Wednesday, May 14, 2014

Site 2 Site vpn ( Fortinet Fortigate to Cisco ASA route-based )

In this blog post, I will demo the basic configuration for a site-to-site VPN. This VPN uses only one proposal, no PFS, and allows only the defined source/destination networks to be encrypted.

But first, a topology map;

===================CISCO ASA  CONFIGURATION===================

Now the Cisco ASA configuration;

A: tunnel-group

tunnel-group  type ipsec-l2l
tunnel-group  ipsec-attributes
 ikev1 pre-shared-key ImSoSecuredHaHaha!

NOTE: Please use a strong PSK between peers

B: define a crypto policy

crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

NOTE: the crypto policy on a Cisco firewall must offer a proposal that the peer will also present. It must match the cipher type, the hash and the DH group number exactly.

C: ACL for matching interesting traffic ( this must match the traffic exactly )

access-list VPN2FGTHQ extended permit ip

NOTE: this ACL should match the phase2 settings on the FortiGate exactly. Do not try to use a or an "any". Make it specific to the src & dst subnets that the LAN will pass through the encryption domain.

D: A NO-NAT, aka NAT exemption

object network remotelan
object network myhost

nat (INSIDE,EXTERNAL02) source static myhost myhost destination static remotelan remotelan route-lookup

NOTE: if you are using nat-control, you will need to exempt the traffic that should not be NATed over the VPN tunnel. Traffic from the local source network myhost to the destination remotelan will NOT be NATed.

E: defining a transform set that will be used later in the crypto map

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

F: Putting it all together into a crypto map

crypto map EXTERNAL02_map0 10 match address VPN2FGTHQ
crypto map EXTERNAL02_map0 10 set peer
crypto map EXTERNAL02_map0 10 set ikev1 transform-set ESP-AES-256-SHA

NOTE: A crypto map uses sequence numbers, so you can have multiple peers defined, each unique by its sequence number. Only one crypto map can be applied to an interface.

G: enabling the crypto map and IKE policy on our uplink WAN interface named "EXTERNAL02"

crypto ikev1 enable EXTERNAL02
crypto map EXTERNAL02_map0 interface EXTERNAL02

NOTE: this step is critical. If you don't enable IKE and bind the crypto map on the interface(s) that uplink to the internet, then your VPN will NOT work !

===================FORTIGATE  CONFIGURATION===================

A: Phase1-interface configuration

config vpn ipsec phase1-interface
    edit "FGT2MAcontext2"
        set interface "wan1"
        set dhgrp 2
        set proposal aes256-sha1
        set remote-gw
        set psksecret ImSoSecuredHaHaha!
        set keepalive 30
    next
end

NOTE: Please use a strong PSK between the vpn peers

B: Phase2-interface configuration

config vpn ipsec phase2-interface
    edit "FGT2MAcontext2-P2-1"
        set phase1name "FGT2MAcontext2"
        set proposal aes256-sha1
        set pfs disable
        set replay disable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet
        set dst-subnet
    next
end

NOTE: Please be specific and limit the number of items in the proposal. Also, if you are not using PFS, make sure it is disabled in this configuration.
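The NOTEs on the ASA crypto policy and on the FortiGate phase2 proposal both say the two sides must agree exactly. As an added example (not from the original post), this Python script parses the ASA IKEv1 policy and transform-set and the FortiGate phase1/phase2 proposals out of config text and reports any mismatch in cipher, hash, DH group or PFS. The config snippets inside it are constructed from the values used in this post; the ASA PFS check assumes PFS is on only when "set pfs" appears on the crypto map entry.

```python
import re
# Constructed sample snippets (illustrative values, not taken from a real deployment).
ASA_CFG = """crypto ikev1 policy 1
 encryption aes-256
 hash sha
 group 2
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
"""
FGT_CFG = """config vpn ipsec phase1-interface
    edit "FGT2MAcontext2"
        set dhgrp 2
        set proposal aes256-sha1
    next
end
config vpn ipsec phase2-interface
    edit "FGT2MAcontext2-P2-1"
        set pfs disable
        set proposal aes256-sha1
    next
end
"""

def _get(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def fgt_proposal(prop):
    # Map a FortiGate 'aes256-sha1' proposal onto the ASA keywords 'aes-256' / 'sha'
    enc, hsh = prop.split("-", 1)
    return re.sub(r"^aes(\d+)$", r"aes-\1", enc), {"sha1": "sha"}.get(hsh, hsh)

def parse_asa(cfg):
    ts = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", cfg)
    return {"p1": (_get(r"^\s*encryption (\S+)", cfg), _get(r"^\s*hash (\S+)", cfg)),
            "dhgrp": _get(r"^\s*group (\d+)", cfg),
            "p2": (ts.group(1), ts.group(2)) if ts else None,
            # ASA enables PFS only with 'set pfs' on the crypto map entry (assumption)
            "pfs": re.search(r"^crypto map \S+ \d+ set pfs", cfg, re.M) is not None}

def parse_fgt(cfg):
    p1, p2 = cfg.split("config vpn ipsec phase2-interface", 1)
    return {"p1": fgt_proposal(_get(r"set proposal (\S+)", p1)),
            "dhgrp": _get(r"set dhgrp (\d+)", p1),
            "p2": fgt_proposal(_get(r"set proposal (\S+)", p2)),
            # FortiOS defaults to PFS on, so anything but 'set pfs disable' means enabled
            "pfs": _get(r"set pfs (\S+)", p2) != "disable"}

def mismatches(asa, fgt):
    # One line per parameter the two peers disagree on; an empty list means consistent
    return [f"{k}: ASA={asa[k]} FortiGate={fgt[k]}"
            for k in ("p1", "dhgrp", "p2", "pfs") if asa[k] != fgt[k]]
```

Run it as `mismatches(parse_asa(ASA_CFG), parse_fgt(FGT_CFG))` after pasting your own two configs in; the FortiGate "dhgrp 2" matching the ASA "group 2" is exactly the kind of thing it catches when someone changes one side.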

C: Static route

config router static
    edit 55
        set device "FGT2MAcontext2"
        set dst
    next
end

NOTE: a static route is required ( since this is a route-based VPN )

D: Firewall policies to allow traffic for the lan2lan segments

config firewall address
    edit "MYLOCALLAN"
        set subnet
    next
    edit "CISCONETWORK"
        set subnet
    next
end

config firewall policy
    edit 0
        set srcintf "switch"
        set dstintf "FGT2MAcontext2"
        set srcaddr "MYLOCALLAN"
        set dstaddr "CISCONETWORK"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "FGT2MAcontext2"
        set dstintf "switch"
        set srcaddr "CISCONETWORK"
        set dstaddr "MYLOCALLAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

NOTE: A missing firewall policy will NOT keep the tunnel from establishing, but it will block traffic. Ensure the firewall policies meet your security policy and posture and allow the traffic that you need. In the above, I'm allowing all traffic types from our management host ( )

===================ASA T-shoot and Tips ===================

The following show command will give you great detail on the IKE SA;

show crypto ikev1 sa

The following show commands will give you great detail on the IPsec SA status;

show crypto ipsec sa sum
show crypto ipsec sa peer

NOTE: the ASA's inbound and outbound SPIs should match the FortiGate's outbound and inbound SPIs respectively
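To turn that SPI note into a check rather than an eyeball comparison, here is an added Python example (not from the original post). It pulls the inbound/outbound SPIs out of ASA "show crypto ipsec sa" output and the dec/enc SPIs out of FortiGate "diagnose vpn tunnel list" output and verifies they cross-match. The sample outputs are constructed, with their shape assumed from how those commands typically print; only the spi lines matter to the parser.

```python
import re

# Constructed sample output: the shape is assumed from 'show crypto ipsec sa' (ASA)
# and 'diagnose vpn tunnel list' (FortiGate); SPI values are made up.
ASA_SA = """    inbound esp sas:
      spi: 0xC6D3E8A1 (3335911585)
         transform: esp-aes-256 esp-sha-hmac no compression
    outbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         transform: esp-aes-256 esp-sha-hmac no compression
"""
FGT_TUNNEL = """  dec: spi=1a2b3c4d esp=aes key=32 <key omitted>
  enc: spi=c6d3e8a1 esp=aes key=32 <key omitted>
"""

def asa_spis(text):
    # Walk the output, remembering whether we are under 'inbound' or 'outbound esp sas:'
    spis, section = {"inbound": [], "outbound": []}, None
    for line in text.splitlines():
        hdr = re.match(r"\s*(inbound|outbound) esp sas:", line)
        if hdr:
            section = hdr.group(1)
            continue
        spi = re.match(r"\s*spi: 0x([0-9A-Fa-f]+)", line)
        if spi and section:
            spis[section].append(spi.group(1).lower())
    return spis

def fgt_spis(text):
    # 'dec' is the SPI the FortiGate receives on, 'enc' the SPI it sends with
    return {d: re.findall(rf"^\s*{d}: spi=([0-9a-f]+)", text, re.M) for d in ("dec", "enc")}

def spi_check(asa, fgt):
    # What the ASA receives on must be what the FortiGate sends with, and vice versa
    return {"asa_in_eq_fgt_enc": set(asa["inbound"]) == set(fgt["enc"]),
            "asa_out_eq_fgt_dec": set(asa["outbound"]) == set(fgt["dec"])}
```

If either flag comes back False while both sides claim the tunnel is up, you are usually looking at a stale SA on one peer, which is the case the debug commands below are for.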

The following debug commands will give you great detail on IKE issues if the tunnel does not come up. I like to start with level 200, but adjust the level for terser or more verbose output

debug crypto ikev1 200
debug crypto ipsec 200

==================Fortigate T-shoot and Tips ===================

I would like to refer you to one of my earlier posts;

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
       /     \


  1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

  2. You have shared nice information on site-to-site VPN. Recently, I hired the services of the fast ExpressVPN after reading details on them in the tech reviews. Happy to get fast speed and really happy to get access to different websites.