ASA supports route-based VPN with Virtual Tunnel Interfaces (VTIs) in version 9.8 and later. Before that, we couldn't run dynamic routing over policy-based IPsec, which was a big gap in the Cisco ASA.
Now that the VTI feature has been released, it is possible. I will show you how to configure VTI and dynamic routing between an ASA and a Fortinet. I have built a basic lab with EVE-NG.
Note: The VTI tunnel only supports the BGP protocol. You can also see the full list of ASA restrictions at this link.
Cisco ASA version:
#show version
Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

FortiGate version:
#get system status
FortiGate-VM64-KVM v5.6.1,build1484,170727 (GA)
Note 1: You can find the MPLS router configuration at the bottom.
Fortinet side configuration:
I won't show how to configure the interfaces. I will go directly to the tunnel settings on both firewalls.
I define a static route to reach the ASA firewall:
Create the Fortinet IPsec tunnel:
Note 2: The Fortinet default license type only supports the DES algorithm.
I will use IKEv2.
After creating the IPsec tunnel, I assign an IP address to the tunnel interface. Edit the asa-vti tunnel interface.
Assign the IP address:
Add a firewall policy so each side can reach the other:
Set up BGP on the Fortinet:
ASA VTI interface configuration:
First I will show the CLI commands, and then I will configure the same with ASDM.
object network Net_192.168.60.0_24
 subnet 192.168.60.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal des
 protocol esp encryption des
 protocol esp integrity sha-1
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
group-policy 188.8.131.52 internal
group-policy 188.8.131.52 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 188.8.131.52 type ipsec-l2l
tunnel-group 188.8.131.52 general-attributes
 default-group-policy 188.8.131.52
tunnel-group 188.8.131.52 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
crypto ipsec profile des
 set ikev2 ipsec-proposal des
 set pfs group21
 set security-association lifetime seconds 3600
interface Tunnel1
 nameif Asa-vti
 ip address 10.1.1.1 255.255.255.252
 tunnel source interface mpls
 tunnel destination 188.8.131.52
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile des
router bgp 65500
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 10.1.1.2 remote-as 65501
  neighbor 10.1.1.2 activate
  network 0.0.0.0
  network 184.108.40.206 mask 255.255.255.0
  default-information originate
  no auto-summary
  no synchronization
 exit-address-family
access-list VTI-in extended permit ip any any
access-list VTI-in extended deny ip any any
nat (any,outside) source dynamic Net_192.168.60.0_24 interface
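A config in this shape is easy to break with a mistyped peer address or a weak algorithm left over from lab licensing, so here is an added example (not from the original post) of a small Python checker that parses an ASA VTI/IKEv2 snippet and reports dangling tunnel-group/group-policy references plus weak ciphers, hashes and DH groups such as the DES forced by the Fortinet default license. The sample config and its peer addresses are constructed for the example.

```python
import re

# Constructed sample in the shape of the post's ASA VTI config (documentation
# addresses, not the author's); the tunnel destination deliberately mismatches.
SAMPLE_CFG = """
crypto ipsec ikev2 ipsec-proposal des
 protocol esp encryption des
 protocol esp integrity sha-1
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
group-policy 203.0.113.2 internal
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy 203.0.113.2
interface Tunnel1
 tunnel destination 203.0.113.9
"""

WEAK_ALG = {"des", "3des", "md5", "sha", "sha-1", "null"}  # 'sha' is SHA-1 on ASA
MIN_DH_GROUP = 14  # 2048-bit MODP; groups 1, 2 and 5 fall below current guidance

def audit_asa_vti(cfg: str) -> list[str]:
    """Return findings for an ASA VTI/IKEv2 snippet: dangling references and weak crypto."""
    findings = []
    tg = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M))
    gp = set(re.findall(r"^group-policy (\S+) internal", cfg, re.M))
    dgp = set(re.findall(r"^\s*default-group-policy (\S+)", cfg, re.M))
    dest = set(re.findall(r"^\s*tunnel destination (\S+)", cfg, re.M))
    # ASA names an L2L tunnel-group after the peer address, so the VTI
    # destination must have a tunnel-group, and that must have a group-policy.
    for name in sorted(dgp - gp):
        findings.append(f"default-group-policy {name} has no 'group-policy {name} internal'")
    for peer in sorted(dest - tg):
        findings.append(f"tunnel destination {peer} has no 'tunnel-group {peer} type ipsec-l2l'")
    # Algorithm strength in the IKEv2 policy and the IPsec proposal.
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"^(?:protocol esp )?(encryption|integrity|prf) (.+)$", line)
        if m:
            findings += [f"weak {m.group(1)} '{a}' in '{line}'"
                         for a in m.group(2).split() if a in WEAK_ALG]
        m = re.match(r"^group ((?:\d+\s*)+)$", line)
        if m:
            findings += [f"weak DH group {g} in IKEv2 policy"
                         for g in m.group(1).split() if int(g) < MIN_DH_GROUP]
    return findings
```

Run `audit_asa_vti()` over the output of `show running-config` before bringing a tunnel into production; an empty list means the references line up and no flagged algorithm is in use.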
The CLI configuration is very basic, and every feature is available on the CLI. We can't do everything with ASDM, but we like visuals; if we run into a problem in ASDM, we fall back to the CLI.
ASA interface configuration:
I define a static route to reach the Fortinet firewall:
I prepare the IPsec parameters for the VTI tunnel.
VTI interface configuration:
Set up BGP on the ASA firewall:
Add an access policy and a NAT policy to permit the 192.168.60.0/24 subnet. I configure this part from the CLI because I had some problems configuring it from ASDM. Maybe I hit a bug :)
access-list VTI-in extended permit ip any any
access-list VTI-in extended deny ip any any
nat (any,outside) source dynamic Net_192.168.60.0_24 interface
Ping test from the Windows server to the VPC client (192.168.60.10):
I can see that the default route and the IPsec tunnel are up.
Ping test from the VPC client to the Windows server and the Internet:
Thanks for reading.