Following is a step-by-step tutorial for a site-to-site VPN between a Fortinet FortiGate and a Cisco ASA firewall. I am showing the screenshots of the GUIs in order to configure the VPN, as well as some CLI show commands.
Since the Cisco ASA only supports policy-based VPNs, the proxy-IDs (phase 2 selectors) must be configured on the FortiGate, too, so that both ends negotiate the same phase 2 selectors. Furthermore, the ASA only supports Diffie-Hellman group 5 (and not 14), as well as SHA-1 (and not SHA-256), for IKEv1.
I am running a FortiWiFi 90D (v5.2.2) and a Cisco ASA 5505 (9.2(3)) in my lab.
Lab
This is the lab for the tutorial:
FortiGate
Here are the screenshots from the FortiGate GUI. Refer to the descriptions for more details:
Cisco ASA
Similar for the ASA:
Monitoring
Both firewalls can be monitored via the GUI:
Or via some CLI commands. FortiGate:
fd-wv-fw04 # get vpn ike gateway fd-wv-fw03
vd: root/0
name: fd-wv-fw03
version: 1
interface: wan1 6
addr: 172.16.1.6:500 -> 172.16.1.3:500
created: 21574s ago
IKE SA  created: 1/1  established: 1/1  time: 210/210/210 ms
IPsec SA  created: 1/8  established: 1/8  time: 120/133/190 ms

id/spi: 20345 e919d31b2152aa69/3c4f946f1067a8a0
direction: initiator
status: established 21574-21574s ago = 210ms
proposal: aes-256-sha1
key: 700a865e7d5dac74-38265025aadbea84-4e6578f76e8a94c0-55010a6860ca55d6
lifetime/rekey: 28800/6925
DPD sent/recv: 000ec23b/00000000

fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get vpn ipsec tunnel name fd-wv-fw03
gateway
  name: 'fd-wv-fw03'
  type: route-based
  local-gateway: 172.16.1.6:0 (static)
  remote-gateway: 172.16.1.3:0 (static)
  mode: ike-v1
  interface: 'wan1' (6)
  rx  packets: 23438  bytes: 3672312  errors: 0
  tx  packets: 42395  bytes: 4131302  errors: 2
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: 'johndoe'
    auto-negotiate: disable
    mode: tunnel
    src: 0:192.168.161.0/255.255.255.0:0
    dst: 0:192.168.131.0/255.255.255.0:0
    SA  lifetime/rekey: 3600/3411
      mtu: 1438
      tx-esp-seq: 100
      replay: enabled
      inbound
        spi: c97b0f02
        enc:     aes  2ab3758cc346a6fc0390c3c445ab0d5023946e0de74004980b9848c6ad1022b4
        auth:   sha1  877bd440e77d72b21bd39b6bfbd1c5f9aba81e72
      outbound
        spi: b48f2846
        enc:     aes  537cf0f0d75c887efa35057a668126fbeab8874b8127a060802bd27e85d43dfb
        auth:   sha1  9099b7a9edfa18b6882fb15594356e26d5712361
      NPU acceleration: encryption(outbound) decryption(inbound)

fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get router info routing-table static
S*      0.0.0.0/0 [10/0] via 172.16.1.1, wan1
S       192.168.111.0/24 [10/0] is directly connected, fd-wv-fw01
S       192.168.121.0/24 [10/0] is directly connected, fd-wv-fw02
S       192.168.131.0/24 [10/0] is directly connected, fd-wv-fw03
S       192.168.151.0/24 [10/0] is directly connected, fd-wv-ro03
Cisco ASA:
fd-wv-fw03# show crypto ikev1 sa detail

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.16.1.6
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 7274
fd-wv-fw03#
fd-wv-fw03#
fd-wv-fw03# show crypto ipsec sa peer 172.16.1.6 detail
peer address: 172.16.1.6
    Crypto map tag: outside_map, seq num: 4, local addr: 172.16.1.3

      access-list outside_cryptomap_3 extended permit ip 192.168.131.0 255.255.255.0 192.168.161.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.131.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.161.0/255.255.255.0/0/0)
      current_peer: 172.16.1.6

      #pkts encaps: 24140, #pkts encrypt: 24140, #pkts digest: 24140
      #pkts decaps: 42925, #pkts decrypt: 42925, #pkts verify: 42925
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 24140, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0, #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 8
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.16.1.3/0, remote crypto endpt.: 172.16.1.6/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C97B0F02
      current inbound spi : B48F2846

    inbound esp sas:
      spi: 0xB48F2846 (3029280838)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914981/3485)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xC97B0F02 (3380285186)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914990/3484)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
And one more time, note that the ASA only implements policy-based VPNs. That is, the routing table does NOT reflect the tunnel and must not be trusted for this traffic. In my lab, the remote network behind the FortiGate (192.168.161.0/24) is also propagated via OSPF, but traffic to that network is matched by the crypto map on the outside interface and leaves through the VPN tunnel, not via this misleading routing entry:
fd-wv-fw03# show route 192.168.161.0

Routing entry for 192.168.161.0 255.255.255.0
  Known via "ospf 1", distance 110, metric 110, type intra area
  Last update from 172.16.1.6 on outside, 5:22:43 ago
  Routing Descriptor Blocks:
  * 172.16.1.6, from 172.16.1.6, 5:22:43 ago, via outside
      Route metric is 110, traffic share count is 1
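To reconcile the two monitoring outputs from the Monitoring section, here is an added Python example (not part of the original post and not a Fortinet or Cisco tool) that parses the relevant lines of the FortiGate and ASA output, checks that the phase 2 selectors and SPIs of both ends mirror each other, and flags the DH group 5 PFS setting and the ASA's replay failures. The sample excerpts are constructed from the values shown above, and the regular expressions assume the FortiOS 5.2 and ASA 9.2 output layouts shown on this page.

```python
import re
# Constructed excerpts of the two monitoring outputs above (values taken from the page).
FORTI_OUT = """
    src: 0:192.168.161.0/255.255.255.0:0
    dst: 0:192.168.131.0/255.255.255.0:0
      inbound
        spi: c97b0f02
      outbound
        spi: b48f2846
"""
ASA_OUT = """
      local ident (addr/mask/prot/port): (192.168.131.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.161.0/255.255.255.0/0/0)
      #pkts replay failed (rcv): 8
      current outbound spi: C97B0F02
      current inbound spi : B48F2846
         in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
"""

def parse_forti(text):
    """Phase 2 selectors and SPIs from 'get vpn ipsec tunnel name <x>' (FortiOS 5.2 layout)."""
    src = re.search(r"src: \d+:([\d.]+)/([\d.]+):", text).groups()
    dst = re.search(r"dst: \d+:([\d.]+)/([\d.]+):", text).groups()
    spis = re.findall(r"(inbound|outbound)\s+spi: ([0-9a-fA-F]+)", text)
    return {"src": src, "dst": dst, "spi": {d: s.lower() for d, s in spis}}

def parse_asa(text):
    """Identities, SPIs, PFS group and replay failures from 'show crypto ipsec sa ... detail'."""
    local = re.search(r"local ident.*: \(([\d.]+)/([\d.]+)/", text).groups()
    remote = re.search(r"remote ident.*: \(([\d.]+)/([\d.]+)/", text).groups()
    spis = re.findall(r"current (inbound|outbound) spi\s*: ([0-9a-fA-F]+)", text)
    pfs = re.search(r"PFS Group (\d+)", text)
    replay = re.search(r"#pkts replay failed \(rcv\): (\d+)", text)
    return {"local": local, "remote": remote, "spi": {d: s.lower() for d, s in spis},
            "pfs": int(pfs.group(1)) if pfs else None,
            "replay_failed": int(replay.group(1)) if replay else 0}

def check_tunnel(forti, asa):
    """Return findings; an empty list means both ends agree and nothing weak was seen."""
    findings = []
    # Policy-based peer: the ASA's local/remote identities must mirror the FortiGate's dst/src.
    if forti["src"] != asa["remote"] or forti["dst"] != asa["local"]:
        findings.append("phase 2 selectors are not mirrored")
    # Each side's inbound SPI is the other side's outbound SPI.
    if forti["spi"].get("inbound") != asa["spi"].get("outbound") or forti["spi"].get("outbound") != asa["spi"].get("inbound"):
        findings.append("SPIs do not cross-match")
    if asa["pfs"] is not None and asa["pfs"] < 14:
        findings.append(f"PFS uses DH group {asa['pfs']} (below group 14)")
    if asa["replay_failed"]:
        findings.append(f"{asa['replay_failed']} packets failed anti-replay on the ASA")
    return findings
```

Run it against the real output of both boxes by pasting the full command output into the two strings; for the lab values above it reports only the DH group 5 PFS and the 8 replay failures, which confirms the selectors and SPIs line up.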