4284 Views | 0 Helpful | 4 Replies

IPSEC between Fortinet and Cisco SA540

satish Chowdary (Level 1)

Hi,

We have set up a site-to-site VPN between a Fortinet and a Cisco SA540. Everything is configured at both ends, but the tunnel is not established. Can you help me resolve the issue?

Regards,

Satish.

4 Replies

jonatrod (Level 7)

Good morning

Thanks for using our forum

Hi Ven, my name is Johnnatan and I am part of the Small Business Support community.

Ensure you have the same policies configured at both sites, and ensure you have the correct addresses or domains configured. You can find some help on page 7:

http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA500_AG_OL1911404.pdf

Ven, if you have all of these correct, let's proceed with some troubleshooting steps:

1. Configure the VPN manually again, but this time using different values in your VPN policies (DF, authentication and encryption algorithm).

2. Disable "Dead Peer Detection" in the IKE policies.

3. Disable "PFS Key Group" in the VPN policies.

4. Ensure IPsec traffic is allowed at both sites: go to VPN > IPSec > Passthrough and ensure IPsec is enabled.

I hope you find this answer useful. If it was satisfactory for you, please mark the question as Answered, and please rate posts you consider useful.

By the way, you have a small business device, so you could post in Small Business Security to get more feedback on your case; more users will see it there. You can move your post using the actions panel on the right.

Have a nice day!!!!

Johnnatan Rodriguez Miranda.

Cisco Network Support Engineer.

"Please rate useful posts so other users can benefit from it"
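Steps 1 and 4 above are really two questions: does the peer answer at all (reachability, UDP 500/4500 passthrough, the right peer address), and if it does, is it rejecting the proposal? A capture of UDP/500 on the outside interface answers both even when the appliance's GUI shows little. The following is an added example of mine, not code from the thread or from Cisco or Fortinet: it decodes the ISAKMP header and cleartext Notification payloads (RFC 2408 layout) and reduces a list of datagrams to a verdict. The datagrams, cookies, addresses and verdict texts are constructed for the example. A phase 2 rejection travels encrypted under the phase 1 SA, so in that case the code can only report that an encrypted notify came back and point you at the firewall's IKE log.

```python
"""Classify an IKEv1 (ISAKMP) negotiation from UDP/500 datagrams.

Added example, not from the thread or either vendor.  Decodes the 28-byte
ISAKMP header and any cleartext Notification payloads (RFC 2408) and turns a
list of captured datagrams into one verdict.  Datagrams below are constructed.
"""
import struct

EXCHANGE = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
NOTIFY = {1: "INVALID-PAYLOAD-TYPE", 14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
          18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
NOTIFY_PAYLOAD = 11


def parse_isakmp(dgram):
    """Return header fields and the names of any cleartext Notify types."""
    if len(dgram) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, next_pl, ver, xchg, flags, _msgid, length = struct.unpack("!8s8sBBBBII", dgram[:28])
    if ver >> 4 != 1 or length != len(dgram):
        raise ValueError("not IKEv1 or length mismatch")
    encrypted = bool(flags & 1)          # E bit set: payloads are ciphertext, do not walk them
    notifies, off = [], 28
    while not encrypted and next_pl != 0:
        if off + 4 > len(dgram):
            raise ValueError("payload chain runs past datagram")
        pl_next, _res, pl_len = struct.unpack("!BBH", dgram[off:off + 4])
        if pl_len < 4 or off + pl_len > len(dgram):
            raise ValueError("bad payload length")
        if next_pl == NOTIFY_PAYLOAD and pl_len >= 12:
            # generic hdr(4) + DOI(4) + protocol(1) + SPI size(1), then the 2-byte notify type
            ntype = struct.unpack("!H", dgram[off + 10:off + 12])[0]
            notifies.append(NOTIFY.get(ntype, f"notify-{ntype}"))
        next_pl, off = pl_next, off + pl_len
    return {"icookie": icookie, "rcookie": rcookie, "exchange": EXCHANGE.get(xchg, f"exchange-{xchg}"),
            "encrypted": encrypted, "notifies": notifies}


def diagnose(packets, local, peer):
    """packets: iterable of (src_ip, dst_ip, datagram).  Returns a verdict string."""
    sent = [parse_isakmp(d) for s, t, d in packets if (s, t) == (local, peer)]
    recv = [parse_isakmp(d) for s, t, d in packets if (s, t) == (peer, local)]
    if not sent:
        return "no IKE sent: no interesting traffic hit the crypto policy, or wrong peer address"
    if not recv:
        return "no reply from peer: check reachability, UDP 500/4500 passthrough and the peer address"
    notifies = [n for m in recv for n in m["notifies"]]
    if "NO-PROPOSAL-CHOSEN" in notifies:
        return "phase 1 proposal rejected (NO-PROPOSAL-CHOSEN): match encryption, hash, DH group and authentication"
    if notifies:
        return "peer rejected phase 1: " + ", ".join(notifies)
    if any(m["exchange"] == "quick mode" for m in recv):
        return "phase 1 complete and peer answered quick mode: check SA counters and the firewall policies"
    if any(m["exchange"] == "informational" and m["encrypted"] for m in recv):
        return "phase 1 up but peer sent an encrypted notify: check phase 2 (transform-set, PFS, lifetime, selectors) in the IKE log"
    return "phase 1 still negotiating (main mode only), no error seen yet"


# --- constructed datagrams, not real captures --------------------------------
def _hdr(icookie, rcookie, xchg, first, body, flags=0):
    return struct.pack("!8s8sBBBBII", icookie, rcookie, first, 0x10, xchg, flags, 0, 28 + len(body)) + body

def _notify(ntype):       # generic hdr + DOI 1 + proto ISAKMP(1) + SPI size 0 + type
    return struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, ntype)

I, R = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
ME, PEER = "200.200.200.1", "201.201.201.1"                   # assumed outside addresses
SA_STUB = struct.pack("!BBHII", 0, 0, 12, 1, 1)               # SA payload: DOI 1, SIT 1, no proposals
MM1 = _hdr(I, bytes(8), 2, 1, SA_STUB)                         # initiator main mode msg 1
MM2 = _hdr(I, R, 2, 1, SA_STUB)                                # responder picks a proposal
MM_ENC = _hdr(I, R, 2, 5, b"\xaa" * 16, flags=1)               # main mode msgs 5/6 are encrypted
SILENT = [(ME, PEER, MM1), (ME, PEER, MM1), (ME, PEER, MM1)]
REJECTED = [(ME, PEER, MM1), (PEER, ME, _hdr(I, R, 5, NOTIFY_PAYLOAD, _notify(14)))]
PHASE2_FAIL = [(ME, PEER, MM1), (PEER, ME, MM2), (ME, PEER, MM_ENC), (PEER, ME, MM_ENC),
               (ME, PEER, _hdr(I, R, 32, 8, b"\xbb" * 32, flags=1)),   # QM1, encrypted
               (PEER, ME, _hdr(I, R, 5, 8, b"\xcc" * 32, flags=1))]    # encrypted notify back

if __name__ == "__main__":
    for name, cap in (("silent", SILENT), ("rejected", REJECTED), ("phase2", PHASE2_FAIL)):
        print(f"{name:9s} {diagnose(cap, ME, PEER)}")
```

Feed it the UDP/500 payloads from a capture taken on the outside interface (the ISAKMP header starts at the UDP payload; for UDP/4500 skip the 4-byte non-ESP marker first) and the verdict tells you which of Johnnatan's steps to take next.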

Hi Johnnatan,

Thanks for your response.

I did the same configuration on both ends, but the tunnel is not coming up. I didn't find where the issue is coming from.

Regards,

Satish.

Hi Venkatasatish, I have seen cases (Cisco ASA and Fortinet 50B, SMB firewall and Fortinet 50B) where they could configure the VPN. However, your Fortinet 50B is not a Cisco product and I don't have the appropriate knowledge to configure it; however, you can open a case with our engineers in order to resolve your problem.

https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

Greetings

Johnnatan Rodriguez Miranda.


Fabio Jorge (Level 1)

Hello Venkatasatish,

I am going to send you an example of a VPN between Cisco ASA version 8.2 and FortiGate MR4.

In my example I am going to use the following environments:

Cisco ASA "Zones"

Inside: 192.168.1.0/24     "ASA inside interface IP address 192.168.1.1"

Outside: 200.200.200.0/29  "ASA outside interface IP address 200.200.200.1"

FortiGate "Zones"

inside: 172.16.1.0/24     "FortiGate inside interface IP address 172.16.1.1"

outside: 201.201.201.0/29  "FortiGate outside interface IP address 201.201.201.1"

=================================> VPN Script of ASA <=================================

access-list inside_access_in remark Firewall rule from ASA to Fortigate
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0 log notifications
access-group inside_access_in in interface inside
!
access-list VPN_NONAT remark Nonat to VPN traffic over VPN
access-list VPN_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
access-list CryptoMap_ASA_to_Fortigate remark VPN Site-to-Site to Fortigate Site
access-list CryptoMap_ASA_to_Fortigate extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
nat (inside) 0 access-list VPN_NONAT
!
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map OUTSIDE_map 1 match address CryptoMap_ASA_to_Fortigate
crypto map OUTSIDE_map 1 set peer 201.201.201.1
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
crypto map OUTSIDE_map interface outside
!
group-policy GP_TO_FORTIGATE internal
group-policy GP_TO_FORTIGATE attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
!
tunnel-group 201.201.201.1 type ipsec-l2l
tunnel-group 201.201.201.1 general-attributes
 default-group-policy GP_TO_FORTIGATE
tunnel-group 201.201.201.1 ipsec-attributes
 pre-shared-key cisco123

=================================> VPN Script for FortiGate <=================================

Phase 1 (the "next" applies the entry; "end" leaves the table):

config vpn ipsec phase1-interface
    edit "200.200.200.1"
        set interface "outside"
        set keylife 86400
        set mode main
        set dhgrp 2
        set proposal 3des-sha1
        set remote-gw 200.200.200.1
        set psksecret cisco123
    next
end

Phase 2:

config vpn ipsec phase2-interface
    edit "200.200.200.1"
        set keepalive enable
        set pfs disable
        set phase1name "200.200.200.1"
        set proposal 3des-sha1
        set dst-subnet 192.168.1.0 255.255.255.0
        set keylifeseconds 3600
        set src-subnet 172.16.1.0 255.255.255.0
    next
end

Configure the route to the VPN: I am using entry 100, you need to check which entry is free on your firewall.

config router static
    edit 100
        set device "200.200.200.1"
        set distance 1
        set dst 192.168.1.0 255.255.255.0
    next
end

Create a rule: in my example I'm using any to any over the VPN, but you can filter based on your network environments.

config firewall policy
    edit 100
        set srcintf "200.200.200.1"
        set dstintf "inside"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set comments "Access from VPN ASA site"
    next
    edit 101
        set srcintf "inside"
        set dstintf "200.200.200.1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set comments "Access to VPN ASA Site"
    next
end

After that, please start traffic between the private networks 192.168.1.0/24 and 172.16.1.0/24.

Please let me know about it!

Good luck.

Fabio Jorge Amorim
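Fabio's two scripts only work because every parameter lines up across the vendors' different vocabularies: ASA "hash sha" is FortiOS "sha1", "group 2" is "dhgrp 2", the absent "set pfs" on the crypto map is "set pfs disable", and the crypto ACL is the exact mirror of src-subnet/dst-subnet. The following is an added example of mine, not from the thread, Cisco or Fortinet: a checker that parses the two snippets as posted (embedded as constructed strings, with the post's cisco123 placeholder PSK and outside addresses) and reports each value that disagrees, which is the first thing to do when a tunnel will not come up. One caveat the post does not make: 3DES, SHA-1 and DH group 2 appear here because that is what both devices in the post offer; on current firmware pick AES, SHA-2 and group 14 or higher on both sides, and the checker will verify those the same way.

```python
"""Cross-vendor IKEv1 parameter check: ASA 8.2 crypto map vs FortiOS phase1/phase2.

Added example, not from the thread or either vendor.  Normalises the vendor
vocabulary and lists every phase 1 / phase 2 value that disagrees.
"""
import re
from ipaddress import ip_network

# Constructed copies of the relevant lines from the post (cisco123 is the post's placeholder PSK).
ASA_CFG = """
access-list CryptoMap_ASA_to_Fortigate extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_map 1 match address CryptoMap_ASA_to_Fortigate
crypto map OUTSIDE_map 1 set peer 201.201.201.1
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
tunnel-group 201.201.201.1 ipsec-attributes
 pre-shared-key cisco123
"""
FGT_CFG = """
config vpn ipsec phase1-interface
    edit "200.200.200.1"
        set keylife 86400
        set dhgrp 2
        set proposal 3des-sha1
        set remote-gw 200.200.200.1
        set psksecret cisco123
    next
end
config vpn ipsec phase2-interface
    edit "200.200.200.1"
        set pfs disable
        set proposal 3des-sha1
        set dst-subnet 192.168.1.0 255.255.255.0
        set keylifeseconds 3600
        set src-subnet 172.16.1.0 255.255.255.0
    next
end
"""
HASH_ALIAS = {"sha": "sha1", "sha1": "sha1", "md5": "md5", "sha256": "sha256"}   # ASA name -> FortiOS name
P_KEYS = ("p1_enc", "p1_hash", "p1_dh", "p1_life", "psk", "p2_enc", "p2_hash", "p2_life", "pfs")


def _net(addr, mask):
    """'addr mask' -> CIDR string so both vendors compare equal."""
    return str(ip_network(f"{addr}/{mask}", strict=False))


def parse_asa(cfg):
    def g(pat):
        return re.search(pat, cfg, re.M)
    ts = g(r"^crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+?)-hmac")
    acl_name = g(r"match address (\S+)").group(1)
    acl = g(rf"^access-list {re.escape(acl_name)} extended permit ip (\S+) (\S+) (\S+) (\S+)")
    return {"p1_enc": g(r"^\s*encryption (\S+)").group(1),
            "p1_hash": HASH_ALIAS[g(r"^\s*hash (\S+)").group(1)],
            "p1_dh": g(r"^\s*group (\d+)").group(1),
            "p1_life": g(r"^\s*lifetime (\d+)").group(1),
            "psk": g(r"^\s*pre-shared-key (\S+)").group(1),
            "p2_enc": ts.group(1), "p2_hash": HASH_ALIAS[ts.group(2)],
            "p2_life": g(r"set security-association lifetime seconds (\d+)").group(1),
            "pfs": g(r"^crypto map \S+ \d+ set pfs") is not None,   # ASA: PFS off unless 'set pfs'
            "peer": g(r"set peer (\S+)").group(1),
            "local_net": _net(acl.group(1), acl.group(2)),          # crypto ACL: local -> remote
            "remote_net": _net(acl.group(3), acl.group(4))}


def parse_fgt(cfg):
    p1, p2 = cfg.split("config vpn ipsec phase2-interface")
    enc1, hash1 = re.search(r"set proposal (\S+)-(\S+)", p1).groups()
    enc2, hash2 = re.search(r"set proposal (\S+)-(\S+)", p2).groups()
    return {"p1_enc": enc1, "p1_hash": HASH_ALIAS[hash1],
            "p1_dh": re.search(r"set dhgrp (\d+)", p1).group(1),
            "p1_life": re.search(r"set keylife (\d+)", p1).group(1),
            "psk": re.search(r"set psksecret (\S+)", p1).group(1),
            "p2_enc": enc2, "p2_hash": HASH_ALIAS[hash2],
            "p2_life": re.search(r"set keylifeseconds (\d+)", p2).group(1),
            "pfs": re.search(r"set pfs (\S+)", p2).group(1) == "enable",
            "peer": re.search(r"set remote-gw (\S+)", p1).group(1),
            "local_net": _net(*re.search(r"set src-subnet (\S+) (\S+)", p2).groups()),
            "remote_net": _net(*re.search(r"set dst-subnet (\S+) (\S+)", p2).groups())}


def compare(asa, fgt, asa_outside, fgt_outside):
    """Return a list of mismatches; an empty list means both ends agree."""
    problems = [f"{k}: ASA={asa[k]!r} FortiGate={fgt[k]!r}" for k in P_KEYS if asa[k] != fgt[k]]
    if asa["peer"] != fgt_outside:
        problems.append(f"ASA 'set peer {asa['peer']}' is not the FortiGate outside address {fgt_outside}")
    if fgt["peer"] != asa_outside:
        problems.append(f"FortiGate 'set remote-gw {fgt['peer']}' is not the ASA outside address {asa_outside}")
    # IKEv1 proxy IDs: the crypto ACL must be the exact mirror of src-subnet/dst-subnet or phase 2 fails.
    if (asa["local_net"], asa["remote_net"]) != (fgt["remote_net"], fgt["local_net"]):
        problems.append(f"selectors do not mirror: ASA {asa['local_net']}->{asa['remote_net']} "
                        f"vs FortiGate {fgt['local_net']}->{fgt['remote_net']}")
    return problems


if __name__ == "__main__":
    asa = parse_asa(ASA_CFG)
    print(compare(asa, parse_fgt(FGT_CFG), "200.200.200.1", "201.201.201.1") or ["all parameters agree"])
    # Same FortiGate config with PFS turned on at one end only: the checker names the culprit.
    print(compare(asa, parse_fgt(FGT_CFG.replace("set pfs disable", "set pfs enable")),
                  "200.200.200.1", "201.201.201.1"))
```

Paste your own "show running-config" crypto section and the FortiGate "show vpn ipsec phase1-interface" / "phase2-interface" output into the two strings; anything the checker prints is a line to change before you touch anything else.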