IPsec Site-to-Site VPN FortiGate <-> Cisco Router

This blog post shows how to configure a site-to-site IPsec VPN between a FortiGate firewall and a Cisco router. The FortiGate is configured via the GUI – the router via the CLI. I am showing the screenshots/listings as well as a few troubleshooting commands.

The VPN tunnel shown here is a route-based tunnel. That is, I do NOT use proxy-ids in phase 2 for the routing decision (which would be policy-based), but tunnel-interfaces and static routes. This applies to both devices.

The FortiGate firewall in my lab is a FortiWiFi 90D (v5.2.2), the Cisco router a 2811 with software version 12.4(24)T8.

Lab

The following figure shows the lab for this VPN:

S2S VPN FortiGate - Cisco Router w VTI Laboratory

FortiGate

These are the steps for the FortiGate firewall. Refer to the descriptions under the screenshots for further details:

Cisco Router

The Cisco router is configured with the following commands:

Monitoring

The FortiGate has an IPsec Monitor status of “Up”,

VPN FG-Router - FG07 IPsec Monitor

and can be queried via the CLI, too:


The Cisco router show commands are the following:


Ciao.

16 thoughts on “IPsec Site-to-Site VPN FortiGate <-> Cisco Router”

  1. I’m waiting for a blog post that represents the internet speed limits of Cisco / FortiGate / Juniper firewalls. :-)

  2. What is the difference between tunnel to peer?
    And what if I want to set this configuration on a dialer interface?

    thanks,
    Michael

  3. This article seems to be the reference for IPsec Site-to-Site (route-based) VPN between FortiGate and Cisco Router.
    This helped me greatly to get a VPN tunnel up between my 2 devices (Fortigate 60C and Cisco 881W).
    I can ping from the Fortigate LAN to the Cisco LAN however I cannot ping from the Cisco to the Fortigate. I guess I am missing some configuration on the Cisco side.

    !##########################################
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key MyPresharedKey address 10.10.10.106
    crypto isakmp keepalive 10 5
    !
    !
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    mode tunnel
    !
    crypto ipsec profile 3DESMD5
    set transform-set TS
    set pfs group2

    interface Tunnel161
    ip unnumbered FastEthernet4
    tunnel source 10.10.11.71
    tunnel mode ipsec ipv4
    tunnel destination 10.10.10.106
    tunnel protection ipsec profile 3DESMD5

    interface FastEthernet4
    description OUTSIDE
    ip address 10.10.11.71 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto

    interface Vlan1
    description INTERNAL
    ip address 192.168.51.97 255.255.255.248
    ip nat inside
    no ip virtual-reassembly in

    ip nat inside source list 1 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 10.10.11.65
    ip route 192.168.46.0 255.255.255.0 Tunnel161

    access-list 1 permit 192.168.51.96 0.0.0.7
    !#########################################

    Any help would be greatly appreciated.

    1. Well, if the ping in one direction works (including the echo-reply), your VPN is working. Good.
      Have you reviewed all policies? Please verify the policies on the Forti for both directions!

      1. Hi Johannes,
        Thanks for your reply. You were right there was a policy issue on the FG side. All fixed now.
        Thanks again.

      2. Hi Johannes,
        great post ipsec is up and running.
        However I am facing the same issue: unable to reach the remote LAN gw from Cisco / Cisco’s LAN PCs.
        Policy is in both directions, also tried VPN-ANY-ACCEPT.

        1. If your outside interface is public IP – be sure you exclude the VPN tunnel traffic from being NAT’ed, otherwise your Cisco -> Fortigate traffic will work, but the return traffic will go out to the Internet and not back via the tunnel….
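The NAT pitfall discussed in this thread (LAN traffic that should enter the VTI being caught by the NAT overload ACL) is easy to audit from the running config. The following is an added example, not code from the post or from any commenter: a small Python parser for the relevant IOS lines that checks, for every static route pointing into a Tunnel interface, whether the tunnel carries an IPsec profile and whether the NAT ACL would still translate traffic from an `ip nat inside` LAN to that remote prefix. The sample configuration is constructed from the commenter's listing above; the extended ACL number 100 in the hardened variant is an assumption chosen for the example.

```python
import ipaddress
import re

# Constructed sample, modelled on the commenter's config (indentation flattened
# as it appears in the thread; the parser does not rely on it).
ORIGINAL_CONFIG = """\
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile 3DESMD5
set transform-set TS
set pfs group2
interface Tunnel161
ip unnumbered FastEthernet4
tunnel source 10.10.11.71
tunnel mode ipsec ipv4
tunnel destination 10.10.10.106
tunnel protection ipsec profile 3DESMD5
interface FastEthernet4
ip address 10.10.11.71 255.255.255.240
ip nat outside
interface Vlan1
ip address 192.168.51.97 255.255.255.248
ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.10.11.65
ip route 192.168.46.0 255.255.255.0 Tunnel161
access-list 1 permit 192.168.51.96 0.0.0.7
"""

# Constructed hardened variant (assumed ACL number 100): the NAT ACL now denies
# LAN -> remote-site traffic before the catch-all permit, so it stays untranslated.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "ip nat inside source list 1 interface FastEthernet4 overload",
    "ip nat inside source list 100 interface FastEthernet4 overload",
).replace(
    "access-list 1 permit 192.168.51.96 0.0.0.7",
    "access-list 100 deny ip 192.168.51.96 0.0.0.7 192.168.46.0 0.0.0.255\n"
    "access-list 100 permit ip 192.168.51.96 0.0.0.7 any",
)

# Global commands that terminate an interface block (note: 'ip nat inside' alone
# is an interface sub-command, so only the 'source' forms are listed here).
TOP_LEVEL = ("crypto ", "ip route ", "ip nat inside source ", "ip nat outside source ", "access-list ", "!")
DOTTED = re.compile(r"\d+\.\d+\.\d+\.\d+$")

def parse_acl_target(tokens):
    """Consume one ACL address spec ('any', 'host X', 'X WILDCARD' or bare 'X')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    if len(tokens) < 2 or not DOTTED.match(tokens[1]):
        return ipaddress.ip_network(f"{tokens[0]}/32"), tokens[1:]
    # ipaddress accepts a hostmask (IOS wildcard) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    cfg = {"interfaces": {}, "routes": [], "nat_acl": None, "acls": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = []
            continue
        if line.startswith(TOP_LEVEL):
            current = None
        if current is not None:
            cfg["interfaces"][current].append(line)
            continue
        t = line.split()
        if line.startswith("ip route ") and len(t) >= 5:
            cfg["routes"].append((ipaddress.ip_network(f"{t[2]}/{t[3]}"), t[4]))
        elif line.startswith("ip nat inside source list "):
            cfg["nat_acl"] = t[5]
        elif line.startswith("access-list "):
            num, action, rest = t[1], t[2], t[3:]
            if rest and rest[0] in ("ip", "tcp", "udp", "icmp"):   # extended: src + dst
                src, rest = parse_acl_target(rest[1:])
                dst, _ = parse_acl_target(rest)
            else:                                                   # standard: source only
                src, _ = parse_acl_target(rest)
                dst = None
            cfg["acls"].setdefault(num, []).append((action, src, dst))
    return cfg

def acl_action(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, src, dst in entries:
        if src_ip in src and (dst is None or dst_ip in dst):
            return action
    return "deny"

def inside_lans(cfg):
    """(interface, network) for every interface marked 'ip nat inside'."""
    lans = []
    for name, lines in cfg["interfaces"].items():
        if "ip nat inside" in lines:
            for l in lines:
                if l.startswith("ip address "):
                    _, _, addr, mask = l.split()
                    lans.append((name, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return lans

def audit(text):
    cfg = parse_config(text)
    findings = []
    acl = cfg["acls"].get(cfg["nat_acl"], [])
    for remote, via in cfg["routes"]:
        if not via.startswith("Tunnel"):
            continue
        lines = cfg["interfaces"].get(via, [])
        if not any(l.startswith("tunnel protection ipsec profile") for l in lines):
            findings.append(f"{via}: route for {remote} but no IPsec profile bound")
        for lan_if, lan in inside_lans(cfg):
            if acl_action(acl, next(lan.hosts()), next(remote.hosts())) == "permit":
                findings.append(f"{lan_if} {lan} -> {remote}: NAT ACL {cfg['nat_acl']} "
                                "matches tunnel traffic; deny it before the permit")
    return findings

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(text) or "OK")
```

Run against the original listing the audit reports that ACL 1 permits `192.168.51.96/29` to anything, so replies toward `192.168.46.0/24` are translated and leave via FastEthernet4 instead of Tunnel161; the hardened variant reports nothing. Because a standard ACL matches on source only, the exemption needs an extended ACL: a `deny` for LAN-to-remote-site traffic placed before the overload `permit`.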

  4. After configuring the Cisco router for a FortiGate 100C based on the above example, the protocol goes down every couple of minutes.

    Does anyone have an idea on this?

  5. Great post. I only had one issue. Every time I rebooted the Cisco (Cisco 2911), my tunnels would drop. I would have to do a “no ip route 192.168.161.0 255.255.255.0 Tunnel161” then “ip route 192.168.161.0 255.255.255.0 Tunnel161”
    and it worked.

    I fixed it by removing the ip unnumbered portion and giving it an IP, and now it works on reboot. So my Cisco CLI commands looked like this:

    interface Tunnel161
    ip address 172.30.0.1 255.255.255.252
    tunnel source 172.16.1.5
    tunnel destination 172.16.1.6
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile FG

  6. Help please, urgent:
    how to convert this config from Cisco to FortiGate?

    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key Keeeeeeeey address 213.34.208.190
    crypto isakmp keepalive 10 periodic
    !
    !
    crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
    !
    crypto map Keeeeeeeey 10 ipsec-isakmp
    set peer 213.34.208.190
    set transform-set esp-aes-sha

    interface Tunnel0
    ip address 10.10.10.2 255.255.255.0
    tunnel source 195.112.209.210
    tunnel destination 213.34.197.241
