Configuring Site-to-Site IPsec VPN Between FortiGate and Cisco FTD
Establishing site-to-site connectivity between FortiGate and Cisco Secure Firewall (FTD) requires policy-based VPN configuration on the FortiGate side to match FTD's traditional crypto map architecture. The two implementations differ in how they handle Phase 2: FortiGate negotiates one traffic selector per subnet pair, while FTD consolidates the traffic into an extended ACL bound to the crypto map.
FortiGate Configuration
Enable policy-based IPsec mode and define the Phase 1 parameters under config vpn ipsec phase1 (policy-based tunnels do not use phase1-interface, which creates a route-based tunnel that the ipsec firewall policy below cannot reference). Ensure the proposal and DH group match FTD's IKEv2 policy:
config vpn ipsec phase1
    edit "Branch-VPN"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256gcm-prfsha384
        set dhgrp 14
        set remote-gw 203.0.113.50
        set psksecret ComplexPresharedKey2024
        set keylifeseconds 28800
    next
end
FortiGate requires a distinct Phase 2 selector (child SA) for each source-destination subnet pair, so each pair gets its own entry under config vpn ipsec phase2, the policy-based counterpart of phase2-interface. Perfect Forward Secrecy (PFS) is disabled here to match the FTD crypto map:
config vpn ipsec phase2
    edit "Branch-VPN-Net1"
        set phase1name "Branch-VPN"
        set proposal aes256gcm
        set pfs disable
        set keylifeseconds 3600
        set src-subnet 172.16.10.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
    edit "Branch-VPN-Net2"
        set phase1name "Branch-VPN"
        set proposal aes256gcm
        set pfs disable
        set keylifeseconds 3600
        set src-subnet 172.16.20.0 255.255.255.0
        set dst-subnet 192.168.200.0 255.255.255.0
    next
end
Apply the VPN with a firewall policy that uses the ipsec action and references the Phase 1 tunnel by name (the source and destination address objects must already exist):
config firewall policy
    edit 100
        set name "LAN_to_VPN"
        set srcintf "internal"
        set dstintf "port1"
        set action ipsec
        set srcaddr "172.16.10.0/24" "172.16.20.0/24"
        set dstaddr "192.168.100.0/24" "192.168.200.0/24"
        set schedule "always"
        set service "ALL"
        set vpntunnel "Branch-VPN"
    next
end
Cisco FTD Configuration
Although FTD is normally managed through FMC or FDM, the underlying ASA CLI remains available for VPN configuration. Enable IKEv2 on the outside interface and define an IKEv2 policy that matches FortiGate's Phase 1 parameters; with an AES-GCM cipher the policy's integrity is set to null and the PRF is specified separately:
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 14
 prf sha384
 lifetime seconds 28800
Configure the IPsec proposal for Phase 2. When using AES-GCM, the integrity algorithm is handled internally by the cipher, so ESP integrity is null (note the ASA keyword order, aes-gcm-256):
crypto ipsec ikev2 ipsec-proposal FGT-PROPOSAL
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
Define the tunnel group for the peer's public IP with the pre-shared key (the same key as on the FortiGate side; the referenced group policy must already exist and permit the IKEv2 tunnel protocol):
tunnel-group 198.51.100.25 type ipsec-l2l
tunnel-group 198.51.100.25 general-attributes
 default-group-policy GroupPolicy_L2L
tunnel-group 198.51.100.25 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ComplexPresharedKey2024
 ikev2 local-authentication pre-shared-key ComplexPresharedKey2024
Create an access list that identifies the encryption domain as the mirror image of FortiGate's traffic selectors (FTD-side subnets as source, FortiGate-side subnets as destination), then bind it to a crypto map entry. PFS is disabled on this side simply by not configuring set pfs on the entry, and reverse-route injects routes for the remote subnets:
access-list VPN-ACL extended permit ip 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list VPN-ACL extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 198.51.100.25
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal FGT-PROPOSAL
crypto map OUTSIDE-MAP 10 set reverse-route
crypto map OUTSIDE-MAP interface outside
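Most failed FortiGate-to-FTD tunnels come down to one parameter that was transcribed differently on the two sides: a cipher name that does not map, a DH group typo, a GCM policy that still carries an integrity algorithm, PFS enabled on one peer only, or an ACL entry that is not the mirror image of a FortiGate selector. The following Python script is an added example for this article (it is not part of the original and not FortiGate or Cisco tooling). It parses FortiOS and ASA CLI text of the kind shown above and reports every mismatch it finds. The FortiOS-to-ASA cipher-name mapping, the assumption that ASA sub-mode lines are indented one space (as in a running-config), and the sample configuration text are the script's own; the samples reuse this article's values.

```python
"""Cross-check FortiGate policy-based IPsec settings against the Cisco ASA/FTD crypto-map side.
Added example, not vendor tooling; assumes IKEv2, the article's CLI syntax, ASA sub-mode lines
indented one space as in a running-config, and constructed sample text built from the article."""
import ipaddress
import re
# FortiOS proposal tokens -> ASA keywords (assumed mapping, limited to a few common algorithms)
FGT_TO_ASA_ENC = {"aes256gcm": "aes-gcm-256", "aes128gcm": "aes-gcm", "aes256": "aes-256"}
FGT_TO_ASA_PRF = {"prfsha256": "sha256", "prfsha384": "sha384", "prfsha512": "sha512"}
FGT_CONFIG = """\
config vpn ipsec phase1
    edit "Branch-VPN"
        set proposal aes256gcm-prfsha384
        set dhgrp 14
        set keylifeseconds 28800
    next
end
config vpn ipsec phase2
    edit "Branch-VPN-Net1"
        set proposal aes256gcm
        set pfs disable
        set src-subnet 172.16.10.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end
"""
ASA_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 14
 prf sha384
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal FGT-PROPOSAL
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
access-list VPN-ACL extended permit ip 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal FGT-PROPOSAL
"""

def net(text):
    # '10.0.0.0 255.255.255.0' -> IPv4Network; ipaddress accepts a dotted mask after '/'
    return ipaddress.ip_network(text.strip().replace(" ", "/"))

def parse_fortios(text):
    """Return (phase1 dict, [phase2 dicts]) holding the 'set' values of each vpn ipsec entry."""
    phases, section, entry = {"phase1": [], "phase2": []}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            section = next((p for p in phases if line.startswith(f"config vpn ipsec {p}")), None)
        elif line.startswith("edit ") and section:
            entry = {"name": line.split(None, 1)[1].strip('"')}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.replace('"', "")
        elif line == "next" and entry is not None:
            phases[section].append(entry)
            entry = None
    return phases["phase1"][0], phases["phase2"]

def parse_asa(text):
    """Read the ikev2 policy, ipsec-proposal and crypto-map 'set' lines plus the ACL entries."""
    cfg, block = {"policy": {}, "proposal": {}, "map": {}, "acl": []}, None
    for line in text.splitlines():
        words = line.split()
        if not line.startswith(" "):            # a top-level line ends any sub-mode block
            block = ("policy" if line.startswith("crypto ikev2 policy")
                     else "proposal" if line.startswith("crypto ipsec ikev2 ipsec-proposal") else None)
        if line.startswith("access-list") and "permit" in words:
            i = words.index("ip")               # ACL is written from the ASA's point of view
            cfg["acl"].append((net(" ".join(words[i + 1:i + 3])), net(" ".join(words[i + 3:i + 5]))))
        elif (m := re.match(r"crypto map \S+ \d+ set (\S+)\s*(.*)", line)):
            cfg["map"][m.group(1)] = m.group(2)
        elif block == "proposal" and words[:2] == ["protocol", "esp"]:
            cfg["proposal"][words[2]] = words[3]    # e.g. 'protocol esp encryption aes-gcm-256'
        elif block == "policy" and line.startswith(" "):
            cfg["policy"][words[0]] = words[-1]     # 'lifetime seconds 28800' keeps the number
    return cfg

def compare(phase1, phase2s, asa):
    """Return the list of mismatches between the two sides; an empty list means they agree."""
    bad, pol, prop, cmap = [], asa["policy"], asa["proposal"], asa["map"]
    enc_tok, _, prf_tok = phase1.get("proposal", "").partition("-")
    enc, prf = FGT_TO_ASA_ENC.get(enc_tok), FGT_TO_ASA_PRF.get(prf_tok)
    for what, want, got in (("IKEv2 encryption", enc, pol.get("encryption")),
                            ("IKEv2 PRF", prf, pol.get("prf")),
                            ("DH group", phase1.get("dhgrp"), pol.get("group")),
                            ("IKE SA lifetime", phase1.get("keylifeseconds"), pol.get("lifetime"))):
        if want != got:
            bad.append(f"{what}: FortiGate side maps to '{want}', ASA has '{got}'")
    if "gcm" in (enc or "") and pol.get("integrity") != "null":
        bad.append("IKEv2 integrity must be 'null' when the policy uses an AES-GCM cipher")
    selectors = set()
    for p2 in phase2s:
        if FGT_TO_ASA_ENC.get(p2.get("proposal")) != prop.get("encryption"):
            bad.append(f"{p2['name']}: ESP cipher '{p2.get('proposal')}' does not match the ipsec-proposal")
        if (p2.get("pfs", "enable") != "disable") != ("pfs" in cmap):   # FortiOS defaults pfs to enable
            bad.append(f"{p2['name']}: PFS setting disagrees with the crypto map's 'set pfs'")
        selectors.add((net(p2["src-subnet"]), net(p2["dst-subnet"])))
    mirrored = {(dst, src) for src, dst in asa["acl"]}     # flip the ACL into FortiGate's view
    bad += [f"traffic selector {s} -> {d} is defined on one side only" for s, d in selectors ^ mirrored]
    return bad
```

Run compare(*parse_fortios(FGT_CONFIG), parse_asa(ASA_CONFIG)) and the list comes back empty for the article's values; change dhgrp on one side, add a set pfs line to the crypto map, or alter an access-list subnet and the corresponding finding appears. One difference the script deliberately ignores is the FortiGate Phase 2 lifetime of 3600 seconds against the ASA default IPsec SA lifetime of 28800 seconds: IKEv2 does not negotiate lifetimes, so each peer rekeys on its own timer and the shorter value only decides which side initiates the child SA rekeys.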
Verification
On FortiGate, verify tunnel establishment and encapsulation counters:
get vpn ipsec tunnel summary
get vpn ipsec tunnel name Branch-VPN
diagnose vpn tunnel list
On FTD, check IKEv2 SAs and IPsec SAs:
show crypto ikev2 sa
show crypto ipsec sa peer 198.51.100.25
show vpn-sessiondb detail l2l filter name 198.51.100.25