Configuring the IPsec VPN
A route-based VPN is required. It must use encryption and authentication algorithms compatible with the Cisco equipment to which it connects. In this chapter, preshared key authentication is shown.
To configure the IPsec VPN - web-based manager
1. Define the phase 1 configuration needed to establish a secure connection with the remote Cisco device. Enter these settings in particular:
Setting | Value
--- | ---
Name | Enter a name to identify the VPN tunnel, tocisco for example. This is the name of the virtual IPsec interface. It appears in phase 2 configurations, security policies and the VPN monitor.
Remote Gateway | Select Static IP Address.
IP Address | Enter the IP address of the Cisco device public interface. For example, 192.168.5.113.
Local Interface | Select the FortiGate unit’s public interface. For example, 172.20.120.141.
Mode | Select Main (ID Protection).
Authentication Method | Preshared Key
Pre-shared Key | Enter the preshared key. It must match the preshared key on the Cisco device.
Advanced | Select the Advanced button to see the following settings.
Enable IPsec Interface Mode | Enable.
P1 Proposal | 3DES-MD5. At least one proposal must match the settings on the Cisco unit.
For more information about these settings, see “Auto Key phase 1 parameters”.
2. Define the phase 2 parameters needed to create a VPN tunnel with the remote peer. For compatibility with the Cisco router, Quick Mode Selectors must be entered, which includes specifying protocol 47, the GRE protocol. Enter these settings in particular:
Setting | Value
--- | ---
Name | Enter a name to identify this phase 2 configuration.
Phase 1 | Select the name of the phase 1 configuration that you defined in Step 1.
Advanced | Select Advanced to view the following fields.
P2 Proposal | 3DES-MD5. At least one proposal must match the settings on the Cisco unit.
Quick Mode Selector | Enter the following selector fields.
Source Address | Enter the GRE local tunnel end IP address. For example, 172.20.120.141.
Source Port | 0
Destination Address | Enter the GRE remote tunnel end IP address. For example, 192.168.5.113.
Destination Port | 0
Protocol | 47
For more information about these settings, see “Phase 2 parameters”.
3. If the Cisco device is configured to use transport mode IPsec, you must use transport mode on the FortiGate VPN as well. This can be configured only in the CLI. In your phase 2 configuration (tocisco_p2 in this example), set encapsulation to transport-mode as follows:
    config vpn ipsec phase2-interface
        edit tocisco_p2
            set encapsulation transport-mode
        next
    end
To configure the IPsec VPN - CLI
    config vpn ipsec phase1-interface
        edit tocisco
            set interface port1
            set proposal 3des-sha1 aes128-sha1
            set remote-gw 192.168.5.113
            set psksecret xxxxxxxxxxxxxxxx
        next
    end
    config vpn ipsec phase2-interface
        edit tocisco_p2
            set phase1name "tocisco"
            set proposal 3des-md5
            # Keep exactly one of the two encapsulation lines, matching the Cisco side:
            set encapsulation tunnel-mode
            # set encapsulation transport-mode
            set protocol 47
            set src-addr-type ip
            set src-start-ip 172.20.120.141
            set dst-addr-type ip
            set dst-start-ip 192.168.5.113
        next
    end
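As an added example (not part of this chapter and not Fortinet's code), the following Python script parses FortiOS phase 1 and phase 2 blocks like the ones above and checks the settings that must agree with the Cisco peer: a shared proposal in each phase, protocol 47 in the quick mode selector, and the Cisco public address in both remote-gw and dst-start-ip. The sample configuration and the Cisco-side values (CISCO_PEER) are constructed assumptions, and the script also flags proposals that rely on the deprecated 3DES and MD5 algorithms.

```python
# Added example (not Fortinet's code): parse FortiOS phase1/phase2 blocks and
# check the settings that must agree with the Cisco peer. Values are constructed.
FORTIGATE_CFG = """
config vpn ipsec phase1-interface
    edit tocisco
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 192.168.5.113
end
config vpn ipsec phase2-interface
    edit tocisco_p2
        set phase1name "tocisco"
        set proposal 3des-md5
        set protocol 47
        set src-start-ip 172.20.120.141
        set dst-start-ip 192.168.5.113
end
"""
# Constructed view of the Cisco side: its ISAKMP policy, transform set and public IP.
CISCO_PEER = {"p1": {"aes128-sha1"}, "p2": {"3des-md5"}, "ip": "192.168.5.113"}
def parse_fortios(text):
    """Return {section: {entry: {key: value}}} from config/edit/set lines."""
    cfg, sec, ent = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            sec = line[7:]
            cfg.setdefault(sec, {})
        elif line.startswith("edit "):
            ent = line[5:].strip('"')
            cfg[sec][ent] = {}
        elif line.startswith("set ") and ent:
            key, _, val = line[4:].partition(" ")
            cfg[sec][ent][key] = val.strip('"')
    return cfg
def check_tunnel(cfg, peer, p1="tocisco", p2="tocisco_p2"):
    """List mismatches against the peer; an empty list means the two ends agree."""
    ph1 = cfg["vpn ipsec phase1-interface"][p1]
    ph2 = cfg["vpn ipsec phase2-interface"][p2]
    findings = []
    for name, ph, offered in (("phase1", ph1, peer["p1"]), ("phase2", ph2, peer["p2"])):
        mine = ph.get("proposal", "").split()
        if not set(mine) & offered:
            findings.append(f"{name}: no proposal in common with the Cisco peer")
        findings += [f"{name}: {p} relies on 3DES/MD5 (deprecated)" for p in mine
                     if {"3des", "md5"} & set(p.split("-"))]
    if ph2.get("protocol") != "47":
        findings.append("phase2: quick mode selector protocol must be 47 (GRE)")
    if (ph1.get("remote-gw"), ph2.get("dst-start-ip")) != (peer["ip"],) * 2:
        findings.append("remote-gw and dst-start-ip must both be the Cisco public IP")
    return findings
```

Run check_tunnel(parse_fortios(FORTIGATE_CFG), CISCO_PEER) against a configuration exported from the FortiGate and the peer values taken from the Cisco crypto configuration; any returned string is a setting to correct before the tunnel is expected to negotiate.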