Friday, October 7, 2016

How to configure an IPsec Site-to-Site VPN between FortiGate and Cisco ASA using IKEv2 (Multiple Subnets)

Introduction

    This document describes a working configuration of an Internet Key Exchange version 2 (IKEv2) IPsec site-to-site tunnel between a Cisco 5505-X Series Adaptive Security Appliance (ASA) running software version 9.3.x and a FortiGate 3810 Series running software version 5.2.5.

Components Used

The information in this document is based on these software and hardware versions:
  • Cisco 5505 Series ASA running software version 9.3
  • FortiGate 3810 running software version 5.2

    Configure on ASA

    This section describes what to verify after configuring the site-to-site VPN tunnel via the Adaptive Security Device Manager (ASDM) VPN wizard or via the CLI.

    1. After running the IPsec wizard, validate the IPsec configuration it generated.
    2. Ensure the local and remote subnets match on both sides (each local subnet on one side is a remote subnet on the other).
    3. Ensure IKEv2 is enabled on both sides.
    4. The pre-shared key must be identical on both sides.
    5. In the IKE policy, include only the policies shown below and remove every other proposal from the ASA.
    6. In the IPsec proposal, include only the proposals shown below and remove every other proposal from the ASA.
    7. On the Advanced tab, it is recommended to use the same SA lifetime on both sides, remove any other settings, and enter the pre-shared key (sometimes it is missing from this list).
    8. Under Firewall > Access Rules, configure a rule that permits traffic between the local subnet and the remote subnet.
    9. Under Firewall, add a route for the remote office subnets pointing towards the outside interface.
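The following ASA CLI configuration is an added example of what the checklist above produces for the multiple-subnet case; it is not the configuration from the original post. All addresses, object names, the peer 203.0.113.2, the next hop 198.51.100.1 and the <PSK> placeholder are constructed assumptions, and the AES-256/SHA-256/DH group 14 proposals stand in for whichever single proposal is agreed with the FortiGate side.

```cisco
! Cisco ASA 9.3, constructed example: one IKEv2 policy and one IPsec proposal only,
! so the peer cannot negotiate anything weaker than what is intended.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Local and remote subnets are grouped; the crypto ACL expands to one entry per
! local/remote pair, and the ASA negotiates one IPsec SA for each pair.
object-group network LOCAL-NETS
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.2.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
access-list VPN-TO-FGT extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
! Identity NAT so that tunnel traffic is not translated before encryption.
nat (inside,outside) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup
crypto map OUTSIDE_MAP 10 match address VPN-TO-FGT
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
! Phase 2 lifetime; keep it equal to the FortiGate phase 2 keylife (step 7).
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside
group-policy GP-FGT internal
group-policy GP-FGT attributes
 vpn-tunnel-protocol ikev2
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-FGT
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>
! Routes for the remote subnets point at the next hop on the outside interface (step 9).
route outside 192.168.10.0 255.255.255.0 198.51.100.1
route outside 192.168.20.0 255.255.255.0 198.51.100.1
```

Because the ASA negotiates a separate IPsec SA per subnet pair, the FortiGate side should carry one phase 2 selector for each local/remote pair rather than a single 0.0.0.0/0 selector, otherwise only the first pair comes up.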

Configure on Fortigate Firewall

 This section describes what to verify after configuring the site-to-site VPN tunnel on the FortiGate firewall.

After running the VPN wizard:
  1. The Phase 1 and Phase 2 proposals must match the ASA side.
  2. Once the configuration is complete, check the status of the tunnel by generating interesting traffic for the VPN or by clicking "Bring up" for the tunnel on the FortiGate.
  3. The last screenshot shows the status of the VPN.

Troubleshooting & Useful Commands

On FortiGate (the log filter limits IKE debug output to the one peer, either by its address or by the phase 1 name, DAI_VPN in this example):

  • diagnose debug disable
  • diagnose debug reset
  • diagnose vpn ike gateway clear
  • diagnose vpn ike log-filter dst-addr4 <remote_address>
  • diagnose vpn ike log-filter name DAI_VPN
  • diagnose debug application ike -1
  • diagnose debug enable

On Cisco ASA:

  • debug crypto ikev2 protocol 127
  • debug crypto ikev2 platform 127
  • show crypto ikev2 sa
  • show crypto ipsec sa

 I hope this helps.