This blog post shows how to configure a site-to-site IPsec VPN between a FortiGate firewall and a Cisco router. The FortiGate is configured via the GUI – the router via the CLI. I am showing the screenshots/listings as well as a few troubleshooting commands.
The VPN tunnel shown here is a route-based tunnel. That is, the phase 2 selectors (proxy-IDs) stay at 0.0.0.0/0 and play no part in the routing decision (using them for that would be a policy-based tunnel); instead each side has a tunnel interface and a static route pointing into it. This applies to both devices.
Lab
FortiGate
These are the steps for the FortiGate firewall. Refer to the descriptions under the screenshots for further details:
Cisco Router
The Cisco router is configured with the following commands. Note that the ISAKMP policy has no hash line, so the IOS default SHA-1 applies, which is why the FortiGate reports the phase 1 proposal as aes-256-sha1 in the monitoring output further down. Also note that the pre-shared key is shown in clear text in the running configuration unless type 6 key encryption is enabled (key config-key password-encrypt followed by password encryption aes):
! Phase 1 (IKEv1, main mode): AES-256, pre-shared key, DH group 14, 8 h lifetime.
! No "hash" line, so the IOS default SHA-1 is used.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 28800
! PSK for the FortiGate peer
crypto isakmp key ZByLKnMxmohpNLBPAgwckJhY address 172.16.1.6
! DPD: keepalive every 10 s, retries every 5 s
crypto isakmp keepalive 10 5
!
! Phase 2: ESP with AES-256 and HMAC-SHA1, PFS with DH group 14
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
!
crypto ipsec profile FG
 set transform-set aes256-sha
 set pfs group14
!
! Route-based VTI: no crypto map or crypto ACL, the static route decides what gets encrypted
interface Tunnel161
 ip unnumbered FastEthernet0/1.151
 tunnel source 172.16.1.5
 tunnel destination 172.16.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FG
!
ip route 192.168.161.0 255.255.255.0 Tunnel161
Monitoring
The tunnel status is shown in the FortiGate GUI and can be queried via the CLI, too. Note that get vpn ipsec tunnel name prints the live ESP keys of the SA in clear text, so treat that output like a password when you paste it into tickets or mails:
fd-wv-fw04 # get vpn ike gateway fd-wv-ro03
vd: root/0
name: fd-wv-ro03
version: 1
interface: wan1 6
addr: 172.16.1.6:500 -> 172.16.1.5:500
created: 1789239s ago
IKE SA created: 1/63 established: 1/63 time: 380/461/2480 ms
IPsec SA created: 1/514 established: 1/514 time: 360/382/590 ms
id/spi: 20213 7369fa8ea50b4193/15f1b4d8a7818977
direction: initiator
status: established 22210-22210s ago = 380ms
proposal: aes-256-sha1
key: 2a0a6784e29fbe70-ade0d6d6a368bdca-5e81890d77f7ca7a-db7e9f75c746aa94
lifetime/rekey: 28800/6289
DPD sent/recv: 000d1c3e/4f447f71
fd-wv-fw04 #
fd-wv-fw04 #
fd-wv-fw04 # get vpn ipsec tunnel name fd-wv-ro03
gateway
name: 'fd-wv-ro03'
type: route-based
local-gateway: 172.16.1.6:0 (static)
remote-gateway: 172.16.1.5:0 (static)
mode: ike-v1
interface: 'wan1' (6)
rx packets: 1584 bytes: 199840 errors: 0
tx packets: 1595 bytes: 135078 errors: 0
dpd: enabled/negotiated idle: 5000ms retry: 3 count: 0
selectors
name: 'fd-wv-ro03'
auto-negotiate: disable
mode: tunnel
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA
lifetime/rekey: 3600/923
mtu: 1438
tx-esp-seq: 600
replay: enabled
inbound
spi: c97b0d54
enc: aes 43821ea396d91c75a865fa39ceb11dbae01761965f5c259c8ff08288034a2951
auth: sha1 e3b74f75ee315f3a6bb6c08f820fd7326e6efa1e
outbound
spi: 5ffae69c
enc: aes 8b4721951aa7878a50c865f1853fd55944dfc514e7f12fee8288d458f3aa8b64
auth: sha1 f8905c11627d73bd643bda374f8a6214dbc12281
NPU acceleration: encryption(outbound) decryption(inbound)
The Cisco router show commands are the following:
fd-wv-ro03#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1195 172.16.1.5 172.16.1.6 ACTIVE aes sha psk 14 01:46:56 D
Engine-id:Conn-id = SW:195
IPv6 Crypto ISAKMP SA
fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show crypto ipsec sa peer 172.16.1.6
interface: Tunnel161
Crypto map tag: Tunnel161-head-0, local addr 172.16.1.5
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 172.16.1.6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1856, #pkts encrypt: 1856, #pkts digest: 1856
#pkts decaps: 1855, #pkts decrypt: 1855, #pkts verify: 1855
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 1
local crypto endpt.: 172.16.1.5, remote crypto endpt.: 172.16.1.6
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xC97B0D54(3380284756)
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0x5FFAE69C(1610278556)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2737, flow_id: NETGX:737, sibling_flags 80000046, crypto map: Tunnel161-head-0
sa timing: remaining key lifetime (k/sec): (4506750/791)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC97B0D54(3380284756)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2738, flow_id: NETGX:738, sibling_flags 80000046, crypto map: Tunnel161-head-0
sa timing: remaining key lifetime (k/sec): (4506750/791)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
fd-wv-ro03#
fd-wv-ro03#
fd-wv-ro03#show ip route static
S 192.168.161.0/24 is directly connected, Tunnel161
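The two sides can be checked against each other mechanically: the phase 1 proposal the FortiGate reports must be what the router's ISAKMP policy expands to (including the SHA-1 default), the ESP key length the FortiGate shows must match the transform set, PFS must be negotiated with the configured group, and the ESP SPIs must be mirrored (the FortiGate's inbound SPI c97b0d54 is the router's outbound SPI, and 5ffae69c the other way round). The following script is an added example, not code from the original post. It runs on trimmed copies of the listings above, embedded as constructed sample strings; the function and variable names are mine, and the mapping from IOS hash keywords to the FortiGate display form (HASH_NAMES) is an assumption beyond the one pair visible on this page (sha shown as sha1).

```python
"""Cross-check a route-based IPsec tunnel from both peers' CLI output.
Added example, not code from the original post; the sample strings are
trimmed copies of the listings above and the parsing is line-oriented."""
import re

CISCO_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 group 14
 lifetime 28800
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
crypto ipsec profile FG
 set transform-set aes256-sha
 set pfs group14
"""
FORTI_IKE = """\
proposal: aes-256-sha1
lifetime/rekey: 28800/6289
"""
FORTI_IPSEC = """\
inbound
spi: c97b0d54
enc: aes 43821ea396d91c75a865fa39ceb11dbae01761965f5c259c8ff08288034a2951
outbound
spi: 5ffae69c
"""
CISCO_IPSEC_SA = """\
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0x5FFAE69C(1610278556)
outbound esp sas:
spi: 0xC97B0D54(3380284756)
"""
# IOS hash keyword -> spelling in 'get vpn ike gateway' (assumed beyond sha -> sha1)
HASH_NAMES = {"md5": "md5", "sha": "sha1", "sha256": "sha256", "sha512": "sha512"}


def parse_isakmp_policy(cfg):
    """Phase-1 parameters of the first 'crypto isakmp policy' block. Absent
    lines keep the IOS defaults (hash sha = SHA-1, group 1, lifetime 86400)."""
    pol = {"encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
    inside = False
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy"):
            inside = True
            continue
        if inside and not line.startswith(" "):
            break  # next top-level command ends the policy block
        m = re.match(r"\s*(encr|hash|group|lifetime)\s+(.+)", line)
        if inside and m:
            pol[m.group(1)] = m.group(2).strip()
    return pol


def ios_phase1_to_forti(pol):
    """'encr aes 256' + 'hash sha' -> 'aes-256-sha1', the FortiGate display form."""
    return pol["encr"].replace(" ", "-") + "-" + HASH_NAMES[pol["hash"]]


def parse_spis(text, inbound_marker, outbound_marker):
    """ESP SPI per direction as lowercase hex; handles 'c97b0d54' (FortiGate)
    as well as '0xC97B0D54(3380284756)' (IOS)."""
    spis, section = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(inbound_marker):
            section = "inbound"
        elif s.startswith(outbound_marker):
            section = "outbound"
        elif s.startswith("spi:") and section:
            spis[section] = re.search(r"(?:0x)?([0-9a-fA-F]+)", s[4:]).group(1).lower()
    return spis


def check_tunnel(cisco_cfg, forti_ike, forti_ipsec, cisco_sa):
    """Return the list of mismatches between the two peers; empty means consistent."""
    findings = []
    pol = parse_isakmp_policy(cisco_cfg)
    ike = {k.strip(): v.strip() for k, v in
           (ln.split(":", 1) for ln in forti_ike.splitlines() if ":" in ln)}
    want = ios_phase1_to_forti(pol)
    if ike.get("proposal") != want:
        findings.append(f"phase1 proposal: FortiGate {ike.get('proposal')} vs IOS {want}")
    if ike.get("lifetime/rekey", "").split("/")[0] != pol["lifetime"]:
        findings.append("phase1 lifetime differs from the ISAKMP policy")
    # ESP key length the FortiGate reports (hex digits * 4) vs 'esp-aes <bits>'
    key = re.search(r"enc: aes ([0-9a-f]+)", forti_ipsec)
    esp = re.search(r"transform-set \S+ esp-aes (\d+)", cisco_cfg)
    if key and esp and len(key.group(1)) * 4 != int(esp.group(1)):
        findings.append(f"ESP cipher: FortiGate AES-{len(key.group(1)) * 4} vs IOS AES-{esp.group(1)}")
    # PFS group actually negotiated (show crypto ipsec sa) vs the ipsec profile
    pfs = re.search(r"set pfs (\S+)", cisco_cfg)
    neg = re.search(r"PFS \(Y/N\): (\w), DH group: (\S+)", cisco_sa)
    if pfs and not (neg and neg.group(1) == "Y" and neg.group(2) == pfs.group(1)):
        findings.append("PFS negotiated differs from the ipsec profile")
    # SPIs must be mirrored: FortiGate inbound == IOS outbound and vice versa
    f = parse_spis(forti_ipsec, "inbound", "outbound")
    c = parse_spis(cisco_sa, "inbound esp sas", "outbound esp sas")
    if (f.get("inbound"), f.get("outbound")) != (c.get("outbound"), c.get("inbound")):
        findings.append(f"ESP SPIs not mirrored: FortiGate {f} vs IOS {c}")
    return findings
```

Call check_tunnel() with the pasted output of show running-config, get vpn ike gateway, get vpn ipsec tunnel name and show crypto ipsec sa peer; an empty list means both peers agree on the listings above, and a non-empty list names the layer that disagrees (phase 1 proposal, ESP cipher, PFS or SPIs) before you reach for debug crypto isakmp.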
Ciao.