Bono
New Member
November 22, 2013
Solved

Connecting fortigate to Mikrotik 450G IPSEC

  • November 22, 2013
  • 10 replies
  • 51131 views
Has anyone managed to connect Fortigate to Mikrotik device or it has working config? I lost whole day debuging IPSEC errors and I still cannot connect to Mikrotik via tunnel. Encryption is not important I just need working tunnel, so please share your knowledge if you managed to connect. All info on Internet is not very useful. Thanks
    Best answer by MariusM
    10 replies

    Bono (Author)
    New Member
    November 22, 2013
    This is resolved I have managed to fix it.
    billp
    New Member
    November 22, 2013
    Bono, Would you be willing to share your setup info? I will be doing something similar shortly. Thanks.
    Bono (Author)
    New Member
    November 23, 2013
    Fortigate 50B 4.0 Patch 15 and Mikrotik 450G 3.02. For the Fortigate I'm missing pictures of the policy, addresses and static route, but I think that is not relevant because you need to do this for a VPN setup Forti >< Forti anyway. Fortigate side: PH1 and PH2, LAN IP 192.168.1.0. Mikrotik side: local IP 192.168.0.0; in IP > Firewall > NAT the route policy needs to be on top of the list. I think this is the first working setup that was posted on the Internet; with this setup the connection is stable and always on, atm 14 hours up. I wish I could have found something like this so I wouldn't have spent half a day trying to figure it out in the Mikrotik manual.
    ede_pfau
    SuperUser
    November 23, 2013
    Welcome to the forums, and thanks for sharing. The setup is quite straightforward as I see it, only the policy setup on the Mikrotik is a bit 'custom'. Just 2 hints: 1. Phase1 lifetime is 8 hours on the FGT, but 1 day on the router. 2. Consider using AES128 instead of AES256 for encryption. AES128 can be offloaded onto hardware whereas AES256 has to be calculated on the FGT's CPU. Given the 50B you will do yourself a favor if you offload the encryption onto the ASIC. Wouldn't make much difference security-wise. The DPD interval is way shorter on the FGT, like 10 seconds or so (I cannot remember the default interval right now), on the router you use 120 seconds. Should not interfere, though, the shorter interval wins. edit: you can check the offload status like this (example from an 80C):
    my-fw # diag vpn ipsec status
    All ipsec crypto devices in use:
    CP6
            null:   0               0
            des:    0               0
            3des:   0               0
            aes:    11872694        11873159
            null:   0               0
            md5:    0               0
            sha1:   11872694        11873159
            sha256: 0               0
            sha384: 0               0
            sha512: 0               0
    SOFTWARE:
            null:   0               0
            des:    0               0
            3des:   0               0
            aes:    0               0
            null:   0               0
            md5:    0               0
            sha1:   0               0
            sha256: 0               0
            sha384: 0               0
            sha512: 0               0
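The offload check ede_pfau describes can be automated. This is an added example, not code from the thread or from Fortinet: it parses `diag vpn ipsec status` output (even when a forum paste has collapsed the whitespace, as above) and reports whether the active algorithms run on a crypto device such as CP6 or fall back to SOFTWARE. The sample text is constructed to mirror the output shape posted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, shaped like the output pasted above (whitespace collapsed).
SAMPLE = (
    "my-fw # diag vpn ipsec status All ipsec crypto devices in use: CP6 "
    "null: 0 0 des: 0 0 3des: 0 0 aes: 11872694 11873159 null: 0 0 md5: 0 0 "
    "sha1: 11872694 11873159 sha256: 0 0 sha384: 0 0 sha512: 0 0 "
    "SOFTWARE: null: 0 0 des: 0 0 3des: 0 0 aes: 0 0 null: 0 0 md5: 0 0 "
    "sha1: 0 0 sha256: 0 0 sha384: 0 0 sha512: 0 0"
)

DEVICE = re.compile(r"^[A-Z][A-Z0-9]*:?$")   # device headers: CP6, SOFTWARE:
COUNTER = re.compile(r"^[a-z0-9]+:$")         # algorithm rows: aes:, sha1:, ...


def parse_ipsec_status(text: str) -> Dict[str, List[Tuple[str, int, int]]]:
    """Return {device: [(algorithm, encrypted_count, decrypted_count), ...]}.
    Token-based so it works on line-oriented output and on a collapsed paste.
    'null' appears twice per device (cipher and hash), so rows are kept as a list."""
    tokens = text.split()
    stats: Dict[str, List[Tuple[str, int, int]]] = {}
    device = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        two_numbers = (i + 2 < len(tokens)
                       and tokens[i + 1].isdigit() and tokens[i + 2].isdigit())
        if COUNTER.match(tok) and two_numbers and device is not None:
            stats[device].append((tok[:-1], int(tokens[i + 1]), int(tokens[i + 2])))
            i += 3
            continue
        if DEVICE.match(tok) and not two_numbers:
            device = tok.rstrip(":")
            stats.setdefault(device, [])
        i += 1
    return stats


def active_algorithms(stats: Dict[str, List[Tuple[str, int, int]]]) -> Dict[str, List[str]]:
    """Algorithms that carried any traffic, per device."""
    return {dev: sorted({alg for alg, enc, dec in rows if enc or dec})
            for dev, rows in stats.items()}


def is_offloaded(stats: Dict[str, List[Tuple[str, int, int]]]) -> bool:
    """True when a hardware device carries traffic and SOFTWARE carries none,
    i.e. the negotiated proposal (e.g. AES128/SHA1) is handled by the ASIC."""
    active = active_algorithms(stats)
    hardware = [dev for dev, algs in active.items() if dev != "SOFTWARE" and algs]
    return bool(hardware) and not active.get("SOFTWARE")
```

If counters only grow under SOFTWARE, the proposal in use (such as AES256 on this platform) is not being offloaded.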
    Bono (Author)
    New Member
    November 23, 2013
    > Wouldn't make much difference security-wise.
    The difference between a two-Fortigate VPN connection and this one is that you have to modify the source and destination network in P2, or in debug mode it says that the networks do not match. Mikrotik reports the correct network and the FG reports the 0.0.0.0/255.255.255.0 network. I have lowered the AES encryption and everything works. I think the Mikrotik timeout didn't matter much because it is set to obey the FG rules and the connection was stable.
    All ipsec crypto devices in use:
    CP6
            null:   0       0
            des:    0       0
            3des:   0       0
            aes:    5856    5859
            null:   0       0
            md5:    0       0
            sha1:   5856    5859
            sha256: 0       0
            sha384: 0       0
            sha512: 0       0
    SOFTWARE:
            null:   0       0
            des:    0       0
            3des:   0       0
            aes:    0       0
            null:   0       0
            md5:    0       0
            sha1:   0       0
            sha256: 0       0
            sha384: 0       0
            sha512: 0       0
    Thanks
    Bono (Author)
    New Member
    December 14, 2013
    Hmm, looks like my setup doesn't work properly. I can ping and reach the Mikrotik's network, but from the Mikrotik I cannot reach the Fortigate's side. On the Fortigate my policy is set to accept; does anybody have an idea what could be wrong?
    ede_pfau
    SuperUser
    December 14, 2013
    You've posted that you have ONE policy, from FGT to MT. For the other direction you just need another policy. (Policies do not 'filter' traffic but determine the direction in which sessions can be started.)
    Bono (Author)
    New Member
    December 14, 2013
    I have two policies: one is from 192.168.0.x to 192.168.1.x and the second policy is from 192.168.1.x to 192.168.0.x, so that is covered. On the Mikrotik I added the destination IP in addresses, which got automatically added to IP route. So everything is covered, just only one side works. :(
    EDIT: When I try to traceroute from the Mikrotik IP range 192.168.0.0 to the Forti IP range 192.168.1.0 the route doesn't go through the VPN but tries to locate 192.168.1.1 on the Internet. This is just weird because I have set it on the Mikrotik to route it properly.
    EDIT2: It's fixed. I was pinging from the shell and it used the public interface instead of the private one; when I tried to ping from the web interface and used the private interface it works. Now I know why I use Fortigate. I lost half a day figuring out why, even though the routing table is defined, the Mikrotik is trying to find the 192.168.1.1 network on the public interface. :(
    EDIT3: on this picture it needs to be 192.168.0.0/24 instead of 192.168.0.0 and 192.168.1.0/24 instead of 192.168.1.0, then routing will work properly.
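Two of the mistakes in this thread are selector mismatches: the FGT's phase-2 selector left at the 0.0.0.0 wildcard (the "networks do not match" debug message above) and a Mikrotik address entered without /24, which RouterOS reads as a single host (EDIT3). This added example, not code from the thread or either vendor, normalizes both sides' phase-2 selectors and reports such mismatches before the tunnel is brought up; the subnets are the ones used in this thread.

```python
import ipaddress
from typing import List


def parse_selector(text: str) -> ipaddress.IPv4Network:
    """Normalize a phase-2 selector to an IPv4 network.
    Accepts CIDR ('192.168.1.0/24'), FortiGate 'addr/netmask' notation
    ('192.168.1.0/255.255.255.0'), or a bare address, which RouterOS treats
    as a /32 host (the EDIT3 pitfall above)."""
    return ipaddress.ip_network(text, strict=False)


def check_phase2(fgt_src: str, fgt_dst: str, mt_src: str, mt_dst: str) -> List[str]:
    """Compare the FGT phase-2 selectors with the Mikrotik policy.
    fgt_src/fgt_dst: FortiGate source/destination selectors.
    mt_src/mt_dst:   Mikrotik src-address/dst-address of the IPsec policy.
    Returns a list of problems; an empty list means the selectors mirror each other."""
    problems: List[str] = []
    f_src, f_dst = parse_selector(fgt_src), parse_selector(fgt_dst)
    m_src, m_dst = parse_selector(mt_src), parse_selector(mt_dst)

    # A wildcard selector on the FGT side does not match a specific Mikrotik policy.
    for label, net in (("FGT source", f_src), ("FGT destination", f_dst)):
        if net.network_address == ipaddress.IPv4Address("0.0.0.0"):
            problems.append(f"{label} is the wildcard {net}; set the real LAN subnet in phase 2")

    # A bare address on the Mikrotik is a /32 host, not the LAN subnet.
    for label, net, raw in (("Mikrotik src-address", m_src, mt_src),
                            ("Mikrotik dst-address", m_dst, mt_dst)):
        if "/" not in raw and net.prefixlen == 32:
            problems.append(f"{label} '{raw}' has no prefix length and is treated as a single host")

    # The FGT's local selector must be the Mikrotik's remote selector, and vice versa.
    if f_src != m_dst:
        problems.append(f"FGT source {f_src} != Mikrotik dst-address {m_dst}")
    if f_dst != m_src:
        problems.append(f"FGT destination {f_dst} != Mikrotik src-address {m_src}")
    return problems
```

A working configuration for this thread is `check_phase2("192.168.1.0/24", "192.168.0.0/24", "192.168.0.0/24", "192.168.1.0/24")`, which returns no problems.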
    MariusM (Answer)
    New Member
    April 21, 2015

    I needed to configure an IPSec VPN between a Fortigate 60D and a Mikrotik, and I didn't find a dedicated whitepaper or blog post on this topic.

    After figuring out the configuration steps I've created the following blog post; here is the link in case it helps someone: http://www.fastbit.ro/en/ipsec-site-to-site-vpn-between-fortigate-and-mikrotik/

    genar
    New Member
    January 8, 2018

    Hi,

    I tried to follow the instructions on that link. My tunnel is up, but I still cannot ping between the Fortigate LAN and the Mikrotik LAN.

    Any suggestions?

    I see on that link that the Mikrotik can ping the Fortigate LAN.

    Thank you

    Regards


    kinmun
    New Member
    June 29, 2015

    Regarding the steps on the blog for the Fortigate to Mikrotik VPN setup:

    What are int-vlan10, int-vlan20 and Mikrotik02 in the Fortigate configuration?

    Do I have to create these interfaces under the Fortigate network interfaces?

    I only have LAN, WAN, DMZ and mgmt interfaces on my FG now.

    MariusM
    New Member
    June 29, 2015

    Hi kinmun,

    Consider "int-vlan10" and "int-vlan20" as the internal LAN. Those are two network segments in the internal network. In your setup this will be the "LAN".

    The "Mikrotik02" is the remote subnet, representing the IP subnet of the remote location that will be connected through the VPN with the Fortigate. If you don't have this created, then you will need to create it in the Firewall section, as an object.


    Philippe_ASTIER
    New Member
    February 13, 2017

    OK, I may be stupid...

    Mikrotik RB2011 (brilliant router by the way) to FGT60C (soon to be replaced).

    I followed your (MariusM) setup.

    The tunnel is established, phase 2 is there.

    I can't get any traffic through. I can see packets increasing on the FGT side, but ping fails, as does any other kind of traffic.

    Yes, I do have an IPv4 policy on the FGT side; this is where I see the counters increasing.

    I have set up an L2TP server on the RB2011 as well, and that one works fine.

    Which step could I be forgetting?

    (as usual... I'm sure it must be something very, very stupid)