IPsec VPN between Cisco and FortiGate: an interoperable configuration
Interoperable Cisco ↔ FortiGate IPsec VPN: IKEv2 configuration with aligned proposals. Watch the details (DH group, lifetime, PFS). Step-by-step guide with troubleshooting. A common case in multi-vendor enterprise networks.
Common IKEv2 parameters (2026)
- Encryption: AES-256-GCM (recommended)
- Integrity / PRF: SHA-384 (AES-GCM is an AEAD cipher, so SHA-384 is negotiated as the IKEv2 PRF rather than as a separate integrity algorithm)
- DH group: 19 (ECP-256) or 20 (ECP-384)
- PFS: DH 19
- Lifetime: 28800 s (8 h) phase 1, 3600 s phase 2
- Mode: tunnel
Cisco IOS-XE side
With AES-GCM (an AEAD cipher) IOS-XE expects a prf, not an integrity algorithm, in the IKEv2 proposal; the lifetime matches the 28800 s phase 1 value above, and the static route sends traffic for the FortiGate LAN into the VTI.
crypto ikev2 proposal PROP-IOS
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy POL-IOS
 proposal PROP-IOS
crypto ikev2 keyring KEY-FG
 peer FORTIGATE
  address 203.0.113.2
  pre-shared-key SharedKey123
crypto ikev2 profile PROF-FG
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEY-FG
 lifetime 28800
crypto ipsec transform-set TS esp-gcm 256
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set pfs group19
 set ikev2-profile PROF-FG
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPSEC-PROF
ip route 192.168.1.0 255.255.255.0 Tunnel0
FortiGate side
In FortiOS the PRF is part of the phase 1 proposal name (aes256gcm-prfsha384) and a GCM phase 2 proposal carries no hash (aes256gcm); the key lifetimes match the values above. A static route to 10.0.0.0/24 via VPN-CISCO and firewall policies in both directions are also required.
config vpn ipsec phase1-interface
    edit "VPN-CISCO"
        set interface "port10"
        set ike-version 2
        set peertype any
        set remote-gw 203.0.113.1
        set psksecret SharedKey123
        set proposal aes256gcm-prfsha384
        set dhgrp 19
        set keylife 28800
    next
end
config vpn ipsec phase2-interface
    edit "VPN-CISCO-P2"
        set phase1name "VPN-CISCO"
        set proposal aes256gcm
        set dhgrp 19
        set keylifeseconds 3600
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end
Troubleshooting
- Cisco: show crypto ikev2 sa (phase 1)
- Cisco: show crypto ipsec sa (phase 2)
- Cisco: debug crypto ikev2 error
- FortiGate: diagnose vpn ike gateway list
- FortiGate: diagnose vpn tunnel list
- Check: ping across the tunnel
Frequent problems
- Proposal mismatch: check encryption + integrity/PRF + DH on both sides
- Different PSK
- NAT-T: enable on both sides
- Intermediate firewall blocking UDP 500/4500
- Proxy IDs (traffic selectors) do not match: the Cisco VTI proposes 0.0.0.0/0 on both sides while the FortiGate phase 2 above is limited to 192.168.1.0/24 ↔ 10.0.0.0/24, so compare the selectors actually negotiated on both ends
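To catch the proposal mismatch listed first above before the tunnel is brought up, here is an added Python check (not part of the original guide) that parses a Cisco `crypto ikev2 proposal` block and a FortiGate `phase1-interface` entry, normalises both vendors' spellings and reports the IKE SA suites they have in common. The snippets it checks are constructed from this guide's values.

```python
"""Pre-flight check that a Cisco IOS-XE IKEv2 proposal and a FortiGate
phase1-interface entry share at least one IKE SA suite (encryption, PRF/integrity, DH).
Added example for this guide, not the guide's own code; the snippets below are
constructed from the guide's values."""
import re

# Vendor spellings of the encryption algorithm -> one neutral token
CISCO_ENC = {"aes-gcm-256": "aes256gcm", "aes-gcm-128": "aes128gcm",
             "aes-cbc-256": "aes256", "aes-cbc-128": "aes128"}

def _values(text, key):
    """Space-separated values of the first '<key> ...' line in a config block."""
    m = re.search(rf"^\s*{key}\s+(.+?)\s*$", text, re.M)
    return m.group(1).split() if m else []

def cisco_suites(text):
    """(enc, hash, dh) triples offered by a 'crypto ikev2 proposal' block."""
    groups = set(_values(text, "group"))
    suites = set()
    for enc in (CISCO_ENC.get(e, e) for e in _values(text, "encryption")):
        # IOS-XE takes 'prf' with GCM (AEAD) ciphers and 'integrity' with CBC ones
        hashes = _values(text, "prf" if enc.endswith("gcm") else "integrity")
        suites |= {(enc, h, g) for h in hashes for g in groups}
    return suites

def forti_suites(text):
    """(enc, hash, dh) triples offered by a FortiOS phase1-interface entry."""
    groups = set(_values(text, "set dhgrp"))
    suites = set()
    for prop in _values(text, "set proposal"):
        enc, _, h = prop.partition("-")   # aes256gcm-prfsha384 -> aes256gcm, prfsha384
        h = h[3:] if h.startswith("prf") else h
        suites |= {(enc, h, g) for g in groups}
    return suites

def common_suites(cisco_text, forti_text):
    """Suites both peers accept; empty means IKE_SA_INIT ends in NO_PROPOSAL_CHOSEN."""
    return cisco_suites(cisco_text) & forti_suites(forti_text)

# Constructed snippets: the guide's aligned pair, and a deliberately mismatched FortiGate entry
CISCO = "crypto ikev2 proposal PROP-IOS\n encryption aes-gcm-256\n prf sha384\n group 19 20\n"
FORTI_OK = 'edit "VPN-CISCO"\n set proposal aes256gcm-prfsha384\n set dhgrp 19\nnext\n'
FORTI_BAD = 'edit "VPN-CISCO"\n set proposal aes256-sha256\n set dhgrp 14\nnext\n'

if __name__ == "__main__":
    print("aligned :", sorted(common_suites(CISCO, FORTI_OK)))   # [('aes256gcm', 'sha384', '19')]
    print("mismatch:", sorted(common_suites(CISCO, FORTI_BAD)))  # []
```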
Order from OPTINOC
Multi-vendor IPsec VPN configuration: Cisco, FortiGate, Palo Alto, Juniper, Stormshield. Diagnosis within 2 hours.
