How to Configure IPsec VPN between Cisco FTD/FMC and Fortinet Firewall

This post is about configuring an IPsec VPN between a Cisco FTD (Firepower Threat Defense) firewall managed by FMC and a Fortinet FortiGate firewall.

Environment

Cisco FTD firewall on routed mode and managed by FMC

Fortinet FortiGate Firewall

Note: Feel free to modify the Phase 1 and Phase 2 settings based on your security requirements, as long as both sides stay identical.

Fortinet FortiGate Firewall Configuration

Go to “VPN – IPsec Tunnels – Create New – IPsec Tunnel”, give it a name and select “Custom”.

Configure the VPN tunnel sections as below:

Network
Authentication / IKE
Phase 1 Proposal
Phase 2 Selectors

Please make sure “Replay Detection” and “PFS” are DISABLED in the Phase 2 settings.

Add new security policies to allow inter-site traffic.
Add new routes so the firewall knows how to route the traffic for the remote network into the tunnel.
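The FortiGate steps above, as an added CLI example (not from the original post): a "Custom" tunnel created in the GUI is an interface-mode tunnel, so it corresponds to phase1-interface / phase2-interface objects, a static route through the tunnel interface and a firewall policy. The interface names, subnets, peer address and pre-shared key are constructed placeholders; the proposal, DH group and lifetimes are assumptions that must match whatever you configure in the FMC IKEv1 and IPsec policies. Note the two settings the post calls out, `set pfs disable` and `set replay disable`.

```fortios
# --- Phase 1 (IKEv1, main mode, pre-shared key) ---
config vpn ipsec phase1-interface
    edit "to-ftd"
        set interface "wan1"             # assumed outside interface
        set ike-version 1
        set peertype any
        set proposal aes256-sha256       # must equal the FMC IKEv1 policy
        set dhgrp 14                     # must equal the FMC IKEv1 DH group
        set keylife 86400                # IKE SA lifetime (seconds), match FMC
        set remote-gw 203.0.113.10       # constructed FTD public IP
        set psksecret "REPLACE-WITH-PSK" # placeholder, same value on FTD
    next
end

# --- Phase 2 (IPsec), PFS and replay detection off as the post requires ---
config vpn ipsec phase2-interface
    edit "to-ftd-p2"
        set phase1name "to-ftd"
        set proposal aes256-sha256       # must equal the FMC IPsec proposal
        set pfs disable                  # FTD crypto map in this post has no PFS
        set replay disable               # "Replay Detection" off
        set keylifeseconds 28800         # assumed, match the FMC IPsec lifetime
        set src-subnet 192.168.10.0 255.255.255.0   # constructed local LAN
        set dst-subnet 192.168.20.0 255.255.255.0   # constructed FTD-side LAN
    next
end

# --- Address objects used by the policy ---
config firewall address
    edit "local-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "ftd-remote-lan"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# --- Route the remote network into the tunnel interface ---
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "to-ftd"
    next
end

# --- Security policy allowing inter-site traffic in both directions ---
config firewall policy
    edit 0
        set name "lan-to-ftd"
        set srcintf "internal"           # assumed inside interface
        set dstintf "to-ftd"
        set srcaddr "local-lan"
        set dstaddr "ftd-remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "ftd-to-lan"
        set srcintf "to-ftd"
        set dstintf "internal"
        set srcaddr "ftd-remote-lan"
        set dstaddr "local-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because the FortiGate side is interface-based while the FTD side is a crypto map, the Phase 2 selectors (`src-subnet` / `dst-subnet`) must mirror the protected-network objects on the FMC spoke exactly; a selector that is wider or narrower than the FTD's crypto ACL is another cause of a Phase 2 "no proposal chosen" failure.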

Cisco FMC/FTD Configuration

Log into Cisco FMC, go to “Objects – VPN – IKEv1 Policy” and configure the same encryption/hash/DH group as you did on the FortiGate firewall.

Configure the Phase 2 IPsec policy (IPsec proposal), again matching the FortiGate Phase 2 proposal.

Go to “Devices – Site to Site” and add your VPN.

In this example, I am adding a “spoke” location under this “Policy Based (Crypto Map)” topology.

Add a new spoke node with the FortiGate public IP and the remote network object(s).

Make sure the pre-configured IKEv1 policy is selected under the IKE Phase 1 configuration.

Make sure the IPsec Phase 2 policy is selected and that the lifetime, etc., are the same as on the FortiGate firewall.

Advanced settings under VPN Topology

Add the needed “NO-NAT” rules so that inter-site traffic towards the FortiGate remote network is NOT NATed; otherwise the source addresses will not match the crypto map selectors and the traffic will never enter the tunnel.

Troubleshooting

The IPsec tunnel does not come up and FortiGate shows the error “IPsec phase 1 error” or “no proposal chosen”; when you try to bring up the tunnel from the FortiGate GUI, only Phase 1 turns green. In my case, the issue was that “Replay Detection” and “PFS” were enabled on the FortiGate Phase 2 selector.

Turn both features off to fix the issue.
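The FortiGate commands below are an added example for checking the symptom described above (Phase 1 up, Phase 2 failing with "no proposal chosen"); they are not from the original post. The tunnel names and peer IP are constructed placeholders, and the exact `diagnose vpn ike log filter` keyword differs between FortiOS releases.

```fortios
# Which SAs exist? Phase 1 present but no Phase 2 matches the post's symptom
get vpn ipsec tunnel summary
diagnose vpn ike gateway list name to-ftd
diagnose vpn tunnel list name to-ftd

# Capture IKE negotiation for this peer only (constructed FTD public IP)
diagnose vpn ike log filter rem-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

# Force a fresh negotiation and watch the Phase 2 (quick mode) exchange
diagnose vpn ike gateway clear name to-ftd
diagnose vpn tunnel up to-ftd-p2

# Stop debugging when finished
diagnose debug disable
diagnose debug reset
```

In the debug output, a Phase 2 "no proposal chosen" right after quick mode starts means the FTD rejected the FortiGate's proposal. Compare, in order: the IPsec encryption/hash pair, whether PFS (a DH group in quick mode) is offered when the other side expects none, the replay-detection setting, and the Phase 2 selectors against the FTD protected networks.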

Useful link (Cisco FMC site-to-site VPN configuration guide)

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_threat_defense_site_to_site_vpns.html
