VPN Tunnel Fortigate 60B to Cisco ASA 5505

Posted on 2012-08-21
Last Modified: 2013-04-24
Hi All,

I have a problem as per subject line.

I'm trying to configure a VPN tunnel between two offices. One side has a Cisco ASA 5505 (London); the other is configured with a Fortigate 60B (Hong Kong).

I followed a few instructions and managed to get the tunnel up and running. I can ping any PC/server in Hong Kong from London but not the other way around. I've done a trace route test and it looks like the Fortigate is trying to send the data through the public network rather than as encrypted traffic. The first hop that I can see does go to the public gateway.

I followed this:


to configure the Fortigate. I have tried both policy-based as well as route-based VPN configuration. No luck either way.

I have attached the Fortigate configuration:

Phase 1

Phase 2

and the Cisco configuration:

access-list outside_1_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer Hong Kong IP
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group Hong Kong IP type ipsec-l2l
tunnel-group Hong Kong IP ipsec-attributes
 pre-shared-key *

Is my assumption right that it is the Fortigate that is missing some extra line of configuration somewhere?

Can anyone help please?
Question by: adispiric

    Author Comment

    To add to the above... the Fortigate is a dual-WAN router and I have configured the VPN to use the WAN 1 interface. When I try to ping the LAN in London, the first hop is going through WAN 2. How can this be changed?
    LVL 8

    Accepted Solution


    Move the encrypt policy to the top of all policies. I would suggest using an interface (route)-based VPN, so that you have control over the routing.

    Good Luck!
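As an added illustration of the accepted answer (not configuration from the thread or from either vendor's documentation), below is what a route-based (interface) IPsec setup on the FortiGate side could look like in FortiOS 4.x-style CLI, with the static route that steers London-bound traffic into the tunnel and a policy in each direction. The tunnel name "to_london", the LAN interface name "internal", the Hong Kong LAN 192.168.100.0/24, the address object names, and the LONDON_PUBLIC_IP and PRE_SHARED_KEY_PLACEHOLDER values are assumptions; the London LAN 192.168.16.0/24 comes from the thread, and the proposals mirror the posted ASA settings (IKE 3DES/SHA/DH group 2, ESP-3DES-SHA with PFS group 1).

```fortios
# Added example (FortiOS 4.x-style CLI). Assumed: tunnel "to_london", LAN interface "internal",
# HK LAN 192.168.100.0/24, placeholders LONDON_PUBLIC_IP and PRE_SHARED_KEY_PLACEHOLDER.
# Phase 1 bound to WAN1 so the tunnel never negotiates over WAN2.
config vpn ipsec phase1-interface
    edit "to_london"
        set interface "wan1"
        set remote-gw LONDON_PUBLIC_IP
        set proposal 3des-sha1
        set dhgrp 2
        set keylife 86400
        set psksecret PRE_SHARED_KEY_PLACEHOLDER
    next
end

# Phase 2 selectors must match the ASA crypto ACL subnet pair exactly.
config vpn ipsec phase2-interface
    edit "to_london_p2"
        set phase1name "to_london"
        set proposal 3des-sha1
        set pfs enable
        set dhgrp 1
        set keylifeseconds 28800
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 192.168.16.0 255.255.255.0
    next
end

# Static route: London-bound traffic goes into the tunnel interface, not out a WAN link.
config router static
    edit 0
        set dst 192.168.16.0 255.255.255.0
        set device "to_london"
    next
end

config firewall address
    edit "HK_LAN"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "LONDON_LAN"
        set subnet 192.168.16.0 255.255.255.0
    next
end

# One policy per direction; "ANY" is the 4.x service name (5.x uses "ALL").
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to_london"
        set srcaddr "HK_LAN"
        set dstaddr "LONDON_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "to_london"
        set dstintf "internal"
        set srcaddr "LONDON_LAN"
        set dstaddr "HK_LAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

Policies created with `edit 0` receive the next free ID and are evaluated last, so after adding them use `move <new-id> before <first-id>` inside `config firewall policy` to place them at the top, as the answer recommends. To confirm the routing rather than guess from a trace route, check that `get router info routing-table all` lists 192.168.16.0/24 via "to_london", that `diagnose vpn tunnel list` shows the phase 2 SA up, and that `diagnose sniffer packet any 'host 192.168.16.1' 4` shows outbound packets leaving on "to_london" rather than wan2. On a dual-WAN unit also review `config router policy`: a policy route for the LAN takes precedence over the static route and is a common reason traffic still exits WAN2.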

    Author Comment

    I changed the VPN to route-based last night and it's still the same. I can confirm that both firewall policies are at the top (VPN->Internal and Internal->VPN).

    I have also put a static route on the Fortigate to route all traffic to 192.168.16.x through the VPN interface.

    IP access did not change though; I still can only ping one way.

    Any other ideas please?
    LVL 20

    Expert Comment

    by: Jakob Digranes
    By VPN interface, do you mean WAN1?
    Are both WAN1 and WAN2 connected to the internet? To different connections?
    Does the Fortigate connect directly to the internet with a public IP?
