FortiGate
wcruvinel
Staff
Article Id 340691
Description: This article describes how to set up a site-to-site IPsec VPN between a FortiGate and a MikroTik router using IKEv2 with pre-shared key authentication.
Scope: All FortiGate versions and MikroTik RouterOS 7.6 and later.
Solution

Network diagram:

tp.jpg

FortiGate configuration:

Create the IPsec tunnel with its phase 1 and phase 2 settings.

  • Navigate to VPN -> IPsec Tunnels, select Create New, and set the Template Type to Custom.
  • Then follow the screenshots below. The settings that must agree with the MikroTik side are IKE Version 2 in phase 1, a phase 1 proposal and Diffie-Hellman group matching the RouterOS IPsec profile, the same pre-shared key, and AES256GCM as the phase 2 proposal to match the RouterOS IPsec proposal.

fgt4.jpg

 

fgt3.png


fgt2.png

fgt1.png

 

RouterOS configuration using Winbox:

  • All configuration is done in the IP -> IPsec section of Winbox.
  • First, create the IPsec Profile. This is where the IKE (phase 1) proposal is defined: encryption algorithm, hash algorithm and DH group, which must match the FortiGate phase 1 proposal and DH group.

001_ipsec_profile-1.png

 

  • In the next step, create a new IPsec Proposal for phase 2 (ESP) encryption.
  • No Auth. Algorithm is needed, because AES-256-GCM is used as the encryption algorithm: GCM is an AEAD cipher that provides integrity protection itself, so a separate hash is unnecessary. On the FortiGate the phase 2 proposal must be the matching AES256GCM entry.

002_ipsec_proposal-1.png

 

  • For the peer configuration, set the name, the FortiGate's public IP address, the IPsec profile created above, and Exchange Mode to IKE2.

 

003_ipsec_peer.png

 

  • To authenticate with a pre-shared key, add a new IPsec Identity bound to the peer, with Auth. Method set to pre shared key and the same secret that was entered on the FortiGate.

004_ipsec_identity.png

 

  • Next, add an IPsec Policy that defines which networks will communicate with each other through the VPN tunnel: the MikroTik LAN as source address and the FortiGate LAN as destination address, with Tunnel enabled. These selectors must mirror the FortiGate phase 2 source and destination subnets, otherwise IKEv2 traffic selector negotiation fails.

 

005_ipsec_policies_1-1.png

 

  • In the final step, on the policy's Action tab, select the IPsec Proposal named FortiGate so that phase 2 / ESP uses the AES-256-GCM settings defined earlier.

 

005_ipsec_policies_2.png
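The FortiGate and RouterOS steps above configure two halves of one negotiation, and most failed tunnels are a mismatch between them (cipher, DH group, selectors, or a hash left set on a GCM proposal). The script below is an added example, not code from the article or from Fortinet or MikroTik: it renders both sides' CLI configuration from a single spec so they agree by construction, translating FortiOS names (aes256gcm, dhgrp 14, "network mask" subnets) into RouterOS names (aes-256-gcm, modp2048, CIDR) and emitting auth-algorithms=null for an AEAD cipher. The article only fixes IKEv2, a pre-shared key, AES-256-GCM for phase 2 and 192.168.100.0/24 behind the FortiGate; the public IPs, interface name, MikroTik subnet, PSK and the phase 1 proposal (AES-256/SHA-256/DH group 14) are assumptions, and so is the RouterOS "null" auth value used to represent "no Auth. Algorithms".

```python
"""Added example (not the article's own code): render FortiGate (FortiOS CLI) and
MikroTik (RouterOS CLI) IPsec configuration from one tunnel spec, so both ends
propose the same IKE/ESP algorithms, DH group and traffic selectors."""
import ipaddress
from dataclasses import dataclass

# FortiOS and RouterOS spell the same algorithms differently; only listed pairs are emitted.
IKE_ENC = {"aes256": "aes-256", "aes128": "aes-128"}   # FortiOS name -> RouterOS name
IKE_HASH = {"sha256": "sha256", "sha512": "sha512"}
DH_GROUP = {14: "modp2048", 15: "modp3072", 16: "modp4096", 19: "ecp256", 20: "ecp384"}
# ESP cipher -> (RouterOS name, is_aead). AEAD ciphers carry their own integrity tag, so
# RouterOS gets auth-algorithms=null ("null" as the export value is an assumption here).
ESP_ENC = {"aes256gcm": ("aes-256-gcm", True), "aes256": ("aes-256-cbc", False)}
ESP_AUTH = {"sha256": "sha256", "sha512": "sha512"}


@dataclass(frozen=True)
class TunnelSpec:
    fgt_tunnel: str      # phase1/phase2 name on the FortiGate
    mt_object: str       # profile/proposal/peer name on RouterOS (the article uses "FortiGate")
    fgt_wan_if: str      # FortiGate egress interface
    fgt_public_ip: str   # RouterOS peers to this address
    mt_public_ip: str    # FortiGate peers to this address
    fgt_subnet: str      # CIDR behind the FortiGate
    mt_subnet: str       # CIDR behind the MikroTik
    psk: str
    ike_enc: str = "aes256"
    ike_hash: str = "sha256"
    dh: int = 14
    esp_enc: str = "aes256gcm"
    esp_auth: str = "sha256"  # ignored when esp_enc is an AEAD cipher


def _lookup(table, key, what):
    if key not in table:  # refuse up front rather than surface later as an IKE failure
        raise ValueError(f"unsupported {what}: {key!r}")
    return table[key]


def fortios_subnet(cidr: str) -> str:
    net = ipaddress.ip_network(cidr, strict=True)  # rejects a host address like 192.168.100.1/24
    return f"{net.network_address} {net.netmask}"  # FortiOS wants "network mask", not CIDR


def render_fortigate(s: TunnelSpec) -> str:
    _, aead = _lookup(ESP_ENC, s.esp_enc, "ESP cipher")
    esp = s.esp_enc if aead else f"{s.esp_enc}-{_lookup(ESP_AUTH, s.esp_auth, 'ESP auth')}"
    return f"""config vpn ipsec phase1-interface
    edit "{s.fgt_tunnel}"
        set interface "{s.fgt_wan_if}"
        set ike-version 2
        set proposal {s.ike_enc}-{s.ike_hash}
        set dhgrp {s.dh}
        set remote-gw {s.mt_public_ip}
        set psksecret "{s.psk}"
    next
end
config vpn ipsec phase2-interface
    edit "{s.fgt_tunnel}"
        set phase1name "{s.fgt_tunnel}"
        set proposal {esp}
        set pfs enable
        set dhgrp {s.dh}
        set src-subnet {fortios_subnet(s.fgt_subnet)}
        set dst-subnet {fortios_subnet(s.mt_subnet)}
    next
end"""


def render_routeros(s: TunnelSpec) -> str:
    n = s.mt_object
    dh = _lookup(DH_GROUP, s.dh, "DH group")
    ike = (f"enc-algorithm={_lookup(IKE_ENC, s.ike_enc, 'IKE cipher')} "
           f"hash-algorithm={_lookup(IKE_HASH, s.ike_hash, 'IKE hash')} dh-group={dh}")
    enc, aead = _lookup(ESP_ENC, s.esp_enc, "ESP cipher")
    auth = "null" if aead else _lookup(ESP_AUTH, s.esp_auth, "ESP auth")
    src = ipaddress.ip_network(s.mt_subnet, strict=True)   # selectors mirror the FortiGate
    dst = ipaddress.ip_network(s.fgt_subnet, strict=True)  # phase 2: MikroTik LAN -> FortiGate LAN
    return f"""/ip ipsec profile
add name={n} {ike}
/ip ipsec proposal
add name={n} enc-algorithms={enc} auth-algorithms={auth} pfs-group={dh}
/ip ipsec peer
add name={n} address={s.fgt_public_ip}/32 exchange-mode=ike2 profile={n}
/ip ipsec identity
add peer={n} auth-method=pre-shared-key secret="{s.psk}"
/ip ipsec policy
add peer={n} tunnel=yes src-address={src} dst-address={dst} proposal={n}"""


def is_supported(s: TunnelSpec) -> bool:
    """Preflight check: True only if both sides render from the same spec."""
    try:
        render_fortigate(s)
        render_routeros(s)
        return True
    except ValueError:
        return False


# Placeholder values; the article gives only 192.168.100.0/24 (FortiGate LAN 192.168.100.1).
SPEC = TunnelSpec(fgt_tunnel="MikroTik", mt_object="FortiGate", fgt_wan_if="wan1",
                  fgt_public_ip="203.0.113.10", mt_public_ip="198.51.100.20",
                  fgt_subnet="192.168.100.0/24", mt_subnet="192.168.200.0/24",
                  psk="replace-with-a-long-random-secret")
```

Printing render_fortigate(SPEC) and render_routeros(SPEC) gives the two fragments to paste into each CLI. They cover only phase 1 and phase 2; the FortiGate still needs firewall policies between the tunnel interface and the LAN and a static route for the MikroTik subnet through the tunnel interface, and the RouterOS policy still needs the usual NAT bypass if masquerading is in use. Note that the RouterOS policy's source and destination are the FortiGate phase 2 destination and source, respectively: the selectors are mirrored, not copied.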

 

Monitoring the status of the IPsec tunnel on FortiGate and MikroTik:

FortiGate:

monitoring.png

The same information is available from the FortiGate CLI: diagnose vpn ike gateway list shows the IKE (phase 1) SA, and diagnose vpn tunnel list shows the phase 2 SAs and their selectors.

MikroTik:

monitoring-2.png

On RouterOS, IP -> IPsec -> Active Peers (or /ip ipsec active-peers print from the terminal) shows the established IKE SA, and Installed SAs (/ip ipsec installed-sa print) shows the ESP SAs.

 

Test connectivity to the remote end.

The IPsec site-to-site VPN is confirmed to be up; however, traffic must be sent through it to verify that it is actually working, because an established SA proves only that negotiation succeeded, not that routing and firewall policies on both sides are correct.

To test connectivity from the MikroTik LAN side:

  1. Navigate to MikroTik → Tools → Ping
  2. Configure the following parameters:
    • Ping to: 192.168.100.1 (FortiGate LAN IP)
    • Interface: bridge1 (the LAN bridge, so that the ping is sourced from the MikroTik LAN address and matches the IPsec policy; a ping sourced from the WAN address falls outside the policy selectors and is not sent through the tunnel)
    • Packet count: 5
  3. Select Start.

 

ping.png

If it is configured correctly, an ICMP response is received. Otherwise, the ping times out; with the tunnel already up, the usual causes are a missing FortiGate firewall policy between the tunnel interface and the LAN, a missing static route on the FortiGate for the MikroTik subnet via the tunnel interface, or traffic selectors that do not mirror each other on the two sides.

In this case, an ICMP response is received, indicating that the tunnel is up and operational.