Created on 11-30-2007 12:00 AM
Introduction

This article describes how to configure an IPSec VPN on a FortiGate unit to work with a Cisco PIX firewall.
Components

Network Diagram

Prerequisites
Configure FortiGate VPN Phase 1

To configure using the Web-based Manager

To configure using the CLI: Using the example configuration, enter the following commands.

    config vpn ipsec phase1
        edit "GW-FG-PIX"
            set interface wan1
            set dpd disable
            set dhgrp 2
            set proposal 3des-sha1
            set keylife 86400
            set remote-gw 203.200.216.194
            set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    end
Configure FortiGate VPN Phase 2

When you configure the IPSec VPN phase 2, you set the source selector to the private network behind the FortiGate unit, and set the destination selector to the private network behind the Cisco appliance.

To configure using the Web-based Manager

Using the CLI: Using the example configuration, enter the following commands.

    config vpn ipsec phase2
        edit Tunnel-FG-PIX
            set dhgrp 5
            set keepalive enable
            set phase1name GW-FG-PIX
            set proposal 3des-sha1
            set pfs disable
            set replay disable
            set keylife-type seconds
            set keylifeseconds 86400
            set src-addr-type subnet
            set src-subnet 10.1.4.0 255.255.255.0
            set dst-addr-type subnet
            set dst-subnet 192.192.192.0 255.255.255.0
    end
Configure FortiGate Firewall Addresses

Create firewall addresses for the private networks at either end of the VPN.

To configure using the Web-based Manager

Using the CLI: Using the example configuration, enter the following commands.

    config firewall address
        edit "LocalLAN"
            set subnet 10.1.4.0 255.255.255.0
        next
        edit "Site2_net"
            set subnet 192.192.192.0 255.255.255.0
    end
Configure FortiGate Firewall Policy

The IPSec firewall policy allows communication in both directions between hosts on the network behind the FortiGate unit and hosts behind the Cisco appliance.

To configure using the Web-based Manager

Using the CLI: Using the example configuration, enter the following commands.

    config firewall policy
        edit 1
            set srcintf internal
            set dstintf wan1
            set srcaddr LocalLAN
            set dstaddr Site2_net
            set action ipsec
            set inbound enable
            set outbound enable
            set natinbound disable
            set natoutbound disable
            set schedule always
            set service ANY
            set vpntunnel GW-FG-PIX
    end
Configure Cisco appliance

This Cisco PIX appliance is configured using its CLI.

To configure Cisco PIX Phase 1, enter the following commands:

    isakmp enable outside
    isakmp key ******* address 61.95.205.173 netmask 255.255.255.255
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400

To configure Cisco PIX Phase 2, enter the following:

    crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
    crypto map test 10 ipsec-isakmp
    crypto map test 10 match address BGLR
    crypto map test 10 set peer 61.95.205.173
    crypto map test 10 set transform-set fortinet
    crypto map test interface outside
    crypto map test 10 set security-association lifetime seconds 86400

Additional Cisco PIX Policies

Set an access control list (ACL) for the desired VPN traffic and bypass NAT for it:

    access-list BGLR permit ip 192.192.192.0 255.255.255.0 10.1.4.0 255.255.255.0
    nat (inside) 0 access-list BGLR
    sysopt connection permit-ipsec
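The usual reason a tunnel between these two platforms fails to come up is a parameter spelled in two different dialects on the two ends (the FortiGate proposal 3des-sha1 against the PIX encryption 3des / hash sha, or phase 2 selectors that are not mirror images of each other). The following Python script is added here as an example and is not part of the original article: it parses constructed excerpts of the FortiGate and PIX configurations above and reports every setting on which the two ends disagree. The names fg_settings, pix_value, net and check_tunnel are hypothetical.

```python
import ipaddress
import re
# Constructed excerpts of the two ends as given in this article (only the lines the check reads).
FORTIGATE_CFG = """config vpn ipsec phase1
    set dhgrp 2
    set proposal 3des-sha1
    set keylife 86400
end
config vpn ipsec phase2
    set proposal 3des-sha1
    set src-subnet 10.1.4.0 255.255.255.0
    set dst-subnet 192.192.192.0 255.255.255.0
end"""
PIX_CFG = """isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
access-list BGLR permit ip 192.192.192.0 255.255.255.0 10.1.4.0 255.255.255.0"""
HASH_NAMES = {"sha1": "sha", "md5": "md5"}  # FortiGate proposal token -> PIX keyword
def fg_settings(cfg, section):
    """Collect the 'set key value' lines of one FortiGate config section into a dict."""
    body = re.search(r"config %s\n(.*?)\n\s*end" % re.escape(section), cfg, re.S).group(1)
    return dict(re.findall(r"^\s*set (\S+) (.+)$", body, re.M))
def pix_value(cfg, prefix):
    """Return the text following a PIX command prefix such as 'isakmp policy 1 group'."""
    m = re.search(r"^%s (.+)$" % re.escape(prefix), cfg, re.M)
    return m.group(1).strip() if m else None
def net(addr_mask):  # 'address mask' (same syntax on both boxes) -> IPv4 network object
    return ipaddress.ip_network(addr_mask.strip().replace(" ", "/"), strict=False)
def check_tunnel(fg_cfg, pix_cfg):
    """List the settings on which the two ends disagree; an empty list means they match."""
    p1, p2 = fg_settings(fg_cfg, "vpn ipsec phase1"), fg_settings(fg_cfg, "vpn ipsec phase2")
    (enc1, hash1), (enc2, hash2) = p1["proposal"].split("-"), p2["proposal"].split("-")
    pairs = [  # (setting, FortiGate value, PIX value)
        ("phase1 encryption", enc1, pix_value(pix_cfg, "isakmp policy 1 encryption")),
        ("phase1 hash", HASH_NAMES[hash1], pix_value(pix_cfg, "isakmp policy 1 hash")),
        ("phase1 dhgrp", p1["dhgrp"], pix_value(pix_cfg, "isakmp policy 1 group")),
        ("phase1 lifetime", p1["keylife"], pix_value(pix_cfg, "isakmp policy 1 lifetime")),
        ("phase2 transform-set", "esp-%s esp-%s-hmac" % (enc2, HASH_NAMES[hash2]),
         pix_value(pix_cfg, "crypto ipsec transform-set fortinet")),
    ]
    problems = ["%s: FortiGate %s vs PIX %s" % (n, a, b) for n, a, b in pairs if a != b]
    # The PIX ACL is written from the PIX side: its source must be the FortiGate's destination.
    acl = pix_value(pix_cfg, "access-list BGLR permit ip").split()
    pix_src, pix_dst = net(" ".join(acl[:2])), net(" ".join(acl[2:]))
    if (pix_src, pix_dst) != (net(p2["dst-subnet"]), net(p2["src-subnet"])):
        problems.append("phase2 selectors: PIX ACL is not the mirror image of the FortiGate src/dst subnets")
    return problems
```

Run against the article's values the check returns an empty list; change the PIX `group` or swap the ACL networks and the offending setting is named.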
Testing the VPN

You can test the VPN by pinging addresses on the remote LAN. You can also use the following commands to verify VPN operation:
Troubleshooting

FortiGate debug commands

    diag debug enable
    diag debug appli ike 2

Displays the phase 1 and phase 2 negotiations.

Cisco PIX debug commands