VTI Tunnel between Asa and Fortinet and Internet Access over VTI
ASA supports route-based VPN with the use of Virtual Tunnel Interfaces (VTIs) in version 9.8 and later. we couldn't use the dynamic routing feature over policy base IPSEC. These were big lack of the Cisco ASA.
After the VTI feature is announced. now it's possible. I will show you how to configure VTI and dynamic routing between Asa and Fortinet. I have installed a basic lab with Eve-ng.
Not: Vti tunnel only support BGP protocol Also you can see the whole restriction for Asa from this link
Cisco Asa version;
#show version
Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)Fortigate Version;
#get system status
FortiGate-VM64-KVM v5.6.1,build1484,170727 (GA)
Not1:You can find the Mpls router configuration at the bottom
Fortinet side configuration;
I won't show how to configure the interface. I will go directly to tunnel settings on both firewalls.
Fortinet İnterfaces;
I define the static route to reach the Asa firewall;
To create Fortinet IPsec tunnel;
Not2: Fortinet default license type only support DES algorithm.
I will use IKE2
After creating an IP tunnel, I will assign the IP address to the tunnel interface. Edit asa-vti tunnel interface.
Assign IP address;
Add firewall policy to access each other;
Set the BGP on Fortinet;
ASA VTI interface configuration;
First, I will write CLI command and then I will configure with ASDM
Cli configuration;
object network Net_192.168.60.0_24
subnet 192.168.60.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal des
protocol esp encryption des
protocol esp integrity sha-1
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
group-policy 3.3.3.1 internal
group-policy 3.3.3.1 attributes
vpn-tunnel-protocol ikev2
tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 general-attributes
default-group-policy 3.3.3.1
tunnel-group 3.3.3.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
crypto ipsec profile des
set ikev2 ipsec-proposal des
set pfs group21
set security-association lifetime seconds 3600
interface Tunnel1
nameif Asa-vti
ip address 10.1.1.1 255.255.255.252
tunnel source interface mpls
tunnel destination 3.3.3.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile des
router bgp 65500
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 10.1.1.2 remote-as 65501
neighbor 10.1.1.2 activate
network 0.0.0.0
network 20.20.20.0 mask 255.255.255.0
default-information originate
no auto-summary
no synchronization
exit-address-family
access-list VTI-in extended permit ip any any
access-list VTI-in extended deny ip any any
nat (any,outside) source dynamic Net_192.168.60.0_24 interface
ASDM Configuration;
The cli configuration is very basic. we can use the full feature on cli. Sometimes We can't do everything with ASDM but we like visuals. We may have some problems with ASDM, then we will do configuration on the cli.
Asa interface configuration;
I define the static route to reach the Fortinet firewall;
I will prepare the IPsec parameters for the vti tunnel.
VTI interface configuration;
Set BGP on Asa Firewall;
Add access policy and nat policy to permit 192.168.60.0/24 subnet; I will configure this part from CLI because had some problems when I configure from Asdm. Maybe I hit head the bug :)
access-list VTI-in extended permit ip any any
access-list VTI-in extended deny ip any any
nat (any,outside) source dynamic Net_192.168.60.0_24 interfaceTroubleshooting:
Asa side;
Ping test from Window server to VPC client(192.168.60.10)
Fortinet side;
I see that the default route and IPsec tunnel are up.
Ping test from VPC client to windows server and Internet ;
Thanks for Reading;
Reference Side: Cisco Document, Fortinet Document