IPsec/SSL VPN

ASA Route-Based VPN (VTI) with Fortigate Firewall

    Posted Nov 20, 2019 12:50 AM

    Manny Fernandez

    Customer had a question about creating a route-based VPN between a Cisco ASA and a Fortigate.  Traditionally, the ASA has used policy-based VPNs, which in my case is extremely outdated.  With route-based VPNs, you have far more functionality, such as dynamic routing.  In the case of the ASA, it only supports BGP across the VPN, whereas the Fortigate can do BGP and OSPF.

    In this article, I will show the ASA configuration as well as the FortiGate Configuration.

    (Network diagram: Network Diagram VTI v2.jpg)

    ASA Configuration

    The following configuration is shown in the order it needs to be entered when you initially configure it.  It will not appear in this order in the output of sh run.

    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    !
    crypto ipsec profile FortiProfile
     set ikev1 transform-set ESP-AES-256-MD5
     set pfs group5
     set security-association lifetime kilobytes 10000
     set security-association lifetime seconds 120
    !
    interface Tunnel100
     nameif route-based
     ip address 10.225.1.1 255.255.255.252
     tunnel source interface outside
     tunnel destination 12.1.1.6
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile FortiProfile
    !
    object network SEC1
     subnet 10.221.1.0 255.255.255.0
    !
    object network SEC3
     subnet 10.223.1.0 255.255.255.0
    !
    ! A VTI selects traffic by routing, not by a crypto ACL; this ACL is only consulted if a crypto map is also in use
    access-list crypto-to-SEC1 extended permit ip object SEC1 object SEC3
    !
    ! Identity (no-NAT) rule so that traffic between SEC1 and SEC3 is not translated
    nat (inside,outside) source static SEC1 SEC1 destination static SEC3 SEC3
    !
    ! The next hop is the FortiGate's end of the Tunnel100 /30 (10.225.1.0/30)
    route route-based 10.221.1.0 255.255.255.0 10.225.1.2 1
    !
    ! IKEv1 must be enabled on the outside interface before the tunnel can negotiate
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    !
    ! The tunnel-group name must be the peer address used as the tunnel destination
    tunnel-group 12.1.1.6 type ipsec-l2l
    tunnel-group 12.1.1.6 ipsec-attributes
     ikev1 pre-shared-key Fortinet

    Let's break this down:


    The first thing you need to make sure of is that your ASA is running code that supports VTI.  I believe it is 9.7.  I am not sure on the


    If you do not already have a transform set, you will need to create one.  I chose a random one I had already in the config.  Your mileage may vary.

    Next you will need to create the IPsec profile.  This defines the Phase II information for your VPN and will be referenced later.  You CAN re-use it in another VPN if the values are OK.


    Once the IPsec profile is created, you can create the tunnel interface.  You can use any number from 1 to 100.  You will need to name the interface using the standard nameif command.  In my example, I used the name route-based.

    For the IP address, you give the tunnel interface its tunnel address.  That is the IP address used as the point-to-point address between the ASA and the FortiGate.


    The tunnel-group defines the pre-shared key and is keyed on the IP address of the peer.


    On the ASA, you will need to define a no-NAT (identity NAT) statement.  It translates SEC1 to SEC1 and SEC3 to SEC3, which effectively says: for traffic from SEC1 to SEC3, do NOT NAT.

     

    Fortigate Configuration

    We will create a custom VPN configuration.


    Since this is route-based, the Phase II selectors will be all zeros.

    Ensure that you have the proper Phase I configuration on both sides.

    On the ASA, we had the Phase I configuration as follows:

    Cisco

    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400

    Fortinet

    (The FortiGate Phase I settings were shown in a screenshot in the original post; they need to match the Cisco values above.)
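Because a VTI only comes up when the routing and the Phase I parameters on both boxes line up, here is an added example (not from the original post): a small Python script that parses an ASA VTI listing, reports any route out the tunnel whose next hop is outside the tunnel /30, and compares the ASA ikev1 policy keywords with the FortiGate phase1-interface values (proposal, dhgrp, keylife). The ASA listing and the FortiGate values are constructed for the example, and the ASA-keyword to FortiOS-name mapping is an assumption covering only the values used in this post.

```python
import ipaddress

# Constructed sample: an ASA VTI listing shaped like the one in this post, with the route
# next hop deliberately outside the Tunnel100 /30 so the checker has something to report.
ASA_CONFIG = """\
interface Tunnel100
 nameif route-based
 ip address 10.225.1.1 255.255.255.252
route route-based 10.223.1.0 255.255.255.0 10.255.1.2 1
crypto ikev1 policy 10
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""
# Constructed FortiGate phase1-interface values, chosen to match the ASA ikev1 policy.
FGT_PHASE1 = {"proposal": "aes256-sha1", "dhgrp": "2", "keylife": "86400"}
# Assumed ASA-keyword to FortiOS-name mapping; covers only the values used in this post.
ASA_TO_FGT = {"aes-256": "aes256", "sha": "sha1", "md5": "md5"}


def parse_asa(cfg):
    """Collect the VTI facts that must agree: tunnel nameif and /30, VTI routes, ikev1 policy."""
    facts, section = {"routes": [], "ikev1": {}}, ""
    for line in cfg.splitlines():
        words = line.split()
        if not line.startswith(" "):            # a top-level command starts a new section
            section = " ".join(words[:2])       # e.g. "interface Tunnel100", "crypto ikev1"
            if words and words[0] == "route":   # route <nameif> <net> <mask> <next-hop> [metric]
                facts["routes"].append((words[1], ipaddress.ip_network(f"{words[2]}/{words[3]}"), words[4]))
        elif section.startswith("interface Tunnel") and words[0] == "nameif":
            facts["nameif"] = words[1]
        elif section.startswith("interface Tunnel") and words[0] == "ip":  # ip address <a> <mask>
            facts["tunnel_net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif section == "crypto ikev1":         # policy lines such as "hash sha" or "group 2"
            facts["ikev1"][words[0]] = words[1]
    return facts


def check_vti(cfg, fgt_phase1):
    """Return findings; empty means the VTI is self-consistent and Phase I matches the FortiGate."""
    facts, out = parse_asa(cfg), []
    for iface, dst, nh in facts["routes"]:      # routes out the VTI must point into its /30
        if iface == facts.get("nameif") and ipaddress.ip_address(nh) not in facts["tunnel_net"]:
            out.append(f"route {dst} via {nh}: next hop not in tunnel subnet {facts['tunnel_net']}")
    p = facts["ikev1"]                          # translate ASA keywords to FortiOS names
    want = {"proposal": f"{ASA_TO_FGT.get(p.get('encryption'))}-{ASA_TO_FGT.get(p.get('hash'))}",
            "dhgrp": p.get("group"), "keylife": p.get("lifetime")}
    for k, v in want.items():
        if fgt_phase1.get(k) != v:
            out.append(f"phase1 {k}: ASA policy implies {v}, FortiGate has {fgt_phase1.get(k)}")
    return out
```

Calling check_vti(ASA_CONFIG, FGT_PHASE1) on the sample returns one finding about the 10.255.1.2 next hop; correcting it to 10.225.1.2 returns an empty list.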


    Under Policy & Objects, then Addresses, we will create the corresponding address object for the ASA LAN side (2.2.2.0) and enable the Static Route Configuration button, which will allow us to use this object as the destination of a static route.


    We are going to create a static route.  We choose Named Address; the drop-down should show the object we created in the previous step.


    Choose the VPN as the Interface.


    The Fortigate will create a tunnel interface, and by default it will have an IP of 0.0.0.0/0.


    Now create the policies.  Make sure the reverse rules are in place.

    Checking Tunnel Status

    On the Cisco, you can run sh crypto isa sa (show crypto isakmp sa) to see which Phase I tunnels are up.


    To see Phase II, you can type sh cryp ipse sa peer x.x.x (show crypto ipsec sa peer x.x.x).

    On the FortiGate

    Go to Monitor, then IPsec Monitor.

    Hope this helps.