But first, a topology map:
===================CISCO ASA CONFIGURATION===================
Now the Cisco ASA configuration:
A: tunnel-group
tunnel-group 1.1.1.5 type ipsec-l2l
tunnel-group 1.1.1.5 ipsec-attributes
 ikev1 pre-shared-key ImSoSecuredHaHaha!
NOTE: Please use a strong PSK between peers.
B: define a crypto policy
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
NOTE: the crypto policy on a Cisco firewall must offer a proposal that matches what the peer will present: the same cipher, hash and DH group number. (An IKEv1 policy takes a single "hash" and a single "group"; the "integrity"/"prf"/multi-group form belongs to an IKEv2 policy.)
C: ACL for matching interesting traffic (this must match the traffic exactly)
access-list VPN2FGTHQ extended permit ip 10.200.41.67 255.255.255.255 192.168.254.0 255.255.255.0
NOTE: this ACL should match the phase 2 settings on the FortiGate exactly. Do not use 0.0.0.0/0 or "any"; make it specific to the source and destination subnets that the LAN traffic will pass through the encryption domain.
D: A NO-NAT, aka NAT exemption
object network remotelan
 subnet 192.168.254.0 255.255.255.0
object network myhost
 host 10.200.41.67
nat (INSIDE,EXTERNAL02) source static myhost myhost destination static remotelan remotelan route-lookup
NOTE: if you are NATing on this firewall (or using nat-control), you will need to exempt the traffic that should not be NATed over the VPN tunnel. Traffic from the local source network myhost to the destination remotelan will NOT be NATed.
E: defining a transform set that will be used later in the crypto map
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
F: Putting it all together into a crypto map
crypto map EXTERNAL02_map0 10 match address VPN2FGTHQ
crypto map EXTERNAL02_map0 10 set peer 1.1.1.5
crypto map EXTERNAL02_map0 10 set ikev1 transform-set ESP-AES-256-SHA
NOTE: A crypto map uses sequence numbers, so you can define multiple peers, each unique by its sequence number. Only one crypto map can be applied to an interface.
G: enabling the crypto map and IKE policy on our uplink WAN interface named "EXTERNAL02"
crypto ikev1 enable EXTERNAL02
crypto map EXTERNAL02_map0 interface EXTERNAL02
NOTE: this step is critical. If you don't enable IKE and bind the crypto map to the interface(s) that uplink to the Internet, then your VPN will NOT work!
===================FORTIGATE CONFIGURATION===================
A: Phase1-interface configuration
config vpn ipsec phase1-interface
    edit "FGT2MAcontext2"
        set interface "wan1"
        set dhgrp 2
        set proposal aes256-sha1
        set remote-gw 1.1.1.6
        set psksecret ImSoSecuredHaHaha!
        set keepalive 30
    next
end
B: Phase2-interface configuration
config vpn ipsec phase2-interface
    edit "FGT2MAcontext2-P2-1"
        set auto-negotiate enable
        set pfs disable
        set phase1name "FGT2MAcontext2"
        set proposal aes256-sha1
        set replay disable
        set dst-subnet 10.200.41.67 255.255.255.255
        set keylifeseconds 3600
        set src-subnet 192.168.254.0 255.255.255.0
    next
end
NOTE: Please be specific and limit the number of items in the proposal. Also, if you are not using PFS, make sure it is disabled in this configuration.
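The NOTEs on both sides keep coming back to one point: the ASA policy, transform set and crypto ACL must mirror the FortiGate phase1/phase2 proposals, DH group and selectors exactly. Here is an added Python checker (not from the original post) that normalises both sides and reports which parameters disagree; the config excerpts embedded in it are constructed from this post, and the ASA-to-FortiGate algorithm name maps are an assumption covering only the common IKEv1 choices.

```python
import re
# Constructed excerpts of the two configs in this post, reduced to the
# parameters that must agree on both peers for phase 1 and phase 2 to match.
ASA_CFG = """
crypto ikev1 policy 1
 encryption aes-256
 hash sha
 group 2
access-list VPN2FGTHQ extended permit ip 10.200.41.67 255.255.255.255 192.168.254.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
"""
FGT_CFG = """
config vpn ipsec phase1-interface
    set dhgrp 2
    set proposal aes256-sha1
config vpn ipsec phase2-interface
    set proposal aes256-sha1
    set dst-subnet 10.200.41.67 255.255.255.255
    set src-subnet 192.168.254.0 255.255.255.0
"""
# ASA keyword spellings mapped onto FortiGate proposal spellings (assumed map).
ASA_ENC = {"aes": "aes128", "aes-192": "aes192", "aes-256": "aes256", "3des": "3des"}
ASA_HASH = {"sha": "sha1", "md5": "md5"}

def parse_asa(text):
    """Normalise the ASA IKEv1 policy, transform set and crypto ACL."""
    g = lambda pat: re.search(pat, text, re.M)
    enc, hsh, dh = (g(r"^\s*%s (\S+)" % k).group(1) for k in ("encryption", "hash", "group"))
    esp = g(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac")
    acl = g(r"permit ip (\S+) (\S+) (\S+) (\S+)")
    return {"phase1": ASA_ENC[enc] + "-" + ASA_HASH[hsh], "dhgrp": dh,
            "phase2": ASA_ENC[esp.group(1)] + "-" + ASA_HASH[esp.group(2)],
            "asa_local": acl.group(1, 2),    # ACL source = ASA side of the tunnel
            "asa_remote": acl.group(3, 4)}   # ACL destination = FortiGate side

def parse_fgt(text):
    """Pull the same five values out of the FortiGate phase1/phase2 blocks."""
    p1, p2 = text.split("config vpn ipsec phase2-interface")
    g = lambda pat, blk: re.search(pat, blk).group
    return {"phase1": g(r"set proposal (\S+)", p1)(1),
            "dhgrp": g(r"set dhgrp (\d+)", p1)(1),
            "phase2": g(r"set proposal (\S+)", p2)(1),
            # The FortiGate's dst-subnet is the ASA's local side, and vice versa.
            "asa_local": g(r"set dst-subnet (\S+) (\S+)", p2)(1, 2),
            "asa_remote": g(r"set src-subnet (\S+) (\S+)", p2)(1, 2)}

def mismatches(asa_cfg, fgt_cfg):
    """Names of the parameters that do not agree between the two peers ([] = match)."""
    a, f = parse_asa(asa_cfg), parse_fgt(fgt_cfg)
    return sorted(k for k in a if a[k] != f[k])
```

Swapping the FortiGate src-subnet and dst-subnet, or changing one side's DH group, shows up as a named mismatch instead of a silent phase 2 failure.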
C: Static route
config router static
    edit 55
        set device "FGT2MAcontext2"
        set dst 10.200.41.67 255.255.255.255
    next
end
NOTE: a static route is required (since this is a route-based VPN).
D: Firewall policies to allow traffic for the LAN-to-LAN segments
config firewall address
    edit MYLOCALLAN
        set subnet 192.168.254.0/24
    next
    edit CISCONETWORK
        set subnet 10.200.41.67/32
    next
end
config firewall policy
    edit 0
        set srcintf "switch"
        set dstintf "FGT2MAcontext2"
        set srcaddr "MYLOCALLAN"
        set dstaddr "CISCONETWORK"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "FGT2MAcontext2"
        set dstintf "switch"
        set srcaddr "CISCONETWORK"
        set dstaddr "MYLOCALLAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
NOTE: A missing firewall policy will NOT keep the tunnel from establishing, but it will block the traffic. Ensure your firewall policies meet your security policy and posture and allow the traffic that you need. In the above, I'm allowing all traffic types from our management host (10.200.41.67).
===================ASA T-shoot and Tips ===================
The following show command will give you great detail on the IKE SA:
show crypto ikev1 sa
The following show commands will give you great detail on the IPsec SA status:
show crypto ipsec sa sum
show crypto ipsec sa peer 1.1.1.5
NOTE: the inbound and outbound SPIs should match the FortiGate's outbound and inbound SPIs respectively.
The following debug commands will give you great detail on IKE issues if the tunnel does not come up. I like to start with level 200, but adjust the level for terser or more verbose output.
debug crypto ikev1 200
debug crypto ipsec 200
==================Fortigate T-shoot and Tips ===================
I would like to refer you to one of my earlier posts:
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( @ @ )=
o
/ \
Nice blog and share are so useful..
vpn encryption: Do you keep ANY logs which would allow you to match an IP address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long? http://top10-bestvpn.com/
You have shared nice information on site to site VPN. Recently, hired services of fast Expressvpn after taking details on them through the tech reviews. Happy to get fast speed and really happy to get access to different websites.