This post is about configuring an IPsec VPN between a Cisco Firepower FTD (managed by FMC) and a Fortinet FortiGate firewall
Environment
Cisco FTD firewall in routed mode and managed by FMC
Fortinet FortiGate Firewall
Note: Feel free to modify the Phase1 and Phase2 settings based on your security requirements
Fortinet FortiGate Firewall Configuration
Go to “VPN – IPsec Tunnels – Create New – IPsec Tunnel”, give it a name and select “Custom”
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-fortigate-ipsec-vpn-creation-wizard.png)
Configure the VPN Tunnels as below
Network
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-fortigate-ipsec-vpn-network-ip-address-remote-gateway.png)
Authentication /IKE
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-fortigate-ipsec-vpn-phase1-authentication-ike-main.png)
Phase1 Proposal
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-fortigate-ipsec-vpn-phase1-proposal.png)
Phase2 Selectors
Please make sure “Replay Detection” and “PFS” are DISABLED
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-fortigate-ipsec-vpn-phase2-selectors.png)
Add new security policies to allow inter-site traffic
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-fortigate-ipsec-vpn-security-policy-1024x61.png)
Add new routes so the firewall knows how to route the traffic
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-fortigate-ipsec-vpn-static-routes-1024x267.png)
Cisco FMC/FTD Configuration
Log into Cisco FMC, go to “Objects – VPN – IKEv1 Policy” and configure the same encryption/hash/DH group as configured on the FortiGate firewall
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-objects-vpn-ikev1-policy-1024x816.png)
Configure the Phase 2 IPsec policy
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-objectes-vpn-ikev1-ipsec-proposal-1024x816.png)
Go to ” Devices – Site to Site” and add your VPN
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-ftd-devices-site-to-site.png)
In this example, I am adding a “spoke” location under this “Policy Based (Crypto Map)” topology
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-ftd-edit-vpn-topology-policy-based-hub-and-spoke-1024x640.png)
Add a new spoke node with the FortiGate public IP and the remote network object(s)
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-ftd-site-to-site-vpn-edit-endpoint-1024x668.png)
Make sure the pre-configured IKEv1 policy is selected under the IKE Phase 1 configuration
![](https://ictfella.com/wp-content/uploads/2022/06/fmc-ftd-site-to-site-edit-vpn-topology-ike-1024x668.png)
Make sure the IPsec Phase 2 policy is selected and that the lifetime etc. are the same as on the FortiGate firewall
![](https://ictfella.com/wp-content/uploads/2022/06/ftd-fortigate-ipsec-vpn-edit-vpn-topology-ipsec-proposals.png)
Advanced settings under VPN Topology
![](https://ictfella.com/wp-content/uploads/2022/06/ftd-fortigate-ipsec-vpn-advanced-ike-isakamp-settings.png)
![](https://ictfella.com/wp-content/uploads/2022/06/ftd-fortigate-ipsec-vpn-advanced-ipsec-settings.png)
![](https://ictfella.com/wp-content/uploads/2022/06/ftd-fortigate-ipsec-vpn-advanced-tunnel-options-nat-settings-access-control-for-vpn-traffic.png)
![](https://ictfella.com/wp-content/uploads/2022/06/ftd-fortigate-ipsec-vpn-certificate-map-settings.png)
Add the needed “NO-NAT” rules so that inter-site traffic towards the FortiGate remote network is NOT NATed
![](https://ictfella.com/wp-content/uploads/2022/06/cisco-ftd-ipsec-vpn-no-nat-rules-1024x120.png)
Troubleshooting
The IPsec tunnel does not come up and the FortiGate reports “IPsec phase 1 error” or “no proposal chosen”; when you try to bring up the tunnel from the FortiGate GUI, only phase 1 turns green. In my case the cause was that “Replay Detection” and “PFS” were enabled.
Turn both features off to fix the issue
![](https://ictfella.com/wp-content/uploads/2022/06/disable-replay-detection-perfect-forward-secrecy.png)
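Because the FMC objects must use the same encryption/hash/DH group and lifetimes as the FortiGate, and a leftover PFS setting is exactly what produced the "no proposal chosen" error above, here is a small pre-deployment cross-check as an added example (not from the original post or either vendor). It assumes you have transcribed each peer's phase 1 and phase 2 settings into Python dicts in that vendor's own vocabulary; all sample values are constructed.

```python
"""Cross-check the IKEv1 phase 1 and IPsec phase 2 settings of a FortiGate
peer against the matching Cisco FTD/FMC objects before pushing them.
All sample settings below are constructed for this example; the vendor
name maps cover only the common algorithm names."""

# FortiGate and FMC name the same algorithms differently; map both to one
# vocabulary so "aes256/sha1" on one side equals "aes-256/sha" on the other.
FG_NAMES = {"aes128": "aes-128", "aes256": "aes-256", "3des": "3des",
            "sha1": "sha-1", "sha256": "sha-256", "md5": "md5"}
FTD_NAMES = {"aes": "aes-128", "aes-256": "aes-256", "3des": "3des",
             "sha": "sha-1", "sha256": "sha-256", "md5": "md5"}

def normalise(side, names):
    """Return a copy of one peer's settings in vendor-neutral form."""
    out = {}
    for key, value in side.items():
        if key in ("encryption", "hash"):
            out[key] = names.get(str(value).lower(), str(value).lower())
        elif key == "pfs":
            # Modelled as: "disable"/None/"none" when PFS is off, otherwise
            # the DH group number used for PFS (assumption of this example).
            out[key] = None if value in (None, "disable", "none") else int(value)
        else:
            out[key] = value
    return out

def compare_phase(label, fortigate, ftd):
    """List every setting that differs between the two peers for one phase."""
    fg, cs = normalise(fortigate, FG_NAMES), normalise(ftd, FTD_NAMES)
    return [f"{label} {k}: FortiGate={fg.get(k)!r} FTD={cs.get(k)!r}"
            for k in sorted(set(fg) | set(cs)) if fg.get(k) != cs.get(k)]

def check_tunnel(fg_p1, fg_p2, ftd_p1, ftd_p2):
    """Return all phase 1 and phase 2 mismatches; an empty list means the
    proposals agree, so "no proposal chosen" is not caused by these values."""
    return compare_phase("phase1", fg_p1, ftd_p1) + compare_phase("phase2", fg_p2, ftd_p2)

# Constructed sample: PFS is still enabled on the FortiGate phase 2 selector
# while the FTD IPsec proposal has no PFS group, the mismatch described above.
FORTIGATE_P1 = {"encryption": "aes256", "hash": "sha1", "dh_group": 14, "lifetime": 86400}
FORTIGATE_P2 = {"encryption": "aes256", "hash": "sha1", "pfs": 14, "lifetime": 43200}
FTD_P1 = {"encryption": "aes-256", "hash": "sha", "dh_group": 14, "lifetime": 86400}
FTD_P2 = {"encryption": "aes-256", "hash": "sha", "pfs": None, "lifetime": 43200}

if __name__ == "__main__":
    for line in check_tunnel(FORTIGATE_P1, FORTIGATE_P2, FTD_P1, FTD_P2) or ["OK"]:
        print(line)
```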
Useful link