This blog post shows how to configure a site-to-site IPsec VPN between a FortiGate firewall and a Cisco router. The FortiGate is configured via the GUI – the router via the CLI. I am showing the screenshots/listings as well as a few troubleshooting commands.
The VPN tunnel shown here is a route-based tunnel. That is, I do NOT use proxy-ids in phase 2 for the routing decision (which would be policy-based), but tunnel-interfaces and static routes. This applies to both devices.
The FortiGate firewall in my lab is a FortiWiFi 90D (v5.2.2), and the Cisco router is a 2811 running software version 12.4(24)T8.
Lab
The following figure shows the lab for this VPN:
[Figure: lab topology for this VPN]
FortiGate
These are the steps for the FortiGate firewall. Refer to the descriptions under the screenshots for further details:
[FortiGate GUI configuration screenshots are not available in this copy.]
Cisco Router
The Cisco router is configured with the following commands:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key ZByLKnMxmohpNLBPAgwckJhY address 172.16.1.6
crypto isakmp keepalive 10 5
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
!
crypto ipsec profile FG
 set transform-set aes256-sha
 set pfs group14
!
interface Tunnel161
 ip unnumbered FastEthernet0/1.151
 tunnel source 172.16.1.5
 tunnel destination 172.16.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FG
!
ip route 192.168.161.0 255.255.255.0 Tunnel161
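Because a route-based tunnel only works when the VTI, the IPsec profile, the transform-set, the pre-shared key and the static route all reference each other correctly, it helps to check those links mechanically before staring at debug output. The following Python script is an added example, not part of the original post or any Cisco tooling: it splits the router configuration above into IOS sections and reports anything that is missing or dangling. The function names and the embedded configuration string are my own construction (the string simply reproduces the listing above).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the router configuration from the post, one command per line.
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key ZByLKnMxmohpNLBPAgwckJhY address 172.16.1.6
crypto isakmp keepalive 10 5
!
crypto ipsec transform-set aes256-sha esp-aes 256 esp-sha-hmac
!
crypto ipsec profile FG
 set transform-set aes256-sha
 set pfs group14
!
interface Tunnel161
 ip unnumbered FastEthernet0/1.151
 tunnel source 172.16.1.5
 tunnel destination 172.16.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FG
!
ip route 192.168.161.0 255.255.255.0 Tunnel161
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level IOS command to its indented sub-commands (may be empty)."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None          # '!' ends a configuration section
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def first_match(lines: List[str], pattern: str) -> Optional[re.Match]:
    """Return the first regex match of pattern among lines, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m
    return None


def check_vti_config(config: str) -> List[str]:
    """Consistency checks for a route-based (VTI) IPsec tunnel; empty list = all good."""
    blocks = parse_blocks(config)
    findings: List[str] = []
    tunnels = {k: v for k, v in blocks.items() if k.startswith("interface Tunnel")}
    if not tunnels:
        return ["no Tunnel interface configured"]
    for name, lines in tunnels.items():
        ifname = name.split()[1]
        # Route-based: the tunnel itself must be an IPsec VTI, not GRE plus a crypto map.
        if "tunnel mode ipsec ipv4" not in lines:
            findings.append(f"{ifname}: not a route-based VTI (missing 'tunnel mode ipsec ipv4')")
        prof = first_match(lines, r"tunnel protection ipsec profile (\S+)")
        if prof is None:
            findings.append(f"{ifname}: no 'tunnel protection ipsec profile' applied")
        else:
            pname = prof.group(1)
            plines = blocks.get(f"crypto ipsec profile {pname}")
            if plines is None:
                findings.append(f"{ifname}: ipsec profile {pname} is not defined")
            else:
                ts = first_match(plines, r"set transform-set (\S+)")
                if ts is None or not any(k.startswith(f"crypto ipsec transform-set {ts.group(1)} ") for k in blocks):
                    findings.append(f"profile {pname}: transform-set missing or not defined")
                if first_match(plines, r"set pfs \S+") is None:
                    findings.append(f"profile {pname}: PFS not enabled (must match the FortiGate phase 2 setting)")
        # The pre-shared key must be bound to the same peer address the tunnel points at.
        dst = first_match(lines, r"tunnel destination (\S+)")
        if dst is None:
            findings.append(f"{ifname}: no tunnel destination")
        elif not any(re.match(rf"crypto isakmp key \S+ address {re.escape(dst.group(1))}$", k) for k in blocks):
            findings.append(f"{ifname}: no ISAKMP pre-shared key configured for peer {dst.group(1)}")
        # Without a route into the tunnel the VTI never carries traffic.
        if not any(re.match(rf"ip route \S+ \S+ {ifname}$", k) for k in blocks):
            findings.append(f"{ifname}: no static route points into the tunnel")
    return findings


if __name__ == "__main__":
    for finding in check_vti_config(CISCO_CONFIG) or ["configuration is consistent"]:
        print(finding)
```

Run it against the listing above and it reports nothing; delete the `ip route` line or change the address on the `crypto isakmp key` line and the corresponding finding appears. The checks are deliberately structural (does each reference resolve, is PFS set, is there a route) rather than cryptographic, because those are the mistakes that leave a route-based tunnel silently idle.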
Monitoring
The FortiGate has an IPsec Monitor status of “Up”,
[Screenshot: FortiGate IPsec Monitor showing the tunnel as Up]
and can be queried via the CLI, too:
fd-wv-fw04 # get vpn ike gateway fd-wv-ro03

vd: root/0
name: fd-wv-ro03
version: 1
interface: wan1 6
addr: 172.16.1.6:500 -> 172.16.1.5:500
created: 1789239s ago
IKE SA  created: 1/63  established: 1/63  time: 380/461/2480 ms
IPsec SA  created: 1/514  established: 1/514  time: 360/382/590 ms

  id/spi: 20213 7369fa8ea50b4193/15f1b4d8a7818977
  direction: initiator
  status: established 22210-22210s ago = 380ms
  proposal: aes-256-sha1
  key: 2a0a6784e29fbe70-ade0d6d6a368bdca-5e81890d77f7ca7a-db7e9f75c746aa94
  lifetime/rekey: 28800/6289
  DPD sent/recv: 000d1c3e/4f447f71

fd-wv-fw04 # get vpn ipsec tunnel name fd-wv-ro03

gateway
  name: 'fd-wv-ro03'
  type: route-based
  local-gateway: 172.16.1.6:0 (static)
  remote-gateway: 172.16.1.5:0 (static)
  mode: ike-v1
  interface: 'wan1' (6)
  rx  packets: 1584  bytes: 199840  errors: 0
  tx  packets: 1595  bytes: 135078  errors: 0
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: 'fd-wv-ro03'
    auto-negotiate: disable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA  lifetime/rekey: 3600/923  mtu: 1438  tx-esp-seq: 600  replay: enabled
    inbound  spi: c97b0d54
      enc:     aes  43821ea396d91c75a865fa39ceb11dbae01761965f5c259c8ff08288034a2951
      auth:   sha1  e3b74f75ee315f3a6bb6c08f820fd7326e6efa1e
    outbound spi: 5ffae69c
      enc:     aes  8b4721951aa7878a50c865f1853fd55944dfc514e7f12fee8288d458f3aa8b64
      auth:   sha1  f8905c11627d73bd643bda374f8a6214dbc12281
    NPU acceleration: encryption(outbound) decryption(inbound)
The Cisco router show commands are the following:
fd-wv-ro03#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

1195  172.16.1.5      172.16.1.6             ACTIVE aes  sha  psk  14 01:46:56 D
       Engine-id:Conn-id =  SW:195

IPv6 Crypto ISAKMP SA

fd-wv-ro03#show crypto ipsec sa peer 172.16.1.6

interface: Tunnel161
    Crypto map tag: Tunnel161-head-0, local addr 172.16.1.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.16.1.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1856, #pkts encrypt: 1856, #pkts digest: 1856
    #pkts decaps: 1855, #pkts decrypt: 1855, #pkts verify: 1855
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 1

     local crypto endpt.: 172.16.1.5, remote crypto endpt.: 172.16.1.6
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xC97B0D54(3380284756)
     PFS (Y/N): Y, DH group: group14

     inbound esp sas:
      spi: 0x5FFAE69C(1610278556)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2737, flow_id: NETGX:737, sibling_flags 80000046, crypto map: Tunnel161-head-0
        sa timing: remaining key lifetime (k/sec): (4506750/791)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC97B0D54(3380284756)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2738, flow_id: NETGX:738, sibling_flags 80000046, crypto map: Tunnel161-head-0
        sa timing: remaining key lifetime (k/sec): (4506750/791)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

fd-wv-ro03#show ip route static
S    192.168.161.0/24 is directly connected, Tunnel161
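A quick way to confirm that the two monitoring outputs above describe the same pair of security associations is to cross-check them: each side's inbound SPI must equal the other side's outbound SPI, the gateway addresses must line up, and the phase 2 algorithms must agree. The script below is an added example, not code from the original post or from either vendor; it parses trimmed copies of the FortiGate `get vpn ipsec tunnel name` output and the Cisco `show crypto ipsec sa` output and reports mismatches. The function names and the two embedded output samples are my own construction (the values are taken from the outputs above, with the key material left out).

```python
import re
from typing import Dict, List

# Constructed samples, trimmed from the outputs shown in the post (key material omitted).
FORTIGATE_IPSEC = """\
gateway
  name: 'fd-wv-ro03'
  type: route-based
  local-gateway: 172.16.1.6:0 (static)
  remote-gateway: 172.16.1.5:0 (static)
  mode: ike-v1
  rx  packets: 1584  bytes: 199840  errors: 0
  tx  packets: 1595  bytes: 135078  errors: 0
  selectors
    SA  lifetime/rekey: 3600/923  mtu: 1438  tx-esp-seq: 600  replay: enabled
    inbound  spi: c97b0d54
      enc:     aes
      auth:   sha1
    outbound spi: 5ffae69c
      enc:     aes
      auth:   sha1
"""

CISCO_IPSEC = """\
interface: Tunnel161
    Crypto map tag: Tunnel161-head-0, local addr 172.16.1.5
   current_peer 172.16.1.6 port 500
    #pkts encaps: 1856, #pkts encrypt: 1856, #pkts digest: 1856
    #pkts decaps: 1855, #pkts decrypt: 1855, #pkts verify: 1855
    #send errors 0, #recv errors 1
     current outbound spi: 0xC97B0D54(3380284756)
     PFS (Y/N): Y, DH group: group14
     inbound esp sas:
      spi: 0x5FFAE69C(1610278556)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0xC97B0D54(3380284756)
        transform: esp-256-aes esp-sha-hmac ,
        Status: ACTIVE
"""

# Cisco transform names mapped to the algorithm names FortiGate prints.
CISCO_TRANSFORMS = {"esp-256-aes": "aes", "esp-sha-hmac": "sha1"}


def _grab(text: str, pattern: str) -> str:
    """First capture group of pattern in text, lower-cased; raises if absent."""
    m = re.search(pattern, text, re.S | re.I)
    if not m:
        raise ValueError("pattern not found: " + pattern)
    return m.group(1).lower()


def parse_fortigate(text: str) -> Dict[str, str]:
    """Pull gateways, SPIs and algorithms out of 'get vpn ipsec tunnel name' output."""
    return {
        "local": _grab(text, r"local-gateway:\s*([\d.]+)"),
        "remote": _grab(text, r"remote-gateway:\s*([\d.]+)"),
        "in_spi": _grab(text, r"inbound\s+spi:\s*([0-9a-f]+)"),
        "out_spi": _grab(text, r"outbound\s+spi:\s*([0-9a-f]+)"),
        "enc": _grab(text, r"enc:\s+(\S+)"),
        "auth": _grab(text, r"auth:\s+(\S+)"),
    }


def parse_cisco(text: str) -> Dict[str, str]:
    """Pull peer, SPIs, transform and SA status out of 'show crypto ipsec sa' output."""
    enc_name, auth_name = _grab(text, r"transform:\s*(\S+\s+\S+)").split()
    return {
        "local": _grab(text, r"local addr\s+([\d.]+)"),
        "peer": _grab(text, r"current_peer\s+([\d.]+)"),
        # Non-greedy match picks the first SPI after each section header.
        "in_spi": _grab(text, r"inbound esp sas:.*?spi:\s*0x([0-9a-f]+)"),
        "out_spi": _grab(text, r"outbound esp sas:.*?spi:\s*0x([0-9a-f]+)"),
        "enc": CISCO_TRANSFORMS.get(enc_name, enc_name),
        "auth": CISCO_TRANSFORMS.get(auth_name, auth_name),
        "pfs": _grab(text, r"PFS \(Y/N\):\s*(\w)"),
        "active_sas": str(len(re.findall(r"Status:\s*ACTIVE", text))),
    }


def cross_check(fg: Dict[str, str], cisco: Dict[str, str]) -> List[str]:
    """Findings are mismatches between the two sides; an empty list means the SAs agree."""
    findings: List[str] = []
    if fg["remote"] != cisco["local"] or fg["local"] != cisco["peer"]:
        findings.append("gateway addresses do not line up between the two sides")
    # Each side's inbound SPI must be the other side's outbound SPI.
    if fg["in_spi"] != cisco["out_spi"]:
        findings.append(f"FortiGate inbound SPI {fg['in_spi']} != Cisco outbound SPI {cisco['out_spi']}")
    if fg["out_spi"] != cisco["in_spi"]:
        findings.append(f"FortiGate outbound SPI {fg['out_spi']} != Cisco inbound SPI {cisco['in_spi']}")
    if (fg["enc"], fg["auth"]) != (cisco["enc"], cisco["auth"]):
        findings.append("phase 2 algorithms differ between the two sides")
    if cisco["pfs"] != "y":
        findings.append("PFS not negotiated on the Cisco side")
    if cisco["active_sas"] != "2":
        findings.append("expected one active inbound and one active outbound ESP SA on the Cisco side")
    return findings


if __name__ == "__main__":
    result = cross_check(parse_fortigate(FORTIGATE_IPSEC), parse_cisco(CISCO_IPSEC))
    print("\n".join(result) if result else "both sides agree on the IPsec SAs")
```

For the samples above the check passes: the FortiGate's inbound SPI c97b0d54 is the router's outbound SPI 0xC97B0D54 and vice versa, both sides use AES-256 with SHA-1, and PFS with group 14 was negotiated. After a rekey the SPIs change on both sides at once, so a persistent mismatch between two fresh captures is a sign that one side is looking at a stale SA.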
Ciao.