ASA <-> Fortigate IPSec VTI Issue

ggnogame1
Level 1

[image: ggnogame1_2-1715528208026.png]

Hello, I am currently testing IPsec IKEv2 VTI-based (route-based) interworking between an FPR2110 running ASA OS 9.18(3)56 and third-party equipment (Fortigate), as shown in the picture above.


I understand that when creating the Tunnel interface while setting up IPsec VTI on the ASA, an IP must be assigned to it as follows (192.168.255.1/30).

[image: ggnogame1_3-1715528224910.png]


I also understand that when configuring a static route for end-to-end communication over the IPsec tunnel, you must specify the next-hop IP as follows.

(route IPSEC 200.200.200.0 255.255.255.0 192.168.255.2, where 192.168.255.2 is the remaining address of the 192.168.255.0/30 allocated to the Tunnel interface)

[image: ggnogame1_5-1715528491536.png]


However, on Fortigate firewalls, creating a tunnel interface is the same, but we have confirmed that Fortigate has no such requirements, such as assigning an IP to that tunnel or assigning a next-hop IP when setting up static routing for IPsec end-to-end communication.

We have also confirmed that IPsec end-to-end communication is normal, despite the difference in IPsec configuration mechanisms between ASA and Fortigate.

I want to know the role of '192.168.255.1', which the ASA must assign to the Tunnel0 interface for IPsec.
In the actual test, end-to-end communication was normal even though the Fortigate tunnel interface had no IP set on it.
(i.e., Fortigate did not allocate 192.168.255.2/30, and there are no settings related to it.)
This means that the ASA can process IPsec packets normally even though it cannot perform a routing lookup for 192.168.255.2, which is the next hop for IPsec end-to-end communication.

As such, apart from the fact that IPsec interworking and communication are normal, the customer is asking about the ASA's overall restrictions and IPsec communication mechanisms when configuring IPsec, such as having to set an IP on the tunnel and having to specify a next hop when configuring static routing.
In the network configuration above, does the ASA have to have an IP set on the Tunnel interface when using the IPsec VTI method? Or is there another way to configure IPsec without setting an IP?

Please refer to the attached ASAv running-config log. Any questions other than that are welcome.

Thank you.

5 Replies

In Cisco, "tunnel" means VTI.

In other vendors, "tunnel" can mean VTI or a legacy crypto map.

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/250464

MHM


Hello MHM Cisco World, thank you for your response.

We already know the difference between the crypto-map (policy-based) and route-based (VTI) methods.
In the current configuration, the IPsec site-to-site VPN is configured using the route-based method on both the Cisco ASA and the Fortigate.
However, as I mentioned in the question, Fortigate does not need an IP configured on the tunnel interface when configuring a site-to-site IPsec VPN, nor a next hop when configuring static routing for IPsec end-to-end communication,
while on the Cisco ASA you must configure an IP on the Tunnel interface (Tunnel0 in the above example) and a next-hop IP when you configure static routing.

I wonder if the ASA can be configured for a site-to-site VPN without setting an IP on the Tunnel interface, or, if the IP must be configured, what the role of that IP is in IPsec communication?

Thank you.

In ASA S2S route-based VPN,

you need an IP on the tunnel for:

static routes,

any other IGP (OSPF/EIGRP) or BGP.

It is mandatory.

You can use any IP; it does not need to be a specific subnet.

MHM

Hello MHM Cisco World, thank you for your response.

"You can use any IP; it does not need to be a specific subnet." Is the IP to be used for Tunnel0 supposed to be an independent subnet that is not in use by the internal network? (Of course it is, but I'm asking just in case.)


And it's still hard to understand the role of the IPs assigned to Tunnel0. I understood that when implementing GRE tunneling, IPs should be assigned to that GRE tunnel interface, but what role does this IP have in the case of a regular S2S IPsec tunnel?

Thanks.

In a policy-based VPN, the interesting traffic hits the ACL.

A route-based VPN does not use an ACL; it uses routing via the tunnel to protect the traffic, so we need routing for route-based.

Routing traffic toward the tunnel requires the tunnel to have an IP.

For example:

route VTI x.x.x.x x.x.x.x <next-hop>

The next hop is the tunnel peer IP.

This is only for ASA/FTD. For Cisco IOS XE you can use a loopback as the tunnel IP and use the tunnel in a static route without a next hop.

MHM
