
Migrating IPSec tunnel

MBestt
Level 1

Hello,

I have a question about migrating an IPSec tunnel between a Cisco C981F-k9 and a Cisco ASA firewall to a tunnel from the same Cisco C981F-k9 router to a Fortigate firewall. What is the 'best' way to migrate this tunnel?

Currently I have configured the tunnel with IKEv1, the configuration is shown below:

! IKEv1 phase 1 (ISAKMP) policy: AES-128 ("encr aes" with no key size
! means 128-bit), SHA-1 (the IOS default hash, so it is not shown),
! DH group 14, pre-shared key, 8-hour lifetime
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 14
 lifetime 28800
! pre-shared key for the ASA peer (key and address redacted)
crypto isakmp key xxxx address x.x.x.x
!
! phase 2 transform set: despite the name it uses AES-256 with SHA-1 HMAC,
! not 3DES
crypto ipsec transform-set ESP_3DES_SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! policy-based VPN: sequence 1 points at the ASA and uses crypto ACL 100
! to select the interesting traffic
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x.x.x.x
 set peer x.x.x.x
 set transform-set ESP_3DES_SHA
 match address 100
!
! the crypto map is applied to the WAN (dialer) interface
interface Dialer1
 crypto map SDM_CMAP_1
!
! crypto ACL: local 192.168.58.0/24 to five remote /24s behind the ASA
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.58.0 0.0.0.255 192.168.61.0 0.0.0.255
access-list 100 permit ip 192.168.58.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 100 permit ip 192.168.58.0 0.0.0.255 192.168.47.0 0.0.0.255
access-list 100 permit ip 192.168.58.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 permit ip 192.168.58.0 0.0.0.255 192.168.49.0 0.0.0.255

The subnets that are allowed in the access-list are located behind the Cisco ASA firewall, but they will eventually be located behind the Fortigate, because the Cisco ASA firewall will be replaced with a Fortigate firewall.

What is the best way to convert the tunnel from the Cisco ASA to the Fortigate? Is this by configuring a second tunnel to the Fortigate, then removing the crypto map on the Dialer1 interface that is creating the tunnel to the ASA, and then adding the new crypto map that is creating the tunnel to the Fortigate? Or is there a better way to approach the migration?

Kind regards,

MBestt

Accepted Solution

I want to know the best way to remove the tunnel to the ASA and configure the tunnel to the Fortigate.

If you'd like to use the SAME IP address and other settings, there is no other way for you here: you need to configure the Fortinet offline and remove the ASA (in a maintenance window), introduce the Fortinet and do testing. (If there is any issue, collect all the logs, fix and move forward; if this is critical and, after collecting the logs and troubleshooting, it is still not working, the ASA is still available in place to roll back.)

But what is the 'best' way to transform the current tunnel in the Cisco router is my question.

I explained what we do; it is the best way that worked for me. (I am also thinking you can build 2 tunnels, one for the ASA and one for the Fortinet, but the local subnets are the same; that is the limitation.) But if that option is available to you, it has been a long time since I touched an 891 router, but I can support.

And I think that the Forticonverter isn't a good tool that helps with migrating VPN tunnels from ASA to Fortigate.

Sure, understood. No migration tool can give a 100% like-for-like shift; there we need to do some manual intervention to fix.

I have not come across any cross-vendor tool, including Cisco's, that does a 100% lift and shift of the config without any adjustment (my experience).

Hope that helps you.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

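As an added worked example (not from the original post, and not Cisco's or Fortinet's own documentation), here is the router-side sequence for the two approaches in the accepted answer: stage the Fortigate tunnel as a second crypto map entry against a test prefix that ACL 100 does not cover, then repoint sequence 1 at the Fortigate in the maintenance window. The Fortigate WAN address 203.0.113.10, the ASA address 198.51.100.20 (standing in for the post's redacted x.x.x.x), the test subnet 192.168.200.0/24 and the key strings are assumptions chosen for the example.

```cisco
! ---------------------------------------------------------------
! Step 0: parameters the FortiGate side must mirror (IOS defaults noted)
!   Phase 1: IKEv1, AES-128 ("encr aes" with no size = 128-bit), SHA-1,
!            DH group 14, pre-shared key, lifetime 28800 s
!   Phase 2: ESP AES-256 / SHA-1 HMAC, tunnel mode, no PFS (no "set pfs"
!            in the crypto map), IPsec SA lifetime 3600 s (IOS default,
!            so it does not appear in the posted config)
! ---------------------------------------------------------------

! Step 1 (before the window): add the FortiGate as a second IKEv1 peer.
! 203.0.113.10 is the assumed FortiGate WAN address; use a distinct PSK.
crypto isakmp key FortiStagingKey address 203.0.113.10

! Step 2: stage the tunnel as crypto map sequence 2 against a test prefix.
! Crypto map entries are evaluated in sequence order and the first crypto
! ACL match wins, so an entry that reused ACL 100 would never be selected
! while sequence 1 exists (this is the "same local subnets" limitation in
! the answer). ACL 101 uses 192.168.200.0/24, an assumed test subnet
! behind the FortiGate, to prove phase 1/2 interop without touching
! production traffic.
access-list 101 remark IPSec staging rule to FortiGate
access-list 101 permit ip 192.168.58.0 0.0.0.255 192.168.200.0 0.0.0.255

crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Staging tunnel to FortiGate 203.0.113.10
 set peer 203.0.113.10
 set transform-set ESP_3DES_SHA
 match address 101

! Step 3: generate interesting traffic (e.g. ping from a 192.168.58.x host
! to a 192.168.200.x host) and verify both phases came up with the new peer.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
show crypto session remote 203.0.113.10 detail

! Step 4 (maintenance window): once the production subnets have moved
! behind the FortiGate, repoint sequence 1 at it and drop the staging entry.
! 198.51.100.20 stands in for the post's redacted ASA address.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to FortiGate 203.0.113.10
 no set peer 198.51.100.20
 set peer 203.0.113.10
no crypto map SDM_CMAP_1 2

! Step 5: tear down the SAs negotiated with the ASA so the router re-keys
! with the FortiGate now instead of waiting for the lifetimes to expire.
clear crypto session remote 198.51.100.20
clear crypto sa peer 198.51.100.20

! Step 6: confirm ACL 100 traffic now matches sequence 1 with the new peer,
! then remove the ASA's pre-shared key and the staging ACL.
show crypto map interface Dialer1
show crypto ipsec sa peer 203.0.113.10
no crypto isakmp key xxxx address 198.51.100.20
no access-list 101

! Roll back: under sequence 1, put "set peer 198.51.100.20" back and clear
! the sessions again; the ASA's key is left in place until step 6 runs.
```

The staging entry only proves that the Fortigate accepts the router's proposals; the cutover itself is the single `set peer` change plus the SA clear, which is why the ASA can stay racked as the rollback path until step 6.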

3 Replies

balaji.bandi
Hall of Fame

That should be a simple config; you can manually configure it on the Fortinet for only the tunnel.

If you are looking at ASA to Fortinet, I used the tool below for one migration; it's good:

https://docs.fortinet.com/product/forticonverter/7.0

BB


That is not exactly what I am looking for. I want to know the best way to remove the tunnel to the ASA and configure the tunnel to the Fortigate. How to set up the tunnel on the Fortigate is clear to me. But what is the 'best' way to transform the current tunnel in the Cisco router is my question.

And I think that the Forticonverter isn't a good tool that helps with migrating VPN tunnels from ASA to Fortigate.
