Fortinet black logo

Cookbook

IPSec VPN between a FortiGate and a Cisco ASA with multiple subnets

Copy Link
Copy Doc ID 5be0d1a4-3f0d-11eb-96b9-00505692583a:666100
Download PDF

IPSec VPN between a FortiGate and a Cisco ASA with multiple subnets

When a Cisco ASA unit has mutiple subnets configured, multiple phase 2's must be created on the FortiGate, and not just multiple subnets.

This is because the FortiGate uses the same SPI value to bring up the phase 2 for all of the subnets, while the Cisco ASA expects different SPI values for each of its configured subnets. Using multiple phase 2's on the FortiGate creates different SPI values for each subnet.

To configure multiple phase 2 interfaces in route-based mode:
config vpn ipsec phase2-interface
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.227.253 255.255.255.255
        set dst-subnet 10.142.0.0 255.255.254.0
    next
    edit "Second subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.227.253 255.255.255.255
        set dst-subnet 10.143.0.0 255.255.254.0
    next
end
To configure multiple phase 2 interfaces in policy-based mode:
config vpn ipsec phase2
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.227.253 255.255.255.255
        set dst-subnet 10.142.0.0 255.255.254.0
    next
    edit "Second subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.227.253 255.255.255.255
        set dst-subnet 10.143.0.0 255.255.254.0
    next
end

IPSec VPN between a FortiGate and a Cisco ASA with multiple subnets

When a Cisco ASA unit has mutiple subnets configured, multiple phase 2's must be created on the FortiGate, and not just multiple subnets.

This is because the FortiGate uses the same SPI value to bring up the phase 2 for all of the subnets, while the Cisco ASA expects different SPI values for each of its configured subnets. Using multiple phase 2's on the FortiGate creates different SPI values for each subnet.

To configure multiple phase 2 interfaces in route-based mode:
config vpn ipsec phase2-interface
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.227.253 255.255.255.255
        set dst-subnet 10.142.0.0 255.255.254.0
    next
    edit "Second subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.227.253 255.255.255.255
        set dst-subnet 10.143.0.0 255.255.254.0
    next
end
To configure multiple phase 2 interfaces in policy-based mode:
config vpn ipsec phase2
    edit "First subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.227.253 255.255.255.255
        set dst-subnet 10.142.0.0 255.255.254.0
    next
    edit "Second subnet"
        set phase1name "VPN to Cisco"
        set src-subnet 192.168.227.253 255.255.255.255
        set dst-subnet 10.143.0.0 255.255.254.0
    next
end