Fortigate to ASA VPN Solutions

Introduction

Site-to-site VPNs are a common requirement in organizations that must connect equipment from several vendors. Here we go through the process of introducing a Fortigate firewall into a Cisco ASA environment to support a migration from the Cisco ASA platform to the Fortinet Fortigate. The steps covered are:

  • IKEv1 IPSec tunnel configuration on the Fortigate Firewall
  • IKEv2 IPSec tunnel configuration on the Fortigate Firewall


While IKEv1 is now considered a legacy protocol, it is still widely deployed and therefore worth covering. Where a migration away from IKEv1 is feasible, or for a new deployment, IKEv2 should be the approach chosen. In our topology we explore both options, as shown in the diagram below.

Base Fortigate Configuration

The first thing we need to do is get the Fortigate into a working condition. The basic requirements to get it ready for the IPSec configuration are the following.

  • LAN interface configuration – these are the interfaces which will have traffic encrypted.
  • WAN interface configuration – this is the interface over which the tunnel will traverse.
  • Routing – we need routing in place to direct the traffic toward the peer so the endpoints are reachable and the tunnel can form.

Interfaces

The first interfaces we will configure are the LAN interfaces, in this case VLANs 1400 and 1401 as per the topology diagram. These networks sit behind a switch connected to "port1".

config system interface
    edit "vlan1400"
        set vdom "root"
        set ip 10.100.100.1 255.255.255.0
        set allowaccess ping https ssh
        set device-identification enable
        set role lan
        set snmp-index 9
        set interface "port1"
        set vlanid 1400
    next
end

config system interface
    edit "vlan1401"
        set vdom "root"
        set ip 10.100.200.1 255.255.255.0
        set allowaccess ping https ssh
        set device-identification enable
        set role lan
        set interface "port1"
        # vlanid corrected from 1400 (a copy-paste error in the original); snmp-index is
        # omitted because 9 is already used by vlan1400 and FortiOS allocates one automatically
        set vlanid 1401
    next
end

The next interface we need to configure is the WAN interface, which in this instance is "port2".

config system interface
    edit "port2"
        set vdom "root"
        # assumed WAN address on the ISP subnet: the original listed 10.100.200.1, which
        # overlaps vlan1401 and cannot reach the 192.0.2.1 gateway used by the default route
        set ip 192.0.2.2 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 2
    next
end

Basic Routing

We need a default route so the Fortigate can reach the internet and build the IPSec tunnels over it. This is a single static default route, configured as below, with the gateway being the ISP NTE.

config router static
    edit 1
        set gateway 192.0.2.1
        set device "port2"
    next
end
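Before pushing the base configuration it is worth checking that no two interface subnets overlap and that the default gateway actually sits on the exit interface, since FortiOS rejects overlapping interface addresses and a gateway off-subnet leaves the tunnel endpoints unreachable. The check below is an added example, not part of the original post; the port2 address is assumed, as the post does not state the WAN address.

```python
import ipaddress

# Interface addressing from the article; the port2 (WAN) address is an assumption.
INTERFACES = {
    "vlan1400": "10.100.100.1/24",
    "vlan1401": "10.100.200.1/24",
    "port2": "192.0.2.2/24",  # assumed WAN address on the ISP subnet
}
DEFAULT_GATEWAY, WAN_DEVICE = "192.0.2.1", "port2"


def addressing_errors(interfaces=INTERFACES, gateway=DEFAULT_GATEWAY, device=WAN_DEVICE):
    """Return problems FortiOS would reject or that would break routing:
    overlapping interface subnets, and a default gateway not on the exit interface."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in interfaces.items()}
    errors = []
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                errors.append(f"{a} and {b} overlap on {nets[a]}")
    if ipaddress.ip_address(gateway) not in nets[device]:
        errors.append(f"gateway {gateway} is not on {device} ({nets[device]})")
    return errors


if __name__ == "__main__":
    for err in addressing_errors():
        print("ERROR:", err)
```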

IPSec VPN Configuration

Now that the base configuration is in place, we can move on to the next steps to enable communication with the remote sites. Our remote sites consist of one site with an IKEv1 implementation and one site with an IKEv2 implementation.

IPSec IKEv1 Phase 1

For the first site we need to configure the IKEv1 Phase 1. The important point is to ensure that the fields below match on both peers.

  • Pre-shared key: in this instance we are using a pre-shared key; whatever authentication method is used, it has to be agreed by both sides of the tunnel.
  • Proposal: the tunnel peers need to agree a proposal for encryption, hashing and also the DH group. The default DH groups for IKEv1 Phase 1 tunnels are 5 and 14 and as such are only listed in the ‘.
  • The remote-gw must match the remote peer's internet-facing address, as this is the endpoint the tunnel is built to.


config vpn ipsec phase1
    edit "Site1-VPN"
        set interface "port2"
        set peertype any
        set proposal aes256-sha1
        set remote-gw 198.51.100.2
        set psksecret <secret>
    next
end

IPSec IKEv2 Phase 1

Much like the IKEv1 Phase 1 configuration, the proposals and keys need to match and the remote-gw needs to be the tunnel peer. It is also worth noting that to create an IKEv2 Phase 1 tunnel the IKE version must be specified explicitly.

config vpn ipsec phase1
    edit "Site2-VPN"
        set interface "port2"
        set ike-version 2
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 aes256-sha256
        set dhgrp 19
        set remote-gw 203.0.113.2
        set psksecret <secret>
    next
end

IPSec Phase 2

When a VPN tunnel is created the crypto engine allocates Security Parameter Index (SPI) numbers to track each security association; the SPI is carried in the IPSec packet header. As we are building VPN tunnels to a Cisco ASA deployment for a migration, we need to create one Phase 2 per subnet pair. This is due to the behaviour of the Cisco ASA, which expects a separate SPI per subnet pair, whereas a Fortigate would otherwise use a single SPI for all Phase 2 selectors to a single endpoint. Below is the Phase 2 configuration for the IKEv1 VPN to "Site-1". We need a Phase 2 for each of these subnet pairs.

  • 10.100.100.0/24 -> 10.10.10.0/24
  • 10.100.100.0/24 -> 10.10.20.0/24
  • 10.100.200.0/24 -> 10.10.10.0/24
  • 10.100.200.0/24 -> 10.10.20.0/24


The Phase 2 proposal must also match, and if Perfect Forward Secrecy (PFS) is in use it needs to be enabled on both sides. We are not using PFS in this instance, so the feature is disabled.

config vpn ipsec phase2
    edit "Site1-VPN-1"
        set phase1name "Site1-VPN"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 10.100.100.0 255.255.255.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end

config vpn ipsec phase2
    edit "Site1-VPN-2"
        set phase1name "Site1-VPN"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 10.100.100.0 255.255.255.0
        set dst-subnet 10.10.20.0 255.255.255.0
    next
end

config vpn ipsec phase2
    edit "Site1-VPN-3"
        set phase1name "Site1-VPN"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 10.100.200.0 255.255.255.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end

config vpn ipsec phase2
    edit "Site1-VPN-4"
        set phase1name "Site1-VPN"
        set proposal aes256-sha1
        set pfs disable
        set src-subnet 10.100.200.0 255.255.255.0
        set dst-subnet 10.10.20.0 255.255.255.0
    next
end

Now we need to build the Phase 2 configuration for the IKEv2 tunnel. We need Phase 2 selectors for each of these subnet pairs.

  • 10.100.100.0/24 -> 10.10.30.0/24
  • 10.100.100.0/24 -> 10.10.40.0/24
  • 10.100.200.0/24 -> 10.10.30.0/24
  • 10.100.200.0/24 -> 10.10.40.0/24

config vpn ipsec phase2
    edit "Site2-VPN-1"
        set phase1name "Site2-VPN"
        set proposal aes256-sha256 aes256-sha512
        set pfs disable
        set src-subnet 10.100.100.0 255.255.255.0
        set dst-subnet 10.10.30.0 255.255.255.0
    next
end

config vpn ipsec phase2
    edit "Site2-VPN-2"
        set phase1name "Site2-VPN"
        set proposal aes256-sha256 aes256-sha512
        set pfs disable
        set src-subnet 10.100.100.0 255.255.255.0
        set dst-subnet 10.10.40.0 255.255.255.0
    next
end

config vpn ipsec phase2
    edit "Site2-VPN-3"
        set phase1name "Site2-VPN"
        set proposal aes256-sha256 aes256-sha512
        set pfs disable
        set src-subnet 10.100.200.0 255.255.255.0
        set dst-subnet 10.10.30.0 255.255.255.0
    next
end

config vpn ipsec phase2
    edit "Site2-VPN-4"
        set phase1name "Site2-VPN"
        set proposal aes256-sha256 aes256-sha512
        set pfs disable
        set src-subnet 10.100.200.0 255.255.255.0
        set dst-subnet 10.10.40.0 255.255.255.0
    next
end

Firewall Policies

We now need firewall policies to allow traffic into the tunnel. The first step is to create address objects for use in those policies. In our example the objects only need to represent the remote end, as all traffic from the VLAN interfaces destined for the remote subnets is to be encrypted.

config firewall address
    edit "10.10.10.0"
        set subnet 10.10.10.0 255.255.255.0
    next
end

config firewall address
    edit "10.10.20.0"
        set subnet 10.10.20.0 255.255.255.0
    next
end

config firewall address
    edit "10.10.30.0"
        set subnet 10.10.30.0 255.255.255.0
    next
end

config firewall address
    edit "10.10.40.0"
        set subnet 10.10.40.0 255.255.255.0
    next
end

With the objects in place, we move on to the firewall policies. We need a policy for each local subnet to each remote subnet across both IPSec tunnels, to Site-1 and Site-2. Each policy's action must encrypt the traffic into the IPSec tunnel, so it references the previously defined Phase 1 by name.

We have policies defined for these traffic flows.

  • 10.100.100.0/24 -> 10.10.10.0/24
  • 10.100.100.0/24 -> 10.10.20.0/24
  • 10.100.100.0/24 -> 10.10.30.0/24
  • 10.100.100.0/24 -> 10.10.40.0/24
  • 10.100.200.0/24 -> 10.10.10.0/24
  • 10.100.200.0/24 -> 10.10.20.0/24
  • 10.100.200.0/24 -> 10.10.30.0/24
  • 10.100.200.0/24 -> 10.10.40.0/24

config firewall policy
    edit 1
        set srcintf "vlan1400"
        set dstintf "port2"
        set action ipsec
        set srcaddr "all"
        set dstaddr "10.10.10.0"
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "Site1-VPN"
    next
end

config firewall policy
    edit 2
        set srcintf "vlan1400"
        set dstintf "port2"
        set action ipsec
        set srcaddr "all"
        set dstaddr "10.10.20.0"
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "Site1-VPN"
    next
end

config firewall policy
    edit 3
        set srcintf "vlan1401"
        set dstintf "port2"
        set action ipsec
        set srcaddr "all"
        set dstaddr "10.10.10.0"
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "Site1-VPN"
    next
end

config firewall policy
    # policy id corrected from 3 (duplicated in the original); ids must be unique
    edit 4
        set srcintf "vlan1401"
        set dstintf "port2"
        set action ipsec
        set srcaddr "all"
        set dstaddr "10.10.20.0"
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "Site1-VPN"
    next
end

config firewall policy
    edit 11
        set srcintf "vlan1400"
        set dstintf "port2"
        set action ipsec
        set srcaddr "all"
        set dstaddr "10.10.30.0"
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "Site2-VPN"
    next
end

config firewall policy
    edit 12
        set srcintf "vlan1400"
        set dstintf "port2"
        set action ipsec
        set srcaddr "all"
        set dstaddr "10.10.40.0"
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "Site2-VPN"
    next
end

config firewall policy
    edit 13
        set srcintf "vlan1401"
        set dstintf "port2"
        set action ipsec
        set srcaddr "all"
        set dstaddr "10.10.30.0"
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "Site2-VPN"
    next
end

config firewall policy
    # policy id corrected from 13 (duplicated in the original); ids must be unique
    edit 14
        set srcintf "vlan1401"
        set dstintf "port2"
        set action ipsec
        set srcaddr "all"
        set dstaddr "10.10.40.0"
        set schedule "always"
        set service "ALL"
        set inbound enable
        set vpntunnel "Site2-VPN"
    next
end
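Because the ASA needs one Phase 2 selector per subnet pair and one policy per VLAN-to-remote flow, the block count grows with the product of local and remote subnets, and hand-copied blocks are where duplicate policy ids and mismatched subnets creep in. The generator below is an added example, not code from the original post or from Fortinet: it derives both the Phase 2 selectors and the policy-based IPsec rules from the article's topology, using the post's naming (Site1-VPN-1 ... and address objects named after the remote network) and assuming sequential policy ids starting at 1 and 11.

```python
import ipaddress
from itertools import product

# Topology from the article: two local VLANs and, per ASA site, two remote subnets.
LOCAL = {"vlan1400": "10.100.100.0/24", "vlan1401": "10.100.200.0/24"}
SITES = {  # phase 1 name -> (remote subnets, phase 2 proposal, first policy id)
    "Site1-VPN": (["10.10.10.0/24", "10.10.20.0/24"], "aes256-sha1", 1),
    "Site2-VPN": (["10.10.30.0/24", "10.10.40.0/24"], "aes256-sha256 aes256-sha512", 11),
}

def _net(cidr):
    """Render a CIDR in the 'address netmask' form the FortiOS CLI expects."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"

def phase2_config(site, remotes, proposal):
    """One phase 2 selector per (local, remote) pair, since the ASA expects an SA per subnet pair."""
    lines = ["config vpn ipsec phase2"]
    for i, (src, dst) in enumerate(product(LOCAL.values(), remotes), start=1):
        lines += [f'    edit "{site}-{i}"', f'        set phase1name "{site}"',
                  f"        set proposal {proposal}", "        set pfs disable",
                  f"        set src-subnet {_net(src)}", f"        set dst-subnet {_net(dst)}",
                  "    next"]
    return lines + ["end"]

def policy_config(site, remotes, first_id):
    """One policy-based IPsec rule per (VLAN, remote) pair with a unique, sequential policy id."""
    lines = ["config firewall policy"]
    for pid, (vlan, dst) in enumerate(product(LOCAL, remotes), start=first_id):
        obj = str(ipaddress.ip_network(dst).network_address)  # address object named after the subnet
        lines += [f"    edit {pid}", f'        set srcintf "{vlan}"', '        set dstintf "port2"',
                  "        set action ipsec", '        set srcaddr "all"', f'        set dstaddr "{obj}"',
                  '        set schedule "always"', '        set service "ALL"',
                  "        set inbound enable", f'        set vpntunnel "{site}"', "    next"]
    return lines + ["end"]

def policy_ids(lines):
    """Numeric policy ids in generated config; a duplicate here would be rejected by the CLI."""
    return [int(l.split()[1]) for l in lines if l.strip().startswith("edit ") and l.split()[1].isdigit()]

def build_all():
    out = []
    for site, (remotes, proposal, first_id) in SITES.items():
        out += phase2_config(site, remotes, proposal) + policy_config(site, remotes, first_id)
    return out

if __name__ == "__main__":
    print("\n".join(build_all()))
```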

Verification

We can verify that the tunnels have been built using the command ‘diagnose vpn tunnel list’. Its output shows the details of each tunnel, including the source and destination subnets and the encrypt and decrypt packet counters that confirm traffic is actually being protected.

Here we have the verification for the Site-1 IKEv1 VPN

This is the verification of the Site-2 IKEv2 VPN