IPsec Tunnel Between FortiGate Firewall and Cisco Router

Cisco IPsec Tunnel Configuration:

hostname WAN_ROUTER
! Step_1: Hostname configured
!
! Phase-1
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
! Step_2: ISAKMP (Internet Security Association and Key Management Protocol) policy configured
crypto isakmp key Admin@123 address 172.16.1.1
! Step_3: ISAKMP pre-shared key configured for the FortiGate peer
!
! Phase-2
crypto ipsec transform-set Cisco_to_Fortinet esp-des esp-md5-hmac
 mode tunnel
! Step_4: Setting up IPsec tunnel mode and the transform set "esp-des esp-md5-hmac"
crypto map Cisco_to_Fortinet 2 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set Cisco_to_Fortinet
 match address vpn-traffic
! Step_5: Mapping the tunnel: setting up the peer, the transform set and the crypto ACL
!
ip dhcp pool LAN
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.254
! DHCP pool configured for the local LAN
!
interface GigabitEthernet0/0
 ip address 172.16.1.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 crypto map Cisco_to_Fortinet
! Step_6: Configuring the WAN interface and applying the crypto map so it tunnels the matched traffic
!
ip access-list extended vpn-traffic
 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
! Step_7: Extended ACL selecting the incoming and outgoing VPN traffic
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! Step_8: ACL for NAT of the inside source
! Note: as written, ACL 100 matches the FortiGate-side LAN (192.168.1.0/24) rather than the
! router's own 10.1.1.0/24 LAN, and it does not exclude the vpn-traffic flows; IOS applies
! inside-to-outside NAT before the crypto map, so translated packets no longer match the crypto ACL.
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
! Step_9: PAT configuration on Gi0/0 (the interfaces also need "ip nat inside" / "ip nat outside" for PAT to apply)
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
! Step_10: Default route configured for any network
end
write mem
FortiGate IPsec Tunnel Configuration:

Phase-1
Step 1: Configure the remote gateway IP address (here I have chosen my WAN interface as the local interface).
Step 2: Configure the pre-shared key and the Phase-1 proposal (here I have chosen DES-MD5 as the encryption/authentication proposal).

Phase-2
Step 3: Configure the Phase-2 local LAN and remote LAN addresses (here my local LAN is 192.168.1.0/24 behind the FortiGate firewall and my remote LAN is 10.1.1.0/24 behind the Cisco router).
Step 4: Configure the Phase-2 proposal (here I have chosen DES-MD5 and the same key lifetime as the Cisco router).
Step 5: Configure the firewall policies for incoming and outgoing traffic through the tunnel (here I have created two policies: TUNNEL_TO_LAN for incoming traffic and LAN_TO_TUNNEL for outgoing traffic).
Step 6: Configure the static route towards the remote site via the VPN tunnel interface.
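The FortiGate steps above are GUI steps; as an added example that is not part of the original document, here is the equivalent route-based FortiOS CLI configuration for Phase-1, Phase-2 and the static route, with each value chosen to match the Cisco configuration above. The WAN port name wan1 and the tunnel name Fortinet_to_Cisco are assumptions, and lines starting with "#" are editorial comments rather than CLI input.

```fortios
config vpn ipsec phase1-interface
    edit "Fortinet_to_Cisco"
        # assumption: the WAN port on this unit is named wan1
        set interface "wan1"
        set ike-version 1
        # Cisco GigabitEthernet0/0 address from the router configuration
        set remote-gw 172.16.1.2
        # isakmp policy 2: DES (IOS default when no "encryption" line is set), hash md5, group 2
        set proposal des-md5
        set dhgrp 2
        # IOS default ISAKMP SA lifetime is 86400 s
        set keylife 86400
        set peertype any
        # same string as "crypto isakmp key Admin@123 address 172.16.1.1"
        set psksecret Admin@123
    next
end
config vpn ipsec phase2-interface
    edit "Fortinet_to_Cisco_p2"
        set phase1name "Fortinet_to_Cisco"
        # transform-set Cisco_to_Fortinet: esp-des esp-md5-hmac
        set proposal des-md5
        # the crypto map has no "set pfs", so PFS must be off here;
        # FortiGate enables PFS by default and a mismatch fails Phase-2
        set pfs disable
        # IOS default IPsec SA lifetime is 3600 s ("same as the Cisco side")
        set keylifeseconds 3600
        # selectors mirror the vpn-traffic crypto ACL as seen from the FortiGate
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
config router static
    edit 0
        # Step 6: send the remote LAN into the tunnel interface
        set dst 10.1.1.0 255.255.255.0
        set device "Fortinet_to_Cisco"
    next
end
```

The two firewall policies from Step 5 (LAN_TO_TUNNEL and TUNNEL_TO_LAN) are still required on top of this; without them the tunnel comes up but no traffic is forwarded through it.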

Note: This document was prepared in a virtual lab built with the EVE-NG emulator. I would request that you follow the official vendor documentation before doing this in a real-world environment, as the scenario may differ there.
