This blog post shows how to configure a site-to-site IPsec VPN between a FortiGate firewall and a Cisco router. The FortiGate is configured via the GUI – the router via the CLI. I am showing the screenshots/listings as well as a few troubleshooting commands.
The VPN tunnel shown here is a route-based tunnel. That is, I do NOT use proxy-ids in phase 2 for the routing decision (which would be policy-based), but tunnel-interfaces and static routes. This applies to both devices.
The FortiGate firewall in my lab is a FortiWiFi 90D (v5.2.2), the Cisco router a 2811 with software version 12.4(24)T8.
Lab
The following figure shows the lab for this VPN:
FortiGate
These are the steps for the FortiGate firewall. Refer to the descriptions under the screenshots for further details:
Cisco Router
The Cisco router is configured with the following commands:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key ZByLKnMxmohpNLBPAgwckJhY address 172.16.1.6
crypto isakmp keepalive 10 5
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
!
crypto ipsec profile FG
 set transform-set aes256-sha
 set pfs group14
!
interface Tunnel161
 ip unnumbered FastEthernet0/1.151
 tunnel source 172.16.1.5
 tunnel destination 172.16.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FG
!
ip route 192.168.161.0 255.255.255.0 Tunnel161
Monitoring
The FortiGate has an IPsec Monitor status of “Up”,
and can be queried via the CLI, too:
fd-wv-fw04 # get vpn ike gateway fd-wv-ro03

vd: root/0
name: fd-wv-ro03
version: 1
interface: wan1 6
addr: 172.16.1.6:500 -> 172.16.1.5:500
created: 1789239s ago
IKE SA  created: 1/63  established: 1/63  time: 380/461/2480 ms
IPsec SA  created: 1/514  established: 1/514  time: 360/382/590 ms

  id/spi: 20213 7369fa8ea50b4193/15f1b4d8a7818977
  direction: initiator
  status: established 22210-22210s ago = 380ms
  proposal: aes-256-sha1
  key: 2a0a6784e29fbe70-ade0d6d6a368bdca-5e81890d77f7ca7a-db7e9f75c746aa94
  lifetime/rekey: 28800/6289
  DPD sent/recv: 000d1c3e/4f447f71

fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get vpn ipsec tunnel name fd-wv-ro03

gateway
  name: 'fd-wv-ro03'
  type: route-based
  local-gateway: 172.16.1.6:0 (static)
  remote-gateway: 172.16.1.5:0 (static)
  mode: ike-v1
  interface: 'wan1' (6)
  rx  packets: 1584  bytes: 199840  errors: 0
  tx  packets: 1595  bytes: 135078  errors: 0
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: 'fd-wv-ro03'
    auto-negotiate: disable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
      lifetime/rekey: 3600/923
      mtu: 1438
      tx-esp-seq: 600
      replay: enabled
      inbound
        spi: c97b0d54
        enc:     aes  43821ea396d91c75a865fa39ceb11dbae01761965f5c259c8ff08288034a2951
        auth:   sha1  e3b74f75ee315f3a6bb6c08f820fd7326e6efa1e
      outbound
        spi: 5ffae69c
        enc:     aes  8b4721951aa7878a50c865f1853fd55944dfc514e7f12fee8288d458f3aa8b64
        auth:   sha1  f8905c11627d73bd643bda374f8a6214dbc12281
      NPU acceleration: encryption(outbound) decryption(inbound)
The Cisco router show commands are the following:
fd-wv-ro03#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1195  172.16.1.5      172.16.1.6             ACTIVE aes  sha  psk  14 01:46:56 D
       Engine-id:Conn-id =  SW:195

IPv6 Crypto ISAKMP SA

fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show crypto ipsec sa peer 172.16.1.6

interface: Tunnel161
    Crypto map tag: Tunnel161-head-0, local addr 172.16.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.1.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1856, #pkts encrypt: 1856, #pkts digest: 1856
    #pkts decaps: 1855, #pkts decrypt: 1855, #pkts verify: 1855
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 1

     local crypto endpt.: 172.16.1.5, remote crypto endpt.: 172.16.1.6
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xC97B0D54(3380284756)
     PFS (Y/N): Y, DH group: group14

     inbound esp sas:
      spi: 0x5FFAE69C(1610278556)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2737, flow_id: NETGX:737, sibling_flags 80000046, crypto map: Tunnel161-head-0
        sa timing: remaining key lifetime (k/sec): (4506750/791)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC97B0D54(3380284756)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2738, flow_id: NETGX:738, sibling_flags 80000046, crypto map: Tunnel161-head-0
        sa timing: remaining key lifetime (k/sec): (4506750/791)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show ip route static
S    192.168.161.0/24 is directly connected, Tunnel161
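A quick way to confirm that the two listings above describe the same pair of IPsec SAs is to cross-check the SPIs: the FortiGate's inbound SPI must be the Cisco router's outbound SPI and vice versa. The following script is an added example, not part of the original post or of either vendor's tooling; the two excerpt strings are constructed from the SA sections of the listings above and the function names are my own.

```python
import re

# Constructed excerpts of the SA sections from the two listings above.
FORTIGATE_SA = """
      inbound
        spi: c97b0d54
      outbound
        spi: 5ffae69c
      NPU acceleration: encryption(outbound) decryption(inbound)
"""

CISCO_SA = """
     current outbound spi: 0xC97B0D54(3380284756)
     inbound esp sas:
      spi: 0x5FFAE69C(1610278556)
        transform: esp-256-aes esp-sha-hmac ,
     outbound esp sas:
      spi: 0xC97B0D54(3380284756)
        transform: esp-256-aes esp-sha-hmac ,
"""


def fortigate_spis(text):
    """Map 'inbound'/'outbound' to the SPI from 'get vpn ipsec tunnel name' output."""
    pairs = re.findall(r"\b(inbound|outbound)\s+spi:\s*([0-9a-fA-F]+)", text)
    return {direction: spi.lower() for direction, spi in pairs}


def cisco_spis(text):
    """Map 'inbound'/'outbound' to the ESP SPI from 'show crypto ipsec sa' output."""
    pairs = re.findall(r"\b(inbound|outbound) esp sas:\s*spi:\s*0x([0-9a-fA-F]+)", text)
    return {direction: spi.lower() for direction, spi in pairs}


def check_sa_pairing(fgt, cisco):
    """Each peer's inbound SPI must equal the other peer's outbound SPI.
    Returns a list of problems; an empty list means both sides agree."""
    problems = []
    for fgt_dir, cisco_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        f, c = fgt.get(fgt_dir), cisco.get(cisco_dir)
        if f is None or c is None:
            problems.append(f"missing SPI: FortiGate {fgt_dir}={f}, Cisco {cisco_dir}={c}")
        elif f != c:
            problems.append(f"FortiGate {fgt_dir} {f} != Cisco {cisco_dir} {c}")
    return problems


if __name__ == "__main__":
    issues = check_sa_pairing(fortigate_spis(FORTIGATE_SA), cisco_spis(CISCO_SA))
    print("SAs consistent" if not issues else "\n".join(issues))
```

Paste the full output of both show commands into the two strings; a non-empty result usually means you are looking at SAs from different rekey generations or at a different peer.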
Ciao.