Wednesday, May 21, 2014

HOWTO: ASR IOS-XE to Fortigate IKEv2 route-based VPN

In this blog we will look at a route-based IPsec VPN to a Cisco router running IOS-XE (ASR1002) using the legacy crypto-map method. This VPN has been defined using IKEv2 with AES128.

First, the topology:

The ASR has been configured with the IKEv2 policy, keyring and proposals needed for this VPN to be established. The configuration shown here is the basic configuration required. YMMV.

IKEv2 has been supported in Cisco IOS routers for some time, and actually earlier than on the Cisco ASA.

NOTE: IKE version 2 has been well supported in Juniper, Palo Alto and a few other firewall vendors.

Here are the configurations and tips.

====================   ASR  configuration =====================


note: enabling crypto logging for log messages

Crypto transform sets & maps

note: don't forget to enable the crypto map on the egress interface via the config commands

interface port 3
   crypto map myvpn 


note: this ACL defines the interesting traffic to encrypt. It should match the FortiGate src-subnet/dst-subnet exactly.
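As an added example (not the post's own configuration, which was shown as images), here is the ASR side written out in IOS-XE CLI with the crypto-map method described above. The proposal, transform set, ACL, object names and peer/subnet addresses are assumed values; only the crypto map name "myvpn" comes from the post. The FortiGate phase1/phase2 must carry the same proposal and PFS group and mirror the subnets in the ACL.

```cisco
! Added example (not the post's own config): IOS-XE IKEv2 with a legacy
! crypto map. Peer addresses, subnets and object names are assumed; the
! crypto map name "myvpn" is the one the post uses.
crypto logging ikev2
!
crypto ikev2 proposal FGT-PROP
 encryption aes-cbc-128
 integrity sha256
 group 14
crypto ikev2 policy FGT-POL
 proposal FGT-PROP
!
crypto ikev2 keyring FGT-KEYRING
 peer FGT
  address 203.0.113.2
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile FGT-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local FGT-KEYRING
!
! Phase 2: the FortiGate phase2 proposal and PFS group must be identical
crypto ipsec transform-set FGT-TS esp-aes 128 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: one line that mirrors the FortiGate phase2
! src-subnet/dst-subnet exactly (ASR LAN -> FortiGate LAN)
ip access-list extended FGT-VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map myvpn 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set FGT-TS
 set pfs group14
 set ikev2-profile FGT-PROF
 match address FGT-VPN-ACL
!
! The map does nothing until it is applied to the egress (WAN) interface
interface GigabitEthernet0/0/0
 crypto map myvpn
```

A mismatch in any one of proposal, PFS group, PSK or selector subnets shows up as a failed IKEv2 or child SA negotiation, so compare these values side by side with the FortiGate phase1/phase2 before troubleshooting anything else.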

====================   FGT  configuration =====================

The FortiGate side of things is no different from an IKEv1 config, but we must set the IKE version to IKEv2. We also limited the proposal to be an exact match between the peers: there is no support for multiple, differing proposals between phase1 & phase2.




note: a route-based VPN must have a route installed with the phase1 name as the next-hop interface



  ensure IKEv2 is supported in the firewall and router before you try to build out a VPN
  diag vpn ike gateway will provide IKE SA information for the FortiGate
  diag vpn tunnel list will provide IPsec SA information
  show crypto ikev2 sa will provide Cisco SA information for IKEv2
  show crypto ipsec sa will provide SA details and packets encrypted or decrypted

NOTE: the IKEv2 SA should always match on both peers, and the same goes for the phase2 SA. SAs within IKEv2 are bidirectional, while IPsec SAs are unidirectional (one inbound, one outbound).

Ken Felix
Consulting Engineer Network & Security  ( Cisco, Juniper, Fortinet )
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   #   # )=
      /     \


  1. Thank you for this great post.
    What will be the configuration in FGT if the IP of the Cisco router is dynamic?


  2. You will need a dynamic VPN configuration, which means no defined remote-gateway is configured.

    The FGT will be a responder only.