How to Configure IPsec Tunnel Between Cisco Router and FortiGate Firewalls (Step-by-Step Guide)


 

IPsec Tunnel Between FortiGate Firewall and Cisco Router


🔐 How to Configure IPsec Tunnel Between FortiGate Firewalls (Step-by-Step Guide)

🚀 Introduction

An IPsec VPN tunnel allows secure communication between two remote networks over the internet. It is widely used in enterprise environments to connect branch offices, data centers, and cloud infrastructure.

In this guide, you will learn how to configure a site-to-site IPsec VPN tunnel on a FortiGate firewall, first between two FortiGates and then against a Cisco router, using real-world examples and best practices.

🌐 What is IPsec VPN?

IPsec (Internet Protocol Security) is a protocol suite used to:

  • Encrypt traffic between networks
  • Ensure data integrity
  • Provide secure authentication

🔑 Key Components:

  • IKE (Internet Key Exchange) – Authenticates the peers and negotiates the security associations (SAs) and keys
  • Phase 1 – Establishes the IKE SA, the authenticated and encrypted control channel between the two gateways
  • Phase 2 – Negotiates the IPsec SAs: the ESP encryption and integrity algorithms, their keys, and the protected subnets (traffic selectors)

🧱 Network Topology Example

  • Site A (FortiGate A): 192.168.1.0/24
  • Site B (FortiGate B): 192.168.2.0/24
  • Public IPs on both firewalls

⚙️ Step 1: Configure Phase 1 (IKE)

Go to:
VPN → IPsec Tunnels → Create New

🔧 Settings:

  • Name: SiteA-SiteB
  • Remote Gateway: Static IP
  • Interface: WAN
  • Authentication: Pre-Shared Key
  • IKE Version: IKEv2 (Recommended)

🔐 Encryption Settings:

  • Encryption: AES256
  • Authentication: SHA256
  • DH Group: 14

👉 These settings (IKE version, proposal, DH group, pre-shared key and lifetime) must match on both sides; a mismatch here is the most common reason Phase 1 never comes up.


🔄 Step 2: Configure Phase 2 (IPsec)

🔧 Settings:

  • Local Subnet: 192.168.1.0/24
  • Remote Subnet: 192.168.2.0/24 (these selectors must be mirrored exactly on the peer)

🔐 Encryption:

  • AES256
  • SHA256
  • PFS: Enable, DH Group 14 (same group on both sides; a PFS mismatch leaves Phase 1 up but Phase 2 down)
  • Key lifetime: use the same value on both sides

🛣️ Step 3: Configure Static Route

Go to:
Network → Static Routes

Add route:

  • Destination: 192.168.2.0/24
  • Interface: the IPsec tunnel interface (it carries the Phase 1 name, SiteA-SiteB)

🔥 Step 4: Configure Firewall Policies

Create two policies (a route-based VPN needs one per direction):

👉 Policy 1 (LAN → tunnel):

  • Incoming Interface: LAN
  • Outgoing Interface: IPsec Tunnel (SiteA-SiteB)
  • Source: 192.168.1.0/24
  • Destination: 192.168.2.0/24
  • Action: ACCEPT
  • NAT: Disabled

👉 Policy 2 (tunnel → LAN):

  • Incoming Interface: IPsec Tunnel (SiteA-SiteB)
  • Outgoing Interface: LAN
  • Source: 192.168.2.0/24
  • Destination: 192.168.1.0/24
  • Action: ACCEPT
  • NAT: Disabled

👉 Use address objects for the two subnets and restrict Service to what the sites actually need; an all/all/ALL policy works, but it gives the remote site full access to your LAN.

✅ Step 5: Test the Tunnel

  • Ping from Site A → Site B
  • Check tunnel status

🔍 Useful CLI Commands:

  • diagnose vpn ike gateway list (Phase 1: IKE SA state for each peer)
  • diagnose vpn tunnel list (Phase 2: IPsec SAs, selectors and packet counters)
  • get vpn ipsec tunnel summary (one-line status per tunnel)

⚠️ Common Issues & Fixes

❌ Phase 1 Down

  • Mismatch in PSK, proposal (encryption/hash), DH group or IKE version
  • Wrong peer IP, or UDP 500/4500 blocked between the sites

❌ Phase 2 Down

  • Subnet (selector) mismatch
  • Proposal or PFS mismatch

❌ Tunnel Up but No Traffic

  • Missing firewall policy (in either direction)
  • No static route into the tunnel interface
  • NAT applied to tunnel traffic (on a Cisco crypto-map router the VPN traffic must be exempted from NAT)

👉 Many real-world failures happen due to policy or routing issues, not IPsec itself.
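The following FortiOS CLI sequence walks the three failure classes above in order for the SiteA-SiteB tunnel. It is an added example, not part of the original guide: the tunnel name, the subnets and the placeholder peer address 203.0.113.2 come from the topology above or are assumed, and the LAN address 192.168.1.1 is assumed to be the FortiGate's own LAN interface IP. On FortiOS 6.2 and earlier the IKE log filter is spelled "diagnose vpn ike log-filter dst-addr4" instead.

```fortios
# 1. Phase 1: is the IKE SA up? Expect "status: established" for the peer.
diagnose vpn ike gateway list name SiteA-SiteB

# 2. Phase 2: are there IPsec SAs, and do the selectors read
#    192.168.1.0/24 <-> 192.168.2.0/24? Non-zero tx/rx "pkts" counters
#    show traffic actually flowing through the SA.
diagnose vpn tunnel list name SiteA-SiteB

# 3. Negotiation trace restricted to one peer. A PSK, proposal or DH
#    mismatch shows up here ("no proposal chosen", "negotiation failure");
#    a selector mismatch shows as "peer SA proposal not match local policy".
diagnose vpn ike log filter rem-addr4 203.0.113.2
diagnose debug application ike -1
diagnose debug enable
# trigger the tunnel from the firewall itself (source = LAN interface IP)
execute ping-options source 192.168.1.1
execute ping 192.168.2.1
diagnose debug disable
diagnose debug reset

# 4. Is IKE (UDP 500/4500) or ESP even reaching wan1? A silent peer usually
#    means an upstream filter or a wrong peer IP, not a crypto problem.
diagnose sniffer packet wan1 'host 203.0.113.2 and (udp port 500 or udp port 4500 or esp)' 4 10

# 5. Tunnel up but no traffic: confirm the route points into the tunnel
#    interface and that a policy matches. The flow trace prints the route
#    lookup and the policy id chosen for each packet (or why it was dropped).
get router info routing-table details 192.168.2.1
diagnose debug flow filter addr 192.168.2.1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
execute ping 192.168.2.1
diagnose debug disable
diagnose debug reset
```

Run steps 1 and 2 first; only turn on the IKE or flow debug when one of them shows the problem, and always finish with "diagnose debug reset" so the debug stays off. When the peer is a Cisco router, "show crypto isakmp sa" and "show crypto ipsec sa" are the counterparts of steps 1 and 2 on that side.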


🔐 Best Practices (Cisco/Fortinet Aligned)

  • Use IKEv2 instead of IKEv1
  • Use strong encryption (AES256, SHA256); do not use DES, 3DES or MD5 outside a lab (the EVE-NG lab configuration later on this page uses DES-MD5 only to show the mechanics)
  • Avoid weak DH groups (1, 2 and 5); use group 14 or stronger, and enable PFS in Phase 2 with the same group on both sides
  • Use a long, random pre-shared key (or certificates), never a guessable one such as the lab's Admin@123
  • Use route-based VPN where possible
  • Restrict firewall policies to the actual subnets and services, not "all"
  • Monitor logs for troubleshooting


🎯 Conclusion

Configuring an IPsec tunnel on a FortiGate firewall is a core skill for network engineers and cybersecurity professionals.

By following this step-by-step guide, you can:

  • Secure site-to-site communication
  • Troubleshoot VPN issues effectively
  • Build enterprise-level network security

Cisco IPsec Tunnel Configuration

hostname WAN_ROUTER
!
! Phase 1 (ISAKMP / IKEv1 main mode). DES and MD5 are kept only to match the
! FortiGate side of this lab (DES-MD5); they are not acceptable for production.
! The best-practice equivalent is: encryption aes 256 / hash sha256 / group 14.
! "encryption des" is the IOS default and is written out here so the choice is explicit.
crypto isakmp policy 2
 encryption des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key Admin@123 address 172.16.1.1
!
! Phase 2 (IPsec transform set). Production equivalent: esp-aes 256 esp-sha256-hmac.
crypto ipsec transform-set Cisco_to_Fortinet esp-des esp-md5-hmac
 mode tunnel
!
! Crypto map: the peer is the FortiGate WAN address 172.16.1.1.
! No "set pfs" here, so PFS must also be disabled in the FortiGate Phase 2.
crypto map Cisco_to_Fortinet 2 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set Cisco_to_Fortinet
 match address vpn-traffic
!
ip dhcp pool LAN
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.254
!
! WAN interface: crypto map applied here, and it is the NAT outside interface.
interface GigabitEthernet0/0
 ip address 172.16.1.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
 crypto map Cisco_to_Fortinet
!
! LAN interface. The original listing omits it; the interface name is assumed,
! the address is the DHCP default-router above.
interface GigabitEthernet0/1
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
!
! Crypto ACL: local LAN -> remote LAN only. IOS mirrors it for the inbound
! check, so the reversed entry from the original listing is not needed.
ip access-list extended vpn-traffic
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT ACL: exempt tunnel traffic first. IOS applies inside->outside NAT before
! the crypto map, so without the deny the VPN traffic would be translated to
! 172.16.1.2 and never match vpn-traffic. (The original listing permitted
! 192.168.1.0/24, which is the remote LAN, instead of the local 10.1.1.0/24.)
access-list 100 deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 172.16.1.1
end
write mem


FortiGate IPsec Tunnel Configuration

Phase-1

Step 1: Configuring the remote gateway IP address and the outgoing interface (here I have chosen my WAN interface).

Step 2: Configuring the pre-shared key and the encryption type (here I have chosen DES-MD5 as my encryption technique, to match the Cisco side).

Phase-2

Step 3: Configuring the Phase-2 local LAN and remote LAN addresses (here my local LAN is 192.168.1.0/24 behind the FortiGate firewall and my remote LAN is 10.1.1.0/24 behind the Cisco router).

Step 4: Configuring the Phase-2 encryption method (here I have chosen DES-MD5 as my encryption technique, with the key lifetime the same as on the Cisco router).

Step 5: Configuring the policies for incoming and outgoing traffic through the tunnel (here I have created two policies: TUNNEL_TO_LAN for incoming traffic and LAN_TO_TUNNEL for outgoing traffic).

Step 6: Configuring the static route to the remote site via the VPN tunnel.

 

Note: This document was made on the basis of a virtual machine lab in the EVE-NG emulator environment. Please follow the official vendor documentation before doing this in a real-world environment, as the scenario may differ.
