In this topic I will show how it is possible to communicate between fortigate and mikrotik using IPSec. For this occasion, only Mikrotik has a public IP.
Step1;
VPN>IPSec Wizard> choose the custom tunnel.
Give him a name
select your network interface, put the IP address of your mikrotik in the IP ADDRESSES field
Following this configuration
Generate a strong password
Because I'm using a fortgate trial license, I don't have many options for encryption and authentication, so I adapted mikrotik to the reality of my fortigate on this occasion.
But it is recommended that you always use more complex algorithms.
phase1,
for phase 2, I increased the strength of the authentication algorithm a little.
It is extremely important that you keep in mind the networks of Site A and Site B that you want to communicate, in this case my local network (Fortigate) that I will share with my mikrotik is 192.168.72.0/24, and the network from my mikrotik that I want to reach on my fortigate is 192.168.254.0/24
The "lifetime" i will go giver the default time.
Now, with your tunnel create, you need now create route rule, and access rule.
Step 2;
Create static route to remote network.
Step 3;
Enable in system>feature visibility> Multiple Interface Policies, this will go allow that you can put more than two interfaces in a unique access rule.
Now, you can go to the Policy&objects>Firewall Policy create;
If you don't want to allow all traffic, you don't need to follow the previous step. Create the rule in the direction you will need access, and if desired, filter the protocols that will be trafficked.
OBS: Disable NAT on this policie.
Once this part is complete, you can go to mikrotik and start configuring your Site to site VPN policy.
In mikrotik the configuration structure is segmented into some sessions, so it is important to be aware of what needs to be configured
Step 4;
To start, I will create our security profile in ip>ipsec>profile
Now it will be necessary to create the peer in ip>ipsec>peer
As our fortigate does not have a public IP, we will not add an IP address
To finish phase 1, we will go to the "identity", and place the secret key that was defined back there in our fortigate.
It is important to keep in mind that Mikrotik and Fortigate are different devices that use slightly different parameters when talking about network sharing through a site-to-site ipsec tunnel.
Mikrotik, through the policy, receives the network addressing information and protocol that will be used, if you do not select the generate policy option, with the port override option, mikrotik will only establish the session in phase 2 when it receives this information from fortigate , and there is a big problem, fortigate will not send this information.
If you don't check this option, you will see exactly this error on your mikrotik
Now, let's continue with phase 2 ip>ipsec>proposal
To finalize your ipsec policy, you must enter the subnet you want to access, and from where you want to access these subnets.
On action, choose your proposal that you create before
Finally, it is very important that you remember that Mikrotik should not route this traffic, so it is very important that you create a bypass rule in your nat to prevent this from happening.
ip>firewall>nat>add
Step 5;
Your action needs to be "accept", put this rule over your nat rule;
and now, it's finish, you can try ping for your mikrotik through your fortigate;
and you can do the same in reverse
1 Solution
