set up the FortiGate with matching settings; only the remote gateway address differs.

Configuring the FortiGate tunnel phases

Step 1: In the FortiOS GUI, navigate to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.

Step 2: Name the tunnel, statically assign the IP Address of the remote gateway, and set the Local Interface to wan1.

Fig 1.6- FortiGate Firewall

Step 3: Select Preshared Key for Authentication method and enter the same Preshared key you chose when configuring the Cisco IPsec VPN Wizard. Configure this phase to match the encryption settings configured on the Cisco device and click OK.

Step 4: Select Create Phase 2. Select the Phase 1 you just configured, and ensure that the encryption settings match the Phase 2 encryption settings configured on the Cisco device. Optionally, provide the Source address and Destination address of the networks at each end of the tunnel under Quick Mode Selector.

Fig 1.7- FortiGate Firewall

Configuring the FortiGate policies

Step 1: Navigate to Policy > Policy > Policy and create firewall policies that allow inbound and outbound traffic over the tunnel.

Step 2: In the first (outbound) policy, set the Incoming Interface to lan and set the source Address to all.

Step 3: Set the Outgoing Interface to the tunnel interface and set the Destination Address to all. Configure the Schedule and Service as desired.

Step 4: Create the second (inbound) policy to allow traffic to flow in the opposite direction, and configure the Schedule and Service as desired.

Fig 1.8- FortiGate Firewall

Configuring the static route in the FortiGate

Step 1: Navigate to Router > Static > Static Routes and select Create New.

Step 2: Create a static route with the Destination IP/Mask matching the Cisco local network (by default, 192.168.1.0). Under Device, select the site-to-site tunnel, and click OK. The tunnel configuration on the FortiGate side is now finished.
