VPN Tunnel Fortigate 60B to Cisco ASA 5505

Posted on 2012-08-21
Medium Priority
Last Modified: 2013-04-24
Hi All,

I have a problem as per subject line.

I'm trying to configure a VPN tunnel between two offices. One side has Cisco ASA 5505 (London) other one is configured with Fortigate 60B (Hong Kong).

I followed a few instructions and managed to get the tunnel up and running. I can ping any PC/Server in Hong Kong from London but not the other way around. I've done a trace route test and it looks like the Fortigate is trying to send the data through the public network rather than as encrypted traffic. The first hop that I can see goes to the public gateway.

I followed this: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=13574 to configure the Fortigate. I have tried both policy-based as well as route-based VPN configuration. No luck both ways.

I have attached Fortigate configuration:

Phase 1

Phase 2

and Cisco:

access-list outside_1_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer Hong Kong IP
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group Hong Kong IP type ipsec-l2l
tunnel-group Hong Kong IP ipsec-attributes
 pre-shared-key *

Is my assumption right that it is the Fortigate that is missing some extra line of code somewhere?

Can anyone help please?
Question by:adispiric

Author Comment

ID: 38317152
To add to the above... the Fortigate is a dual WAN router and I have configured the VPN to use the WAN 1 interface. When I try to ping the LAN in London the first hop is going through WAN 2. How can this be changed?

Accepted Solution

myramu earned 2000 total points
ID: 38319027

Move the encrypt policy to the top of all policies. I would suggest using an interface (route) based VPN, so that you will have control over the routing.

Good Luck!
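As an added illustration of the route-based approach suggested above (example config, not from the original post or from the Fortinet KB article): a FortiGate interface-based tunnel whose phase 1/2 proposals mirror the ASA config in the question, plus the static route and the two policies that steer the London subnet into the tunnel rather than out a WAN port. The tunnel name to-london, the placeholders <LONDON_ASA_PUBLIC_IP>, <HK_LAN> and <PRE_SHARED_KEY>, and the /24 mask on 192.168.16.x are assumptions.

```fortios
# Phase 1 on wan1, matching the ASA's isakmp policy 10 (pre-share, 3des, sha, group 2)
config vpn ipsec phase1-interface
    edit "to-london"
        set interface "wan1"
        set remote-gw <LONDON_ASA_PUBLIC_IP>   # placeholder
        set proposal 3des-sha1
        set dhgrp 2
        set psksecret <PRE_SHARED_KEY>          # placeholder, same as on the ASA
    next
end
# Phase 2, matching ESP-3DES-SHA, pfs group1 and the 28800 s SA lifetime
config vpn ipsec phase2-interface
    edit "to-london-p2"
        set phase1name "to-london"
        set proposal 3des-sha1
        set pfs enable
        set dhgrp 1
        set keylifeseconds 28800
        set src-subnet <HK_LAN> 255.255.255.0      # placeholder: Hong Kong LAN
        set dst-subnet 192.168.16.0 255.255.255.0  # London LAN, /24 assumed
    next
end
# Static route: without it 192.168.16.0/24 follows the default route out a WAN port
config router static
    edit 0
        set dst 192.168.16.0 255.255.255.0
        set device "to-london"
    next
end
# Policies Internal->VPN and VPN->Internal; keep them above any Internal->WAN policy
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-london"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "to-london"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
```

After applying this, `get router info routing-table all` should list 192.168.16.0/24 via to-london; if it still shows a WAN interface, that is the clear-text first hop seen in the trace route.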

Author Comment

ID: 38319423
I have changed VPN to route based last night and it's still the same. I can confirm that both firewall policies are on the top (VPN->Internal and Internal->VPN).

I have also put a static rule on Fortigate to route all traffic to 192.168.16.x through VPN interface.

IP access did not change though I still can only ping one way.

Any other ideas please?

Expert Comment

by:Jakob Digranes
ID: 39002401
By VPN interface, do you mean WAN1?
Are both WAN1 and WAN2 connected to the internet? To different connections?
Does the Fortigate connect directly to the internet with a public IP?
