First, the topology:
The ASR has been configured with the correct IKEv2 policy, keyring and proposals for this VPN to be established. The configuration shown here is the basic configuration required. YMMV.
IKEv2 has been supported in Cisco IOS routers for some time, and in fact earlier than on the Cisco ASA.
NOTE: IKE version 2 has been well supported on Juniper, Palo Alto and a few other firewall vendors.
Here are the configurations and tips.
==================== ASR configuration =====================
IKEv2
note: enable crypto logging for log messages
Crypto transform set & crypto maps
note: don't forget to apply the crypto map to the egress interface via the config commands
interface port 3
crypto map myvpn
ACL
note: this ACL defines the interesting traffic to encrypt. It should match the src/dst subnets of the FortiGate phase 2 exactly.
==================== FGT configuration =====================
The FortiGate side of things is no different from an IKEv1 config, but we must set the IKE version to 2. We also limited the proposal to the exact match between peers: multiple or differing proposals between phase 1 and phase 2 are not supported.
phase1
phase2
route
note: a route-based VPN must have a route installed with the next-hop interface set to the phase 1 name
firewall-policies
Tips
ensure IKEv2 is supported on the firewall and router before you try to build out a VPN
diag vpn ike gateway will provide IKE SA information on the FortiGate
diag vpn tunnel list will provide IPsec SA information on the FortiGate
show crypto ikev2 sa will provide the IKEv2 SA information on the Cisco
show crypto ipsec sa will provide the IPsec SA details and the packets encrypted or decrypted
NOTE: the IKEv2 SA should always match on both peers, and the same goes for the phase 2 SA. SAs within IKEv2 are bidirectional, while IPsec SAs are unidirectional, one inbound and one outbound.
Ken Felix
Consulting Engineer Network & Security ( Cisco, Juniper, Fortinet )
kfelix ----a---t---socpuppets ---d---o---t---com
Thank you for this great post.
What will be the configuration in FGT if the IP of the Cisco router is dynamic?
Thanks..
You will need a dynamic VPN configuration, which means no defined remote-gateway is configured.
The FGT will be a responder only.