FortiGate
rphulekar
Staff
Article Id 193371

Description

 

This article describes a basic VPN setup between a FortiGate unit and a Cisco router, using a Virtual Tunnel Interface (VTI) on the Cisco router. The IPsec configuration uses only a Pre-Shared Key for authentication; XAUTH or certificates should be considered for an added level of security, and the key shown in the example ('pass123') is a placeholder that must be replaced with a long, random value. Only the relevant configuration has been included.
 
[Figure: network diagram, rphulekar_FD34846_img01.jpg]
 
Creating the VPN with an "interface-based VPN" on the FortiGate unit and a VTI on the Cisco router has the following advantages:
•  a simpler setup,
•  Proxy-IDs/Quick Mode selectors are not needed,
•  running a dynamic routing protocol (such as OSPF) over the tunnel is straightforward.
 
As an additional example, a BGP configuration in this scenario would be as simple as creating neighbor statements on each device.
 


Scope


Testbed platforms used in this scenario:
•  FortiGate unit running FortiOS firmware version 5.0.2.
•  Cisco router running IOS 15.0(1)M.
 

Solution

 

FortiGate IPsec VPN configuration:
 
config vpn ipsec phase1-interface
    edit "Cisco-VTI"
        set interface "port1"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw 172.16.55.1
        set psksecret pass123
    next
end
config vpn ipsec phase2-interface
    edit "Cisco-P2-1"
        set phase1name "Cisco-VTI"
        set proposal aes128-sha1
        set dhgrp 2
    next
end
 
FortiGate VPN Interface configuration:
 
config system interface
    edit "Cisco-VTI"
        set vdom "root"
        set ip 192.168.111.1 255.255.255.255
        set allowaccess ping https ssh
        set type tunnel
        set remote-ip 192.168.111.2
        set interface "port1"
    next
end
 

Note: 
The 'remote-ip' setting must be the IP address of the Tunnel interface on the Cisco router (192.168.111.2 here), NOT the address of its physical interface. This is what allows ping, SSH, etc. to the tunnel interface to work correctly, and it keeps both tunnel endpoints inside the 192.168.111.0/30 that the OSPF 'network' statements cover.
 
FortiGate firewall policy:

config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "Cisco-VTI"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "Cisco-VTI"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
 
Note: 
The source and destination addresses are set to 'all' and the service to 'ALL' for simplicity; tightening them to the specific subnets and services that need to cross the tunnel is good security practice.
These two policies are mirrors of one another, so traffic can flow in either direction.
 
 
FortiGate OSPF configuration:
 
config router ospf
        config area
            edit 0.0.0.0
            next
        end
        config network
            edit 1
                set prefix 192.168.111.0 255.255.255.252
            next
        end
        config ospf-interface
            edit "Cisco-VTI"
                set interface "Cisco-VTI"
                set mtu-ignore enable
                set network-type point-to-point
            next
        end
end
 
Note: 
The command 'set mtu-ignore enable' is needed for the OSPF adjacency to form: the FortiGate tunnel interface and the Cisco Tunnel interface advertise different MTU values in their Database Description packets, and OSPF rejects DBD packets from a neighbor whose advertised MTU is larger than its own.
 
Cisco router configuration:
 
Note:
For authoritative guidance on the configuration of Cisco equipment, refer to the product documentation of that equipment. Note that Fortinet Technical Support cannot provide any assistance with the configuration, operation, and troubleshooting of third-party equipment.
 
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key <password here> address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
!
crypto ipsec profile TO_FGT
 set transform-set TRANS
!
interface Tunnel0
 ip address 192.168.111.2 255.255.255.252
 ip ospf mtu-ignore
 tunnel source FastEthernet1/0
 tunnel mode ipsec ipv4
 tunnel destination <ip address of the FortiGate port1>
 tunnel protection ipsec profile TO_FGT
!
interface FastEthernet1/0
 ip address 172.16.55.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 192.168.111.0 0.0.0.3 area 0
 
Note: 
The 'ip ospf mtu-ignore' command is needed for proper OSPF neighbor functions, for the same reason as 'set mtu-ignore enable' on the FortiGate. Two further points on the Cisco side: 'crypto isakmp key ... address 0.0.0.0 0.0.0.0' offers the pre-shared key to any peer address; binding the key to the FortiGate's port1 address (mask 255.255.255.255) limits which peers can even start an IKE negotiation with it. Also, 'set dhgrp 2' in the FortiGate phase 2 enables PFS, while the 'crypto ipsec profile' above has no 'set pfs' line. That works as long as the FortiGate initiates (IOS accepts a PFS offer it did not ask for); if the Cisco router is to initiate the tunnel, add 'set pfs group2' to the profile so that its proposal includes PFS as well.
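As an added example (not code from the article, Fortinet or Cisco), the following Python script performs the cross-checks an engineer otherwise does by eye before bringing the tunnel up: it parses both sides' snippets and reports IKE or ESP proposal mismatches, a 'remote-ip' that is not the Cisco Tunnel0 address, a missing 'mtu-ignore' on either end, differing keys, and the two pre-shared-key weaknesses present in the article's own values (the short 'pass123' and the key bound to 'address 0.0.0.0 0.0.0.0'). The embedded configurations are constructed from the article's snippets; the Cisco '<password here>' placeholder is assumed to be 'pass123' so the two sides can be compared, and only the first proposal token of each FortiGate phase is read.

```python
"""Consistency lint for the FortiGate/Cisco VTI pair in this article (added example, not
vendor code). Sample input is copied from the article; Cisco's <password here> is ASSUMED."""
import re

FGT_CONF = """
config vpn ipsec phase1-interface
    edit "Cisco-VTI"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw 172.16.55.1
        set psksecret pass123
    next
end
config vpn ipsec phase2-interface
    edit "Cisco-P2-1"
        set proposal aes128-sha1
    next
end
config system interface
    edit "Cisco-VTI"
        set ip 192.168.111.1 255.255.255.255
        set remote-ip 192.168.111.2
    next
end
config router ospf
    config ospf-interface
        edit "Cisco-VTI"
            set mtu-ignore enable
        next
    end
end
"""
IOS_CONF = """
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key pass123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRANS esp-aes esp-sha-hmac
interface Tunnel0
 ip address 192.168.111.2 255.255.255.252
 ip ospf mtu-ignore
 tunnel source FastEthernet1/0
"""
IOS_HASH = {"sha": "sha1", "sha256": "sha256", "md5": "md5"}

def grab(pattern, text, default=None):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default

def suite(cipher, bits, hsh):
    # Normalise both vendors' spellings to e.g. ('aes', 128, 'sha1'); a bare 'aes' means 128-bit.
    return (cipher, int(bits or 128) if cipher == "aes" else 0, IOS_HASH.get(hsh, hsh))

def fgt_proposal(section):  # reads only the first proposal token, e.g. 'aes128-sha1'
    m = re.fullmatch(r"(3des|des|aes)(\d*)-(\S+)", grab(r"set proposal (\S+)", section))
    return suite(*m.groups())

def parse_fgt(text):
    p1 = text.split("phase1-interface")[1].split("\nend")[0]
    p2 = text.split("phase2-interface")[1].split("\nend")[0]
    return {"ike": fgt_proposal(p1), "ike_grp": int(grab(r"set dhgrp (\d+)", p1)),
            "esp": fgt_proposal(p2),
            "psk": grab(r"set psksecret (\S+)", p1), "tun_ip": grab(r"set ip (\S+) ", text),
            "tun_peer": grab(r"set remote-ip (\S+)", text),
            "mtu_ignore": "set mtu-ignore enable" in text}

def parse_ios(text):
    pol = text.split("crypto isakmp policy")[1].split("\ncrypto")[0]
    enc = re.search(r"^ encr (\S+)(?: (\d+))?$", pol, re.M)
    ts = re.search(r"transform-set \S+ esp-(\S+?)(?: (\d+))? esp-(\S+)-hmac", text)
    tun = text.split("\ninterface Tunnel")[1].split("\ninterface")[0]
    key = re.search(r"crypto isakmp key (\S+) address (\S+) (\S+)", text)
    return {"ike": suite(enc.group(1), enc.group(2), grab(r"^ hash (\S+)", pol, "sha")),  # IOS default: sha
            "ike_grp": int(grab(r"^ group (\d+)", pol, "1")),  # IOS default DH group is 1
            "esp": suite(*ts.groups()),
            "tun_ip": grab(r"^ ip address (\S+)", tun), "mtu_ignore": " ip ospf mtu-ignore" in tun,
            "psk": key.group(1), "psk_addr": (key.group(2), key.group(3))}

def lint(fgt_text, ios_text):
    """Return (code, message) findings; an empty list means the two sides agree."""
    f, c = parse_fgt(fgt_text), parse_ios(ios_text)
    out = []
    if f["ike"] != c["ike"] or f["ike_grp"] != c["ike_grp"]:
        out.append(("IKE", f"phase1 {f['ike']} group {f['ike_grp']} vs isakmp {c['ike']} group {c['ike_grp']}"))
    if f["esp"] != c["esp"]:
        out.append(("ESP", f"phase2 {f['esp']} vs transform-set {c['esp']}"))
    if f["tun_peer"] != c["tun_ip"]:
        out.append(("PEER", f"remote-ip {f['tun_peer']} must be the Cisco Tunnel address {c['tun_ip']}"))
    if not (f["mtu_ignore"] and c["mtu_ignore"]):
        out.append(("MTU", "mtu-ignore missing on one side; OSPF will stick in ExStart"))
    if f["psk"] != c["psk"]:
        out.append(("PSK_MISMATCH", "pre-shared keys differ"))
    if c["psk_addr"] == ("0.0.0.0", "0.0.0.0"):
        out.append(("PSK_WILDCARD", "Cisco key is offered to any peer; bind it to the FortiGate port1 address"))
    if len(f["psk"]) < 16:
        out.append(("PSK_WEAK", f"pre-shared key is {len(f['psk'])} characters; use a long random key"))
    return out
```

Run as-is, lint(FGT_CONF, IOS_CONF) reports only PSK_WILDCARD and PSK_WEAK for the article's values; edit the embedded strings, or read in saved configurations, to see the IKE, ESP, PEER and MTU findings.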
 
 
Troubleshooting
 
The 'get router info ospf neighbor' CLI command shows the state of the OSPF adjacency.
Without MTU ignore enabled on both devices, the neighbor is stuck in the 'ExStart' state, as in the output below; under normal circumstances the state should read 'Full'.
 
VPN-502 # get router info ospf neighbor
 
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   ExStart/ -      00:00:39    192.168.111.2   Cisco-VTI