Article Id 193253
Introduction

This article describes how to configure an IPSec VPN on a FortiGate unit to work with a Cisco PIX firewall.
Components
  • FortiGate unit with FortiOS v3.0 firmware, MR5 Patch 2 or later
  • Cisco PIX with IOS version 6.3(1) or 6.3(3)
Network Diagram
(Network diagram image not reproduced here.)
Prerequisites
  • The FortiGate unit must be in NAT mode.
Configure FortiGate VPN Phase 1

To configure using the Web-based Manager

  1. Go to VPN > IPSec > Auto-Key and select Phase 1.
  2. Enter the following:
    Name: VPN name. For example, GW-FG-PIX.
    Remote Gateway: Static IP Address
    IP Address: The public IP address of the Cisco appliance. For example, 203.200.216.194.
    Local Interface: The interface that connects to the remote VPN: WAN1
    Mode: Main (default)
    Authentication Method: Preshared Key
    Pre-shared Key: The same preshared key configured on the Cisco appliance.

    Note that from v5.2.x the pre-shared key must be at least 6 characters long. If upgrading from an earlier version, the pre-shared key must be extended for the tunnel to work properly.
  3. Select Advanced and enter the following:
    Enable IPSec Interface Mode: Disable
    P1 Proposal: 1 - Encryption 3DES, Authentication SHA1 (default)
    Delete proposal 2
    DH Group: 2
    Keylife: 86400 (default)
    Nat-traversal: Disable
    Dead Peer Detection: Disable
  4. Select OK.

To configure using the CLI:

Using the example configuration, enter the following commands. The ENC value shown for psksecret is the encrypted form displayed by the unit; when configuring, enter the pre-shared key itself.

config vpn ipsec phase1
  edit "GW-FG-PIX"
    set interface wan1
    set dpd disable
    set nattraversal disable
    set dhgrp 2
    set proposal 3des-sha1
    set keylife 86400
    set remote-gw 203.200.216.194
    set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  end
Configure FortiGate VPN Phase 2

When you configure the IPSec VPN phase 2, you set the source selector to the private network behind the FortiGate unit, and set the destination selector to the private network behind the Cisco appliance.

To configure using the Web-based Manager

  1. Go to VPN > IPSec > Auto-Key and select Phase 2.
  2. Enter the following:
    Name: A name for the VPN Phase 2 configuration. For example, Tunnel-FG-PIX.
    Phase 1: Phase 1 configuration name: GW-FG-PIX
  3. Select Advanced and enter the following:
    P2 Proposal: 1 - Encryption 3DES, Authentication SHA1
    Delete proposal 2
    Enable replay detection: Disable
    Enable perfect forward secrecy: Disable
    DH Group: 5
    Keylife: 86400 seconds
    Autokey Keep Alive: Enable
    Source Address: 10.1.4.0/24
    Destination Address: 192.192.192.0/24
  4. Select OK.

Using the CLI

Using the example configuration, enter the following commands.

config vpn ipsec phase2
  edit Tunnel-FG-PIX
    set dhgrp 5
    set keepalive enable
    set phase1name GW-FG-PIX
    set proposal 3des-sha1
    set pfs disable
    set replay disable
    set keylife-type seconds
    set keylifeseconds 86400
    set src-addr-type subnet
    set src-subnet 10.1.4.0 255.255.255.0
    set dst-addr-type subnet
    set dst-subnet 192.192.192.0 255.255.255.0
  end
Configure FortiGate Firewall Addresses

Create firewall addresses for the private networks at either end of the VPN.

To configure using the Web-based Manager

  1. Go to Firewall > Address and select Create New.
  2. Enter the following:
    Address Name: A name for the address. For example:
      "LocalLAN" for the network behind the FortiGate unit.
      "Site2_net" for the network behind the Cisco appliance.
    Type: Subnet/IP Range
    Subnet/IP Range: The network address and subnet mask. For example:
      Enter "10.1.4.0 255.255.255.0" for LocalLAN.
      Enter "192.192.192.0 255.255.255.0" for Site2_net.
  3. Select OK.

Using the CLI

Using the example configuration, enter the following commands.

config firewall address
  edit "LocalLAN"
    set subnet 10.1.4.0 255.255.255.0
  next
  edit "Site2_net"
    set subnet 192.192.192.0 255.255.255.0
  end
Configure FortiGate Firewall Policy

The IPSec firewall policy allows communication in both directions between hosts on the network behind the FortiGate unit and hosts behind the Cisco appliance.

To configure using the Web-based Manager

  1. Go to Firewall > Policy and select Create New.
  2. Enter the following:
    Source Interface/Zone: The interface connected to the local network: internal.
    Source Address: The firewall address of the local network: LocalLAN.
    Destination Interface/Zone: The interface that connects to the remote network: WAN1.
    Destination Address: The firewall address of the remote network: Site2_net.
    Schedule: always
    Service: ANY
    Action: IPSEC
    VPN Tunnel: GW-FG-PIX
    Allow inbound: Enable
    Allow outbound: Enable
    Inbound NAT: Disable
    Outbound NAT: Disable
  3. Select OK.

Using the CLI

Using the example configuration, enter the following commands.

config firewall policy
  edit 1
    set srcintf internal
    set dstintf wan1
    set srcaddr LocalLAN
    set dstaddr Site2_net
    set action ipsec
    set inbound enable
    set outbound enable
    set natinbound disable
    set natoutbound disable
    set schedule always
    set service ANY
    set vpntunnel GW-FG-PIX
  end
Configure Cisco appliance

The Cisco PIX appliance is configured using its CLI.

To configure Cisco PIX Phase 1, enter the following commands:

isakmp enable outside
isakmp key ******* address 61.95.205.173 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

To configure Cisco PIX Phase 2, enter the following:

crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto map test 10 ipsec-isakmp
crypto map test 10 match address BGLR
crypto map test 10 set peer 61.95.205.173
crypto map test 10 set transform-set fortinet
crypto map test interface outside
crypto map test 10 set security-association lifetime seconds 86400

Additional Cisco PIX Policies

Set access control list (ACL) for desired VPN traffic and bypass NAT:

access-list BGLR permit ip 192.192.192.0 255.255.255.0 10.1.4.0 255.255.255.0
nat (inside) 0 access-list BGLR
sysopt connection permit-ipsec
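The values that must match across the two configurations above are easy to mistype on one side. As an added check that is not part of this article and not a Fortinet or Cisco tool, the following Python script parses the parameter lines from both ends, reports any Phase 1/Phase 2 value or traffic selector that does not agree, and lists the protections this example disables (PFS and replay detection). The embedded configuration strings are constructed from this article's values; P1_MAP, P2_MAP and the function names are assumptions of the example.

```python
import re
# Constructed sample input: the FortiGate and Cisco PIX lines from this article that must agree.
FORTIGATE_CFG = """config vpn ipsec phase1
    set dhgrp 2
    set proposal 3des-sha1
  end
config vpn ipsec phase2
    set proposal 3des-sha1
    set pfs disable
    set replay disable
    set src-subnet 10.1.4.0 255.255.255.0
    set dst-subnet 192.192.192.0 255.255.255.0
  end"""
PIX_CFG = """isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
access-list BGLR permit ip 192.192.192.0 255.255.255.0 10.1.4.0 255.255.255.0"""
P1_MAP = {"3des-sha1": {"encryption": "3des", "hash": "sha"}}  # FortiOS proposal -> PIX spelling
P2_MAP = {"3des-sha1": "esp-3des esp-sha-hmac"}  # only the proposal this article uses

def parse_fortigate(cfg):
    # Collect 'set <key> <value>' per 'config vpn ipsec <phase>' block
    phases, cur = {}, {}
    for words in map(str.split, cfg.splitlines()):
        if words[:3] == ["config", "vpn", "ipsec"]:
            cur = phases.setdefault(words[3], {})
        elif words[:1] == ["set"]:
            cur[words[1]] = " ".join(words[2:])
    return phases

def parse_pix(cfg):
    # ISAKMP policy values, the ESP transform set and the crypto-map ACL selectors
    pix = dict(re.findall(r"isakmp policy \d+ (encryption|hash|group) (\S+)", cfg))
    for key, pat in (("transform", r"transform-set \S+ (.+)"), ("acl", r"permit ip (.+)")):
        m = re.search(pat, cfg)
        pix[key] = m.group(1) if m else None
    return pix

def check_interop(fg_cfg, pix_cfg):
    # Returns (mismatches, warnings): a mismatch stops the tunnel; a warning is a disabled protection
    fg, pix = parse_fortigate(fg_cfg), parse_pix(pix_cfg)
    p1, p2 = fg["phase1"], fg["phase2"]
    expected = {**P1_MAP[p1["proposal"]], "group": p1["dhgrp"],
                "transform": P2_MAP[p2["proposal"]],
                # the PIX ACL is written from its own side, so the selectors are mirrored
                "acl": p2["dst-subnet"] + " " + p2["src-subnet"]}
    mismatches = [k for k, v in expected.items() if pix.get(k) != v]
    warnings = [k for k in ("pfs", "replay") if p2.get(k) == "disable"]
    return mismatches, warnings
```

Feed it the real output of show (FortiGate) and show running-config (PIX) in place of the constructed strings to check a live pair; an empty mismatch list is the expected result for the configuration in this article.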
Testing the VPN

You can test the VPN by pinging addresses on the remote LAN. You can also use the following commands to verify VPN operation:

diag vpn tunnel list      On the FortiGate unit, lists operating VPN tunnels
show crypto isakmp sa     On the Cisco PIX appliance, shows the Phase 1 security associations
show crypto ipsec sa      On the Cisco PIX appliance, shows the Phase 2 security associations
Troubleshooting

FortiGate debug commands

diag debug enable
diag debug application ike 2

Displays the phase 1 and phase 2 negotiations.

Cisco PIX debug commands

debug crypto isakmp    Displays messages about IKE events
debug crypto ipsec     Displays information about IPSec events

Related Articles

List of articles about FortiGate IPSec VPN interoperability