DamianLozano
New Member
July 29, 2020
Question

IPsec VPN between Fortigate and Mikrotik


Hello, I tried for the first time to create a VPN between a Fortigate 60E (v5.6.0) and a Mikrotik CCR1009-7G-1C-1S+ (v6.45.7), but with issues. I used the following "guide": https://www.fastbit.ro/en/ipsec-site-to ... Sec%20Peer. Many menus are very different between RouterOS versions, and I found everything different.

The first thing that catches my attention is that the "guide" asked me to create an IPsec policy specifying the local and remote networks. I have created this; however, when I look at the policy, it appears with 0.0.0.0/0 as source address and the remote public IP as destination address, and it doesn't let me change the values.

In the Fortigate I have another IPsec VPN with another Fortigate device, which is working.

This is the VPN setting in the Mikrotik:

/ip ipsec profile
add dh-group=modp1536 enc-algorithm=3des name=profileTemp
/ip ipsec peer
add address=remotePublicIP/32 name=peerTemp profile=profileTemp
/ip ipsec proposal
add enc-algorithms=3des lifetime=1d name=proposaltemp pfs-group=modp1536
/ip ipsec identity
add peer=peerTemp secret=Argentina20
/ip ipsec policy
add dst-address=190.111.200.154/32 peer=peerTemp proposal=proposaltemp src-address=0.0.0.0/0

I ran a debug on the Fortigate and got the following:

diagnose debug enable
diagnose debug application ike -1

fgt60e-iga01 # ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:bf4ddd3d len=92
ike 0: in DCD2166064C689C55C05337671EB29A808100501BF4DDD3D0000005CF6EEE2129F004C024770A4F7EC1660535C35E6FF0149DFF8B8A6D8EA577D7FC8609D202CE3274B5DB6C9444563528ED5D17F1EB9D4A9B211E89B306B1F422999
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A808100501BF4DDD3D0000005C0B00001842EAD06BCC1C1648A9EE1B77E291F050E384E63F000000200000000101108D28DCD2166064C689C55C05337671EB29A80011691B65DC2EF2D447A507
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A8081005018D693DF2000000540B00001860924C304E7F5B65BB1DC5AAD7BFF41FB5BA8D8B000000200000000101108D29DCD2166064C689C55C05337671EB29A80011691B
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A8081005018D693DF20000005CECCAE8EDADB77DABA6CEEB5EC49E4B69E91A960E1EDCCFB6F14361076095048978842EEC1EFA4521086B4F24FB6F5DF3E11A84C17731D76677B3B1570FB5E8BB
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:8d693df2
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes MKTpublicIP:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=e223d3ab5154f152/0000000000000000 len=344
ike 0: in …
ike 0:e223d3ab5154f152/0000000000000000:665: responder: main mode get 1st message...
ike 0:e223d3ab5154f152/0000000000000000:665: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:e223d3ab5154f152/0000000000000000:665: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:e223d3ab5154f152/0000000000000000:665: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:VPNnotWorking: ignoring IKE request, no policy configured
ike 0:e223d3ab5154f152/0000000000000000:665: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:e223d3ab5154f152/0000000000000000:665: no SA proposal chosen
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:7f92927e len=92
ike 0: in DCD2166064C689C55C05337671EB29A8081005017F92927E0000005C23E9E8BA922224E27410752A322D3C8F5078295313576A969995532EA5726D4645261202E16911BDF31BCE93EB53F1E49ABA13F5F5CC477A366A865642046B3F
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A8081005017F92927E0000005C0B000018A0F62FB15CB9A23E70193206725F7749387191C8000000200000000101108D28DCD2166064C689C55C05337671EB29A80011691C38D41073DB07FB07
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A80810050115C5C594000000540B0000182BC0C54DEF16A64BDE0474940F4DAB0AFB1B3B28000000200000000101108D29DCD2166064C689C55C05337671EB29A80011691C
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A80810050115C5C5940000005C9E37C0FEBE0D9F6DA2FFD0CBEEC540C9F7846B962BAD08D18817ED83E6F3875F647F92D107C734926113F64CCBC3B11BFB2E70E91AC57A9E553C906B490F5547
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:15c5c594
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:4c9d7d25 len=92
ike 0: in DCD2166064C689C55C05337671EB29A8081005014C9D7D250000005CF8C4A1D282BB7CBBEEFE1DCBB527662543A776DAC5FCBBD6D7262133D4AB4B44BCEABC49BEC68566C401B6371377C0D34D87363B6666E4448774A5444231915D
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A8081005014C9D7D250000005C0B000018F2E3F9AED40BDA510EBD40639643AEE60BCC1BC7000000200000000101108D28DCD2166064C689C55C05337671EB29A80011691D54A4BFDB8EC5AB07
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A808100501F5A92033000000540B0000187429C914D0BCEE87A3DF44E84ED729C39315D144000000200000000101108D29DCD2166064C689C55C05337671EB29A80011691D
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A808100501F5A920330000005C14D21895B0664AA669F4F3EA38F01236EE35ACEBA85ED67C5766AE4C856E311530448E00FB67F559E2B0988FE1C5ABFFE6ADD7D4B9A0CCF3A5484AB2991D587E
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:f5a92033
ike 0:VPNnotWorking: gw negotiation timeout
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes MKTpublicIP:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=e223d3ab5154f152/0000000000000000 len=344
ike 0: in …
ike 0:e223d3ab5154f152/0000000000000000:666: responder: main mode get 1st message...
ike 0:e223d3ab5154f152/0000000000000000:666: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:e223d3ab5154f152/0000000000000000:666: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:e223d3ab5154f152/0000000000000000:666: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:VPNnotWorking: ignoring IKE request, no policy configured
ike 0:e223d3ab5154f152/0000000000000000:666: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:e223d3ab5154f152/0000000000000000:666: no SA proposal chosen

fgt60e-iga01 # ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:de0a8ecb len=92
ike 0: in DCD2166064C689C55C05337671EB29A808100501DE0A8ECB0000005CCC2D99EAEC38155B2EBE42D6D05A10208A3C3AACB70CE8FF2B99ECC47E6137BDAABA52CED08EE7A99E0369BEB191C04AFE671B3869FD0147017D843592753E6B
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A808100501DE0A8ECB0000005C0B0000182B17852A73613B947EB56B68ECEB9CBFA3450EB4000000200000000101108D28DCD2166064C689C55C05337671EB29A80011691E6C1A58ABDBC87D07
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A808100501D6B40B29000000540B000018FEA0F92D74FA46C5208DBAA51559C7334AB4A6B9000000200000000101108D29DCD2166064C689C55C05337671EB29A80011691E
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A808100501D6B40B290000005C516C3BB76C362A610F630037159190A9CDAF6FF66769D51D369834FA294E0927CE8D32F927C922183C25B8112C251C86FD0B1C00B725FF5DD9ECB937438A4DFD
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:d6b40b29
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:f4d82f23 len=92
ike 0: in DCD2166064C689C55C05337671EB29A808100501F4D82F230000005CE48AE2C546372335306B6480FC2B370C4409B3CD8A52F3839805FA4A8F5F105F2FA616A53A4FB580ACFA9F5B3E4E4FCC9EBCB64BCB991B87AB9D27AE91063D20
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A808100501F4D82F230000005C0B000018C2C6970FFEFC4C6B53E9811EE21C53BD00CC9A9E000000200000000101108D28DCD2166064C689C55C05337671EB29A80011691F2C2F7CC78E46D607
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A8081005010982D979000000540B000018D70F7978CD77A35EC43FF12ECF5710E493215746000000200000000101108D29DCD2166064C689C55C05337671EB29A80011691F
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A8081005010982D9790000005C1AB43D21F31A9DF7E82CC81C4B5B34C71D19D605876CDB331F793B4A65E486090D9D23317AEFCD8D3D050C9C032F618C396A6172E654FF036289F1EE588367B5
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:0982d979
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:7bdddc9e len=92
ike 0: in DCD2166064C689C55C05337671EB29A8081005017BDDDC9E0000005C92E7F23C31876941DF781405208F0F4585937381F0B07ECCF952617C03C422DBEF425E65E8C86B1CED15F551FC5B22C971B6FE5DF592B2EE1B399B35279492D6
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A8081005017BDDDC9E0000005C0B00001857806043CA930CAC8F67B1BAD61876A4D2C17C75000000200000000101108D28DCD2166064C689C55C05337671EB29A80011692096A450E529E5C007
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A808100501078A66ED000000540B000018A3A469AF3EC99F5656C43A2843BB8A3BC1CD03CB000000200000000101108D29DCD2166064C689C55C05337671EB29A800116920
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A808100501078A66ED0000005CFCFF7B0D4CBEA1D1C511D05DDE738987CE3D49F39CBE5CCDD6ABB333E8722E5064ED7DE0756F6E3DBBDAF9C1C46D7AAB9AA23F2BBF59F4F7402CFC15C072C9B0
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:078a66ed
diagnose debug disable

The Fortigate tells me "No policy configured". Do you know what policy it is talking about? Thanks in advance. Regards, Damián
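The debug output above mixes three separate conversations (the working tunnel's DPD keepalives, the failing gateway's own connect attempts, and the Mikrotik's inbound main-mode requests). The following Python script is an added example, not from the original post or from Fortinet: it splits FortiGate `diagnose debug application ike -1` lines by gateway name, counts the failure messages that appear in this thread ("no policy configured", "no SA proposal chosen", "NO-PROPOSAL-CHOSEN", "gw negotiation timeout"), and maps each one to the check the replies below suggest. The sample lines are constructed in the same format with placeholder addresses and cookies.

```python
"""Classify FortiGate IKE debug lines by gateway and map failures to the check they call for.

Added example; the sample debug text is constructed, not a real capture.
"""
import re
from collections import defaultdict

# Inbound packet line: "comes <peer>:500-><us>:500,ifindex=..."
COMES_RE = re.compile(r"comes (?P<src>[^:\s]+):\d+->(?P<dst>[^:\s]+):\d+")

# Message fragment -> (symptom id, what to check). Advice follows the replies in this thread.
SYMPTOMS = {
    "no policy configured": (
        "no_policy",
        "no firewall policy or route references this phase1 interface; create one so the tunnel can carry traffic",
    ),
    "no SA proposal chosen": (
        "no_proposal",
        "phase1 proposals do not overlap; compare encryption, hash, DH group and key lifetime on both sides",
    ),
    "notify msg received: NO-PROPOSAL-CHOSEN": (
        "no_proposal",
        "the peer rejected our proposal; compare phase1/phase2 algorithms, PFS group and lifetimes",
    ),
    "gw negotiation timeout": (
        "timeout",
        "the peer never answered; check UDP 500/4500 reachability and that the peer address is correct",
    ),
    "notify msg received: R-U-THERE": (
        "dpd_ok",
        "dead peer detection keepalive; this gateway is up",
    ),
}


def parse_line(raw):
    """Return (gateway, message) for one ike debug line, or None for anything else.

    The gateway is the first field after 'ike 0:'. Bare ISAKMP cookies (peer not
    matched to a gateway yet) are prefixed with 'cookie:'; lines such as
    'ike 0: comes ...' that carry no gateway get an empty name.
    """
    pos = raw.find("ike 0:")  # drops a CLI prompt or 'ike Negotiate ISAKMP SA Error:' prefix
    if pos < 0:
        return None
    rest = raw[pos + len("ike 0:"):]
    if rest.startswith(" "):
        return ("", rest.strip())
    head, sep, msg = rest.partition(": ")
    if not sep:
        return None
    gw = head.split(":", 1)[0]
    if "/" in gw:
        gw = "cookie:" + gw
    return (gw, msg.strip())


def classify(debug_text):
    """Count symptom hits per gateway and collect the peer addresses that sent us IKE packets."""
    gateways = defaultdict(lambda: defaultdict(int))
    peers = set()
    for raw in debug_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        gw, msg = parsed
        came = COMES_RE.match(msg)
        if came:
            peers.add(came.group("src"))
            continue
        for needle, (symptom, _advice) in SYMPTOMS.items():
            if needle in msg:
                gateways[gw][symptom] += 1
    return {"gateways": {gw: dict(c) for gw, c in gateways.items()}, "peers": sorted(peers)}


def diagnose(report):
    """Turn the counts into (gateway, symptom, what to check) findings, skipping healthy keepalives."""
    advice = {symptom: text for symptom, text in SYMPTOMS.values()}
    findings = []
    for gw, counts in report["gateways"].items():
        for symptom, n in counts.items():
            if symptom != "dpd_ok":
                findings.append((gw, symptom, f"{n}x: {advice[symptom]}"))
    return findings


# Constructed sample in the format of the debug above (placeholder addresses and cookies).
SAMPLE_DEBUG = """\
fgt60e-iga01 # ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 198.51.100.10->203.0.113.20:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes 203.0.113.20:500->198.51.100.10:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=0123456789abcdef/0000000000000000 len=344
ike 0:0123456789abcdef/0000000000000000:665: responder: main mode get 1st message...
ike 0:VPNnotWorking: ignoring IKE request, no policy configured
ike 0:0123456789abcdef/0000000000000000:665: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:0123456789abcdef/0000000000000000:665: no SA proposal chosen
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): 198.51.100.10:500->192.0.2.30:500, len=92
ike 0:VPNnotWorking: gw negotiation timeout
ike 0:VPNnotWorking:6353: notify msg received: NO-PROPOSAL-CHOSEN
"""

if __name__ == "__main__":
    report = classify(SAMPLE_DEBUG)
    print("peers seen:", report["peers"])
    for gw, symptom, text in diagnose(report):
        print(f"{gw}: {symptom} -> {text}")
```

Run against a saved debug capture (`classify(open("ike.log").read())`) the script separates the gateway that is failing from the one that is merely answering DPD, which is the first thing to establish before comparing proposals.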

 


    brycemd
    New Member
    July 30, 2020

    "No policy configured" typically means there isn't an IPv4 policy to actually allow the traffic, or a route to send traffic across the tunnel. If there isn't a firewall policy to allow it or a route to send traffic, the tunnel is prevented from coming up, since it wouldn't be able to send traffic across.

    DamianLozano
    New Member
    July 30, 2020

    Thanks for your response,

    I have seen in some cases a rule with action "ipsec" from LAN to WAN, but in this Fortigate I don't have such an action option.

    I thought that the rules to allow traffic through the VPN were not necessary to establish it, but I have just created both rules to allow traffic from LAN to VPN and from VPN to LAN.

    This time I didn't get the "no policy" message, but I got the following:

    6353: notify msg received: NO-PROPOSAL-CHOSEN

    In the Mikrotik I had created a proposal with the same values as in the Fortigate.

    Any idea?

    Thanks in advance.

    Regards,

    Damián

    sw2090
    SuperUser
    July 30, 2020

    NO-PROPOSAL-CHOSEN usually means that your FGT and your Mikrotik didn't find a matching pair of proposals.

    Phase1 and Phase2 both have to match at least one pair of proposals.

    Also DH Group and Key TTL have to match on both sides.
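As an added illustration of the matching rule in this reply (not part of sw2090's answer or any vendor tool), the following Python normalises a FortiGate phase1/phase2 configuration and a MikroTik profile/proposal into comparable (encryption, hash, DH group) tuples and reports, per phase, whether at least one proposal is shared and whether the key lifetimes agree. The configuration values are constructed; the key names are the ones each CLI uses (FortiGate `proposal`, `dhgrp`, `pfs`, `keylife`, `keylifeseconds`; MikroTik `enc-algorithm`, `hash-algorithm`, `dh-group`, `enc-algorithms`, `auth-algorithms`, `pfs-group`, `lifetime`), and the DH table translates MikroTik's `modpNNNN`/`ecpNNN` names to the numeric groups FortiGate uses.

```python
"""Check that a FortiGate phase1/phase2 and a MikroTik profile/proposal share a proposal.

Added example with constructed values; it models the rule that phase1 and phase2 each
need at least one matching proposal, DH/PFS group and lifetime on both sides.
"""
import re
from itertools import product

# MikroTik names DH groups, FortiGate numbers them (IANA group ids). 0 = PFS disabled.
MT_DH_TO_FGT = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
                "modp3072": 15, "modp4096": 16, "ecp256": 19, "ecp384": 20, "none": 0}

# MikroTik stores phase1 in /ip ipsec profile and phase2 in /ip ipsec proposal.
MT_PHASE1_KEYS = ("enc-algorithm", "hash-algorithm", "dh-group")
MT_PHASE2_KEYS = ("enc-algorithms", "auth-algorithms", "pfs-group")


def norm_enc(name):
    """'aes-128-cbc' (MikroTik) and 'aes128' (FortiGate) both become 'aes128'."""
    return name.strip().lower().replace("-cbc", "").replace("aes-", "aes")


def mt_lifetime_seconds(text):
    """Convert a RouterOS duration ('1d', '8h', '1d12:30:00') to seconds."""
    text = text.strip().lower()
    units = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
    total = sum(int(v) * units[u] for v, u in re.findall(r"(\d+)([wdhms])", text))
    clock = re.search(r"(\d+):(\d+):(\d+)", text)  # RouterOS also prints hh:mm:ss
    if clock:
        h, m, s = map(int, clock.groups())
        total += h * 3600 + m * 60 + s
    return total


def fgt_proposals(phase):
    """'set proposal aes128-sha256 3des-sha1' + 'set dhgrp 14 5' -> {(enc, hash, dh), ...}."""
    pairs = [tuple(p.split("-", 1)) for p in phase["proposal"].split()]
    if phase.get("pfs", "enable") == "disable":  # phase2 only: no PFS means group 0
        groups = [0]
    else:
        groups = [int(g) for g in str(phase["dhgrp"]).split()]
    return {(norm_enc(e), h.lower(), g) for (e, h), g in product(pairs, groups)}


def mt_proposals(obj, keys):
    """MikroTik comma-separated lists -> {(enc, hash, dh), ...} in FortiGate numbering."""
    enc_key, hash_key, dh_key = keys
    encs = [norm_enc(e) for e in obj[enc_key].split(",")]
    hashes = [h.strip().lower() for h in obj[hash_key].split(",")]
    groups = [MT_DH_TO_FGT[g.strip().lower()] for g in obj[dh_key].split(",")]
    return set(product(encs, hashes, groups))


def compare_phase(fgt, fgt_life_key, mt, mt_keys):
    """Shared proposals plus a lifetime comparison for one phase."""
    shared = fgt_proposals(fgt) & mt_proposals(mt, mt_keys)
    fgt_life = int(fgt[fgt_life_key])
    mt_life = mt_lifetime_seconds(mt["lifetime"])
    return {"shared": sorted(shared), "lifetime_ok": fgt_life == mt_life,
            "lifetimes": (fgt_life, mt_life)}


def check_tunnel(fgt_p1, fgt_p2, mt_profile, mt_proposal):
    """Both phases must have a shared proposal and equal lifetimes for the tunnel to come up."""
    p1 = compare_phase(fgt_p1, "keylife", mt_profile, MT_PHASE1_KEYS)
    p2 = compare_phase(fgt_p2, "keylifeseconds", mt_proposal, MT_PHASE2_KEYS)
    return {"phase1": p1, "phase2": p2,
            "ok": all(r["shared"] and r["lifetime_ok"] for r in (p1, p2))}


# Constructed sample: phase1 overlaps on 3des-sha1/group 5, phase2 does not (and lifetimes differ).
FGT_PHASE1 = {"proposal": "aes128-sha256 3des-sha1", "dhgrp": "14 5", "keylife": 86400}
FGT_PHASE2 = {"proposal": "aes256-sha256", "dhgrp": "14", "keylifeseconds": 43200}
MT_PROFILE = {"enc-algorithm": "3des", "hash-algorithm": "sha1", "dh-group": "modp1536", "lifetime": "1d"}
MT_PROPOSAL = {"enc-algorithms": "3des", "auth-algorithms": "sha1", "pfs-group": "modp1536", "lifetime": "1d"}

if __name__ == "__main__":
    result = check_tunnel(FGT_PHASE1, FGT_PHASE2, MT_PROFILE, MT_PROPOSAL)
    for phase in ("phase1", "phase2"):
        print(phase, result[phase])
    print("tunnel should negotiate:", result["ok"])
```

The sample reproduces the NO-PROPOSAL-CHOSEN situation: phase1 agrees, phase2 shares nothing and its lifetimes differ (43200 s vs 1d), so the FortiGate rejects the quick-mode proposal. Changing the FortiGate phase2 to `proposal 3des-sha1`, `dhgrp 5`, `keylifeseconds 86400` makes both phases match; when doing that for real, prefer AES and a 2048-bit or larger group on both ends rather than carrying 3DES/group 5 forward.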

     

    sw2090
    SuperUser
    July 30, 2020

    The FGT says it has no policy for that VPN. So go and create one on your FGT :)