Question
Cannot connect Fortigate to Mikrotik using Ipsec
Hi, I'm trying to connect Mikrotik with Fortigate using Gre over Ipsec but I'm stuck already on Ipsec Phase 1 exchange, maybe could anyone help me? Fortigate config:
config vpn ipsec phase1-interface
edit "ipsec_p1"
set interface "port16"
set ike-version 2
set local-gw FGT_WAN
set keylife 3600
set peertype any
set net-device disable
set proposal aes256-sha256
set dhgrp 21
set remote-gw MIKROTIK_WAN
set psksecret password
next
end
config vpn ipsec phase2-interface
edit "ipsec_p2"
set phase1name "ipsec_p1"
set proposal aes256-sha256
set dhgrp 21
set encapsulation transport-mode
set protocol 47
next
end
Mikrotik config:
/ip ipsec policy group
add name=group1
/ip ipsec profile> print
Flags: * - default
1 name="FGT" hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d
proposal-check=obey nat-traversal=yes dpd-interval=disable-dpd
/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
0 name="FGT" address=FGT_WAN/32 local-address=MIKROTIK_WAN port=500
profile=FGT exchange-mode=ike2 send-initial-contact=yes
/ip ipsec proposal> print
Flags: X - disabled, * - default
1 name="FGT" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s
pfs-group=ecp521
/ip ipsec identity> print
Flags: D - dynamic, X - disabled
peer=FGT auth-method=pre-shared-key secret="password" generate-policy=no
/ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
1 src-address=MIKROTIK_WAN/32 src-port=any dst-address=FGT_WAN/32 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no
proposal=FGT ph2-count=0
Fortigate debug:
FGT # ike 0: comes MIKROTIK_WAN:500->FORTIGATE_WAN:500,ifindex=22....
ike 0: IKEv2 exchange=SA_INIT id=7db77dde33559db9/0000000000000000 len=300
ike 0: in 7DB77DDE33559DB9000000000000000029202208000000000000012C2900001C000040058127764BBADB7244D1E0779C7B6DB9E7F017782D2800001C000040040C756A50A4894E77195676AE85309213A81D7AEA2200001CAF2203E8EE1329DDF0FCA70E3F6E459E34A50CBEFE0EEA7B2100008C0015000000019347E6A359CE73A61BAC722E10AAD7349FF180904339F3CBC0CDAF
ike 0:7db77dde33559db9/0000000000000000:296: responder received SA_INIT msg
ike 0:7db77dde33559db9/0000000000000000:296: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:7db77dde33559db9/0000000000000000:296: received notify type NAT_DETECTION_SOURCE_IP
ike 0:7db77dde33559db9/0000000000000000:296: incoming proposal:
ike 0:7db77dde33559db9/0000000000000000:296: proposal id = 1:
ike 0:7db77dde33559db9/0000000000000000:296: protocol = IKEv2:
ike 0:7db77dde33559db9/0000000000000000:296: encapsulation = IKEv2/none
ike 0:7db77dde33559db9/0000000000000000:296: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:7db77dde33559db9/0000000000000000:296: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:7db77dde33559db9/0000000000000000:296: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:7db77dde33559db9/0000000000000000:296: type=DH_GROUP, val=ECP521.
ike 0:7db77dde33559db9/0000000000000000:296: no proposal chosen
ike Negotiate SA Error: ike ike [10366]