top of page

VTI Tunnel between Asa and Fortinet and Internet Access over VTI

ASA supports route-based VPN with the use of Virtual Tunnel Interfaces (VTIs) in version 9.8 and later. we couldn't use the dynamic routing feature over policy base IPSEC. These were big lack of the Cisco ASA.

After the VTI feature is announced. now it's possible. I will show you how to configure VTI and dynamic routing between Asa and Fortinet. I have installed a basic lab with Eve-ng.

Not: Vti tunnel only support BGP protocol Also you can see the whole restriction for Asa from this link

Cisco Asa version;

#show version
Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

Fortigate Version;

#get system status
 FortiGate-VM64-KVM v5.6.1,build1484,170727 (GA)

Not1:You can find the Mpls router configuration at the bottom

Fortinet side configuration;

I won't show how to configure the interface. I will go directly to tunnel settings on both firewalls.

Fortinet İnterfaces;

I define the static route to reach the Asa firewall;

To create Fortinet IPsec tunnel;

Not2: Fortinet default license type only support DES algorithm.

I will use IKE2

After creating an IP tunnel, I will assign the IP address to the tunnel interface. Edit asa-vti tunnel interface.

Assign IP address;

Add firewall policy to access each other;

Set the BGP on Fortinet;

ASA VTI interface configuration;

First, I will write CLI command and then I will configure with ASDM

Cli configuration;

object network Net_192.168.60.0_24

crypto ipsec ikev2 ipsec-proposal des
 protocol esp encryption des
 protocol esp integrity sha-1

crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

group-policy internal
group-policy attributes
 vpn-tunnel-protocol ikev2
tunnel-group type ipsec-l2l
tunnel-group general-attributes
tunnel-group ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

crypto ipsec profile des
 set ikev2 ipsec-proposal des
 set pfs group21
 set security-association lifetime seconds 3600

interface Tunnel1
 nameif Asa-vti
 ip address
 tunnel source interface mpls
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile des
 router bgp 65500
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor remote-as 65501
  neighbor activate
  network mask
  default-information originate
  no auto-summary
  no synchronization

access-list VTI-in extended permit ip any any
access-list VTI-in extended deny ip any any

nat (any,outside) source dynamic Net_192.168.60.0_24 interface

ASDM Configuration;

The cli configuration is very basic. we can use the full feature on cli. Sometimes We can't do everything with ASDM but we like visuals. We may have some problems with ASDM, then we will do configuration on the cli.

Asa interface configuration;

I define the static route to reach the Fortinet firewall;

I will prepare the IPsec parameters for the vti tunnel.

VTI interface configuration;

Set BGP on Asa Firewall;

Add access policy and nat policy to permit subnet; I will configure this part from CLI because had some problems when I configure from Asdm. Maybe I hit head the bug :)

access-list VTI-in extended permit ip any any
access-list VTI-in extended deny ip any any

nat (any,outside) source dynamic Net_192.168.60.0_24 interface


Asa side;

Ping test from Window server to VPC client(

Fortinet side;

I see that the default route and IPsec tunnel are up.

Ping test from VPC client to windows server and Internet ;

Thanks for Reading;

Download RAR • 620B


bottom of page