Search

VTI Tunnel between Asa and Fortinet and Internet Access over VTI

ASA supports route-based VPN with the use of Virtual Tunnel Interfaces (VTIs) in version 9.8 and later. we couldn't use the dynamic routing feature over policy base IPSEC. These were big lack of the Cisco ASA.

After the VTI feature is announced. now it's possible. I will show you how to configure VTI and dynamic routing between Asa and Fortinet. I have installed a basic lab with Eve-ng.


Not: Vti tunnel only support BGP protocol Also you can see the whole restriction for Asa from this link


Cisco Asa version;

#show version
Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

Fortigate Version;

#get system status
 FortiGate-VM64-KVM v5.6.1,build1484,170727 (GA)

Not1:You can find the Mpls router configuration at the bottom

Fortinet side configuration;


I won't show how to configure the interface. I will go directly to tunnel settings on both firewalls.

Fortinet İnterfaces;

I define the static route to reach the Asa firewall;

To create Fortinet IPsec tunnel;

Not2: Fortinet default license type only support DES algorithm.

I will use IKE2


After creating an IP tunnel, I will assign the IP address to the tunnel interface. Edit asa-vti tunnel interface.

Assign IP address;

Add firewall policy to access each other;

Set the BGP on Fortinet;


ASA VTI interface configuration;

First, I will write CLI command and then I will configure with ASDM


Cli configuration;

object network Net_192.168.60.0_24
 subnet 192.168.60.0 255.255.255.0

crypto ipsec ikev2 ipsec-proposal des
 protocol esp encryption des
 protocol esp integrity sha-1

crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

group-policy 3.3.3.1 internal
group-policy 3.3.3.1 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 general-attributes
 default-group-policy 3.3.3.1
tunnel-group 3.3.3.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

crypto ipsec profile des
 set ikev2 ipsec-proposal des
 set pfs group21
 set security-association lifetime seconds 3600

interface Tunnel1
 nameif Asa-vti
 ip address 10.1.1.1 255.255.255.252
 tunnel source interface mpls
 tunnel destination 3.3.3.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile des
 
 router bgp 65500
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.1.1.2 remote-as 65501
  neighbor 10.1.1.2 activate
  network 0.0.0.0
  network 20.20.20.0 mask 255.255.255.0
  default-information originate
  no auto-summary
  no synchronization
 exit-address-family

access-list VTI-in extended permit ip any any
access-list VTI-in extended deny ip any any

nat (any,outside) source dynamic Net_192.168.60.0_24 interface


ASDM Configuration;

The cli configuration is very basic. we can use the full feature on cli. Sometimes We can't do everything with ASDM but we like visuals. We may have some problems with ASDM, then we will do configuration on the cli.


Asa interface configuration;

I define the static route to reach the Fortinet firewall;

I will prepare the IPsec parameters for the vti tunnel.


VTI interface configuration;


Set BGP on Asa Firewall;


Add access policy and nat policy to permit 192.168.60.0/24 subnet; I will configure this part from CLI because had some problems when I configure from Asdm. Maybe I hit head the bug :)

access-list VTI-in extended permit ip any any
access-list VTI-in extended deny ip any any

nat (any,outside) source dynamic Net_192.168.60.0_24 interface


Troubleshooting:


Asa side;

Ping test from Window server to VPC client(192.168.60.10)

Fortinet side;

I see that the default route and IPsec tunnel are up.

Ping test from VPC client to windows server and Internet ;

Thanks for Reading;


Reference Side: Cisco Document, Fortinet Document


mpls-rtr
.rar
Download RAR • 620B

2,374 views0 comments