IPsec Site-to-Site VPN FortiGate <-> Cisco ASA

The following is a step-by-step tutorial for a site-to-site VPN between a Fortinet FortiGate and a Cisco ASA firewall. I show screenshots of both GUIs for configuring the VPN, as well as some CLI show commands.

Since the Cisco ASA only supports policy-based VPNs, the proxy-IDs (phase 2 selectors) must be configured on the FortiGate as well. Furthermore, for IKEv1 the ASA only supports Diffie-Hellman group 5 (not 14) and SHA-1 (not SHA-256).

I am running a FortiWiFi 90D (v5.2.2) and a Cisco ASA 5505 (9.2(3)) in my lab.
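As an added example (not the configuration from the original post), this is how the constraints above look on the CLI of both peers: identical phase 2 selectors on each side, DH group 5 and SHA-1 for IKEv1. The peer addresses (203.0.113.1 for the FortiGate, 198.51.100.1 for the ASA), the ASA-side network 10.0.0.0/24, the interface, object and map names and the pre-shared key are placeholders; 192.168.161.0/24 is the FortiGate-side network from the lab.

```text
! --- Cisco ASA 9.2(3): policy-based IKEv1 tunnel (placeholder addresses/names) ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
object network LOCAL-NET
 subnet 10.0.0.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.161.0 255.255.255.0
! the crypto ACL is the ASA's proxy-ID; it must mirror the FortiGate phase 2 selectors below
access-list VPN-TO-FG extended permit ip object LOCAL-NET object REMOTE-NET
! exempt tunnel traffic from NAT
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set FG-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-FG
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set FG-TS
crypto map OUTSIDE-MAP 10 set pfs group5
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK

# --- FortiGate (FortiOS 5.2): route-based tunnel with matching selectors (placeholder names) ---
config vpn ipsec phase1-interface
    edit "to-asa"
        set interface "wan1"
        set ike-version 1
        set proposal aes256-sha1
        set dhgrp 5
        set keylife 86400
        set remote-gw 198.51.100.1
        set psksecret PLACEHOLDER-PSK
    next
end
config vpn ipsec phase2-interface
    edit "to-asa-p2"
        set phase1name "to-asa"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 5
        # src/dst must equal the ASA crypto ACL with the sides swapped
        set src-subnet 192.168.161.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end
```

The FortiGate firewall policies and the static route pointing 10.0.0.0/24 at the tunnel interface are omitted here; on the ASA, `sysopt connection permit-vpn` (enabled by default) lets decrypted tunnel traffic bypass the interface ACL.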

Lab

This is the lab for the tutorial:

S2S VPN FortiGate - Cisco ASA Laboratory

FortiGate

Here are the screenshots from the FortiGate GUI. Refer to the descriptions for more details:

Cisco ASA

Similar for the ASA:

Monitoring

Both firewalls can be monitored via the GUI:

Or via some CLI commands. FortiGate:


Cisco ASA:


And once more, note that the ASA only implements policy-based VPNs. That is, the route in the routing table is NOT correct! In my lab, the remote network behind the FortiGate (192.168.161.0/24) is also propagated via OSPF, but traffic to that network leaves via the VPN tunnel and not via this misleading routing entry:

