Site 2 Site vpn ( Fortinet Fortigate to Cisco ASA route-based )

In this blog, I will demo the  basic configuration for defining a site2site vpn. This vpn uses only one proposal, no pfs, and will allow the defined networks src/dst to be encrypted.

But 1st a topology map;

===================CISCO ASA  CONFIGURATION===================

Now the cisco ASA configurations;

A: tunnel-group 

 

tunnel-group 1.1.1.5  type ipsec-l2l

tunnel-group 1.1.1.5  ipsec-attributes

ikev1 pre-shared-key  ImSoSecuredHaHaha!

NOTE: Please use a strong PSK between peers

B: define a  crypto policy

crypto ikev1 policy 1

 encryption aes-256

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 28800

NOTE: the crypto policies on a cisco firewall must offer a proposal that the peer will present. It should match exactly the cipher type and hash and df-group #

C: ACL for matching interesting traffic ( this must match the traffic exactly )

access-list VPN2FGTHQ extended permit ip 10.200.41.67 255.255.255.255  192.168.254.0 255.255.255.0

 NOTE: this acl should match the  phase2 settings on the  fortigate exactly. Do not try to use a 0.0.0.0/0:0 or a "any". Make it specific to the src & dst-subnets that the lan will pass thru the encryption domain.

D: A  NO-NAT or aka  nat-exemption

object network remotelan
    subnet 192.168.254.0 255.255.255.0

object network myhost
    host 10.200.41.67

nat (INSIDE,EXTERNAL02) source static myhost myhost destination static  remotelan remotelan route-lookup
 

NOTE: if you are using nat-controls, you will need to exempt traffic that should not be NAT over the vpntunnel. The local src network myhost and destination  remotelan, will NOT be nat'd.

E: defining a transform set that will be used later in the crypto-map

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

F: Putting it all together into a crypto-map

crypto map EXTERNAL02_map0 10 match address VPN2FGTHQ

crypto map EXTERNAL02_map0 10 set peer 1.1.1.5

crypto map EXTERNAL02_map0 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-256-SHA

NOTE: A crypto-map uses sequences #s, so you can have multiple  peers defined and unique by using different sequences numbers. Only one crypto-map can be applied to a interface.

G: enabling the crypto-map and ike-policy on our uplink wan interface named "EXTERNAL02"

 

crypto ikev1 enable EXTERNAL02

crypto map EXTERNAL02_map0 interface EXTERNAL02  

NOTE: this step is critical. If you don't enable & bind  ike and the crypto-map to the interface(s) that uplinks to the internet, than your VPN will NOT work !

===================FORTIGATE  CONFIGURATION===================

A: Phase1-interface interface configurations

config vpn ipsec phase1-interface

   edit "FGT2MAcontext2"

        set interface "wan1"

        set dhgrp 2

        set proposal aes256-sha1

        set remote-gw 1.1.1.6

        set psksecret ImSoSecuredHaHaha!

        set keepalive 30

    next

end

NOTE: Please use a strong PSK between the vpn peers

B: Phase2-interface interface configurations

 

config vpn ipsec phase2-interface

   edit "FGT2MAcontext2-P2-1"

        set auto-negotiate enable

        set pfs disable

        set phase1name "FGT2MAcontext2"

        set proposal aes256-sha1

        set replay disable

        set dst-subnet 10.200.41.67 255.255.255.255

        set keylifeseconds 3600

        set src-subnet 192.168.254.0 255.255.255.0

    next

end

NOTE: Please be specific and limit the number of items in the proposal. Also ensure that if you are not using PFS, to disable it within this configuration

C: Static route

 

config router static

    edit 55

        set device "FGT2MAcontext2"

        set dst 10.200.41.67 255.255.255.255

    next

end

NOTE: a static route  is required  ( since this a route-based vpn )

D: Fwpolicies to allow traffic for the lan2lan segments 

config firewall address 

   edit  MYLOCALLAN

         set subnet 192.168.254.0/24

   next

   edit  CISCONETWORK

       set subnet 10.200.41.67/32

   end

 config firewall policy
    edit 0
        set srcintf "switch"
        set dstintf "FGT2MAcontext2"
            set srcaddr "MYLOCALLAN"           
            set dstaddr "CISCONETWORK"           
        set action accept
        set schedule "always"
            set service "ANY"           
    next
    edit 0
        set srcintf "FGT2MAcontext2"
        set dstintf "switch"
            set srcaddr "CISCONETWORK"           
            set dstaddr "MYLOCALLAN"           
        set action accept
        set schedule "always"
            set service "ANY"           
    end

NOTE: A lack of a firewll policy will NOT keep the tunnel from establish, but will prevent traffic. Ensure fwpolicies meets your security policy and posture and allows the traffic that you need. In the above, I'm allowing all traffic types from our management host (10.200.41.67 ) 

===================ASA T-shoot and Tips ===================

The following show command will give you great details on  the ike SA;

show crypto ikev1  sa

The following show commands will give you great details on  the ispec-SA status;

show crypto ipsec sa sum

show crypto ipsec sa  peer 1.1.1.5

NOTE: SPIs for inbound and outbound should match the fortigate outbound and inbound respectively

The following diag commands will give you great details ike issues if the tunnel does not command up. I like to start with level 200 but adjust the level for terse or verbose output

debug crypto ikev1 200

debug crypto ipsec 200

==================Fortigate T-shoot and Tips ===================

I would like to refer you to one of my earlier posts;

http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html

Ken Felix

Freelance Network / Security Engineer

kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^

=(  @   @ )=

          o

       /     \