How to configure an IPsec site-to-site VPN between a FortiGate and a Cisco ASA using IKEv2
Introduction
This document describes a working configuration of an Internet Key Exchange version 2 (IKEv2) IPsec site-to-site tunnel between a Cisco 5505-X Series Adaptive Security Appliance (ASA) that runs software Version 9.3.x and a FortiGate 3810 Series that runs software Version 5.2.5.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco 5505 Series ASA that runs software Version 9.3
- FortiGate 3810 that runs software Version 5.2
Configure on ASA
This section describes what to validate after the site-to-site VPN tunnel has been configured via the Adaptive Security Device Manager (ASDM) VPN wizard or via the CLI.
- After running the IPsec wizard, validate the resulting IPsec configuration.
- Ensure the local and remote subnets match on both sites (each side's local subnet is the other side's remote subnet).
- Ensure IKEv2 is enabled on both sites.
- The pre-shared key must be identical on both sites.
- In the IKE policy, include only the policies shown below and remove every other proposal from the ASA.
- In the IPsec proposal, include only the proposals shown below and remove every other proposal from the ASA.
- On the Advanced tab, it is recommended to use the same SA lifetime on both sides and to remove any other settings; also enter the pre-shared key here (it is sometimes missing from this list).
- Under Firewall > Access Rules, configure a rule that permits traffic between the local subnet and the remote subnet.
- Under Firewall, add a route for the remote office subnet pointing toward the outside interface.
Configure on Fortigate Firewall
This section describes what to validate on the FortiGate firewall after the site-to-site VPN tunnel has been configured with the VPN wizard.
- The Phase 1 and Phase 2 proposals must match those configured on the ASA.
- Once the configuration is complete, check the status of the tunnel by generating interesting traffic for the VPN or by clicking "Bring Up" for the tunnel on the FortiGate.
- The last screenshot shows the status of the VPN.
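The checklists for both firewalls come down to one requirement: the IKEv2 phase 1 policy, the phase 2 proposal, PFS, the SA lifetimes and the protected subnets must agree on both ends, with the subnets mirrored. As an added example (not code from the original document or from either vendor), the following Python script parses an ASA running-config fragment and a FortiOS phase1-interface/phase2-interface fragment and reports every parameter that differs. Both configuration fragments embedded in it are constructed samples: the addresses are RFC 5737 documentation addresses, the algorithm and lifetime values are assumptions, and only the tunnel name DAI_VPN is taken from the troubleshooting section of this page.

```python
"""Cross-check the IKEv2 phase 1 / phase 2 settings of an ASA and a FortiGate site-to-site
tunnel.  Added example: both config fragments are constructed (RFC 5737 addresses,
hypothetical values), not taken from the page."""
import re
from ipaddress import ip_network

ASA_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map 1 set pfs group14
crypto map outside_map 1 set security-association lifetime seconds 3600
"""  # constructed ASA 9.x fragment

FGT_CONFIG = """\
config vpn ipsec phase1-interface
    edit "DAI_VPN"
        set ike-version 2
        set keylife 86400
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config vpn ipsec phase2-interface
    edit "DAI_VPN"
        set phase1name "DAI_VPN"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end
"""  # constructed FortiOS 5.2 fragment (DAI_VPN is the tunnel name from the troubleshooting section)

def _grab(pattern, text, default=None):
    """First capture group of a multi-line regex search, or default."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default

def _norm(alg):  # aes-256 / sha-256 (ASA spelling) -> aes256 / sha256 (FortiOS spelling)
    return alg.lower().replace("-", "")

def _net(addr, mask):  # '10.1.0.0', '255.255.255.0' -> '10.1.0.0/24'
    return str(ip_network(f"{addr}/{mask}"))

def parse_asa(text):
    """Phase 1 policy, phase 2 proposal/PFS, lifetimes and the crypto ACL subnets of an ASA."""
    acl = re.search(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M)
    return {
        "IKE version": "2" if "crypto ikev2 policy" in text else "1",
        "phase 1 proposal": {(_norm(_grab(r"^\s*encryption (\S+)", text)),
                             _norm(_grab(r"^\s*integrity (\S+)", text)))},
        "phase 1 DH group": _grab(r"^\s*group (\d+)", text),
        "phase 1 lifetime": _grab(r"^\s*lifetime seconds (\d+)", text),
        "phase 2 proposal": {(_norm(_grab(r"^\s*protocol esp encryption (\S+)", text)),
                             _norm(_grab(r"^\s*protocol esp integrity (\S+)", text)))},
        "phase 2 PFS group": _grab(r"set pfs group(\d+)", text),
        "phase 2 lifetime": _grab(r"set security-association lifetime seconds (\d+)", text),
        "ASA-side subnet": _net(acl.group(1), acl.group(2)),  # ACL source = ASA's local LAN
        "FortiGate-side subnet": _net(acl.group(3), acl.group(4)),
    }

def parse_fortigate(text):
    """Same keys from FortiOS phase1-interface / phase2-interface blocks."""
    blocks = re.split(r"^config ", text, flags=re.M)
    p1 = next(b for b in blocks if b.startswith("vpn ipsec phase1-interface"))
    p2 = next(b for b in blocks if b.startswith("vpn ipsec phase2-interface"))
    def proposals(block):  # "aes256-sha256 aes128-sha1" -> {(enc, integ), ...}
        return {tuple(_norm(a) for a in p.split("-", 1))
                for p in _grab(r"^\s*set proposal (.+)$", block).split()}
    src = re.search(r"^\s*set src-subnet (\S+) (\S+)", p2, re.M)
    dst = re.search(r"^\s*set dst-subnet (\S+) (\S+)", p2, re.M)
    return {
        "IKE version": _grab(r"^\s*set ike-version (\d)", p1, "1"),  # FortiOS defaults to IKEv1
        "phase 1 proposal": proposals(p1),
        "phase 1 DH group": _grab(r"^\s*set dhgrp (\d+)", p1),
        "phase 1 lifetime": _grab(r"^\s*set keylife (\d+)\s*$", p1),
        "phase 2 proposal": proposals(p2),
        "phase 2 PFS group": _grab(r"^\s*set dhgrp (\d+)", p2),  # phase 2 dhgrp is the PFS group
        "phase 2 lifetime": _grab(r"^\s*set keylifeseconds (\d+)", p2),
        # src-subnet is the FortiGate's own LAN, so the subnets are mirrored relative to the ASA ACL
        "FortiGate-side subnet": _net(src.group(1), src.group(2)),
        "ASA-side subnet": _net(dst.group(1), dst.group(2)),
    }

def compare(asa, fgt):
    """Human-readable mismatches; an empty list means both ends agree."""
    return [f"{k}: ASA={asa[k]} FortiGate={fgt[k]}" for k in asa if asa[k] != fgt[k]]

if __name__ == "__main__":
    print(compare(parse_asa(ASA_CONFIG), parse_fortigate(FGT_CONFIG)) or "OK: both ends agree")
```

Run it against the output of `show running-config crypto` and `show running-config access-list` on the ASA and `show vpn ipsec phase1-interface` / `show vpn ipsec phase2-interface` on the FortiGate; each reported line is a parameter the IKE debug output would otherwise reveal only as a failed negotiation. Note that FortiOS enables PFS on phase 2 by default (the phase 2 `dhgrp`), so an ASA crypto map without `set pfs` is a common mismatch this script makes visible.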
Troubleshooting & Useful Commands
On FortiGate:
- diagnose debug disable
- diagnose debug reset
- diagnose vpn ike gateway clear
- diagnose vpn ike log filter dst-addr4 <remote_address> (or filter by tunnel name: diagnose vpn ike log filter name DAI_VPN)
- diagnose debug application ike -1
- diagnose debug enable
Cisco ASA:
- debug crypto ikev2 protocol 127
- debug crypto ikev2 platform 127
- show crypto ikev2 sa
- show crypto ipsec sa