| Solution |
Network diagram:
Configuration FortiGate:
Create IPsec phases and tunnels.
- Navigate to VPN -> IPsec Tunnels, select Create New, and set the Template Type to Custom.
- Then, follow the detailed reference guide below.
RouterOS Configuration using Winbox:
- All configuration is done in the IP -> IPsec section using Winbox.
- First, create the IPsec Profile, where the IKE proposal is defined.
- In the next step, create a new IPsec Proposal for phase 2 encryption.
- No Auth. Algorithms are needed since used AES-256-GCM as the encryption algorithm, which already includes the authentication.
- For the peer configuration, set the name, IP address, IPsec profile, and Exchange Mode to IKEv2.
- To set the authentication method using a pre-shared key, add a new IPsec Identity.
- Next, define which networks will communicate with each other through the VPN tunnel.
- In the final step, select the IPsec Proposal named FortiGate to apply the correct encryption for phase 2 / ESP.
Monitoring the status of the IPsec Tunnel on FortiGate and Mikrotik:
FortiGate:
Mikrotik:
Test the remote end connectivity.
The IPsec site-to-site VPN is confirmed to be up; however, traffic must be initiated to verify whether it is functioning correctly.
To test connectivity from the MikroTik LAN side:
- Navigate to MikroTik → Tools → Ping
- Configure the following parameters:
- Ping to: 192.168.100.1 (FortiGate LAN IP)
- Interface: bridge1
- Packet count: 5
- Select Start.
If it is configured correctly, an ICMP response will be received. Otherwise, a timeout will occur.
In this case, an ICMP response is received, indicating that the tunnel is up and operational.
|
