
IPsec VPN BETWEEN CISCO AND FORTIGATE

IPsec VPN can be simply understood as a means of securing our critical data when it is sent over a public network. IPsec is very secure because it combines several protocols to provide encryption as well as authentication.

I will not be explaining each and every component of IPsec in this particular blog, but will just be demonstrating the configuration of a simple IPsec VPN between 2 sites using a FortiGate 500E and a Cisco ISR 4451. This blog only contains the configuration of the FortiGate in particular.

PROCESS 1 

The first step is to go under VPN and then click on IPsec Wizard. We will be creating a custom IPsec profile with the name site-to-site-vpn.


PROCESS 2 
We will now need to input all the parameters required for completing the VPN setup. At the beginning we will be configuring the PHASE I parameters, starting with the remote IP address, which is 110.44.119.21 in our particular case. We will also be configuring things like the authentication type, hashing algorithm, DH group, lifetime and encryption. A pre-shared key will be used for authentication in this particular configuration. IKE version 1 is being used.


PROCESS 3 
We will now configure PHASE II of the IPsec VPN, specifying the parameters we are going to use for encryption and authentication, and also things like PFS, Anti-Replay Detection, etc.


PROCESS 4 
A firewall policy needs to be added for both directions, which you can see in the screenshots I have attached below. The first screenshot displays traffic being allowed from the tunnel interface (Incoming Interface) to the LAN interface (Outgoing Interface). NAT is disabled in this policy, and none of the other security profiles have been used.


The second screenshot displays traffic being allowed from the LAN interface (SOSYS) towards the outgoing interface (the tunnel interface).


PROCESS 5
We will now need to add the static route where the destination is 10.10.254.0/24 and the next hop is the public IP of the remote router, which is 110.44.119.21.


We will need to configure the Cisco router the same way, with exactly the same Phase I and Phase II parameters that were used on the FortiGate firewall.
Let's now finally verify on the FortiGate as well as on the Cisco router side.
We will need to send at least one ICMP request from either side for the IPsec VPN to come up.


The VPN looks to be up from the FortiGate side; let us now verify from the Cisco router side as well.

We can clearly see that ISAKMP PHASE I is up and in the QM_IDLE state. Let's check the PHASE II part as well.

Bravo! The VPN tunnel is up and the remote side is reachable. The destination IP in our case is 172.16.0.18, which falls under the SOSYS interface of the FortiGate.
Configuring an IPsec VPN on a FortiGate is very simple compared to some other firewalls and routers. I will end my blog here and will be writing more about VPNs in my next blog.