In this topic I will show how it is possible to communicate between a FortiGate and a MikroTik using IPsec. For this occasion, only the MikroTik has a public IP.
VPN > IPsec Wizard > choose the custom tunnel.
Give it a name.
Select your network interface and put the IP address of your MikroTik in the IP ADDRESSES field.
Follow this configuration.
Generate a strong password.
Because I'm using a FortiGate trial license, I don't have many options for encryption and authentication, so on this occasion I adapted the MikroTik to the reality of my FortiGate.
But it is recommended that you always use more complex algorithms.
Phase 1:
For Phase 2, I increased the strength of the authentication algorithm a little.
It is extremely important that you keep in mind the networks of Site A and Site B that you want to communicate; in this case, my local network (FortiGate) that I will share with my MikroTik is 192.168.72.0/24, and the network from my MikroTik that I want to reach from my FortiGate is 192.168.254.0/24.
For the "lifetime" I will keep the default time.
Now, with your tunnel created, you need to create a route and an access rule.
Create a static route to the remote network.
Enable System > Feature Visibility > Multiple Interface Policies; this will allow you to put more than two interfaces in a single access rule.
Now you can go to Policy & Objects > Firewall Policy and create the policy.
If you don't want to allow all traffic, you don't need to follow the previous step. Create the rule in the direction in which you will need access and, if desired, filter the protocols that will be trafficked.
OBS: Disable NAT on this policy.
Once this part is complete, you can go to the MikroTik and start configuring your site-to-site VPN policy.
In MikroTik the configuration structure is segmented into several sections, so it is important to be aware of what needs to be configured.
To start, I will create our security profile in IP > IPsec > Profile.
Now it will be necessary to create the peer in IP > IPsec > Peer.
As our FortiGate does not have a public IP, we will not add an IP address.
To finish Phase 1, we will go to "Identity" and enter the secret key that was defined earlier on our FortiGate.
It is important to keep in mind that MikroTik and FortiGate are different devices that use slightly different parameters when talking about network sharing through a site-to-site IPsec tunnel.
MikroTik, through the policy, receives the network addressing and protocol information that will be used. If you do not select the "generate policy" option with "port override", MikroTik will only establish the Phase 2 session when it receives this information from the FortiGate, and there is a big problem: the FortiGate will not send this information.
If you don't check this option, you will see exactly this error on your MikroTik:
Now, let's continue with Phase 2 in IP > IPsec > Proposal.
To finalize your IPsec policy, you must enter the subnet you want to access and from where you want to access these subnets.
On Action, choose the proposal that you created before.
Finally, it is very important that you remember that MikroTik should not route this traffic, so it is very important that you create a bypass rule in your NAT to prevent this from happening.
IP > Firewall > NAT > Add
Your action needs to be "accept"; put this rule above your NAT rule.
And now it's finished; you can try to ping your MikroTik from your FortiGate,
and you can do the same in reverse.
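As an added example that is not part of the original post, the MikroTik side of the steps above written as RouterOS CLI commands (each GUI path maps onto one command). The object names, IKEv2, the AES-256/SHA-256/modp2048 choices and the PSK placeholder are assumptions; the two subnets are the ones from the post, and it is assumed a masquerade rule already exists in srcnat so that place-before=0 has something to go above.

```routeros
# Added example: RouterOS CLI for the MikroTik side of the tunnel described above.
# Assumptions (not from the post): object names, IKEv2, AES-256/SHA-256/modp2048,
# and the placeholder PSK. Subnets are the post's: 192.168.254.0/24 behind the
# MikroTik, 192.168.72.0/24 behind the FortiGate.

# Phase 1 profile (IP > IPsec > Profile)
/ip ipsec profile add name=fgt-profile enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=1d

# Peer (IP > IPsec > Peer): the FortiGate has no public IP, so no address is set
# and the MikroTik must act as responder (passive=yes)
/ip ipsec peer add name=fgt-peer passive=yes exchange-mode=ike2 profile=fgt-profile

# Identity (IP > IPsec > Identity): the PSK from the FortiGate wizard plus the
# generate-policy=port-override option the post calls out; without it the
# MikroTik waits for selectors the FortiGate never sends and Phase 2 never comes up
/ip ipsec identity add peer=fgt-peer auth-method=pre-shared-key \
    secret="REPLACE_WITH_THE_PSK_FROM_THE_FORTIGATE" generate-policy=port-override \
    policy-template-group=default

# Phase 2 proposal (IP > IPsec > Proposal)
/ip ipsec proposal add name=fgt-proposal auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h

# Policy (IP > IPsec > Policy): which local subnet reaches which remote subnet;
# one such policy per additional subnet pair, as the thread notes
/ip ipsec policy add peer=fgt-peer tunnel=yes action=encrypt proposal=fgt-proposal \
    src-address=192.168.254.0/24 dst-address=192.168.72.0/24

# NAT bypass (IP > Firewall > NAT): accept tunnel traffic before the masquerade
# rule, otherwise the source gets rewritten and no longer matches the IPsec
# policy. place-before=0 puts the rule at the top of the srcnat chain.
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.254.0/24 dst-address=192.168.72.0/24 comment="IPsec bypass"

# Checks: the peer shows up as an active peer and the policy's PH2 state is
# "established" once the FortiGate has brought the tunnel up
/ip ipsec active-peers print
/ip ipsec policy print
```

The FortiGate phase 2 selectors must mirror the policy's src/dst pair (192.168.72.0/24 to 192.168.254.0/24), and NAT stays disabled on the FortiGate policy as the post says; a mismatch in either place shows up as the Phase 2 error the post describes rather than as a Phase 1 failure.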
Thanks for sharing.
Thanks for sharing, especially the MikroTik stuff. Rarely met in the wild, but now we have a recipe.
One caveat, though:
you enabled "multi-interface policies". This generally has more disadvantages than are visible at first glance. Besides, it's not necessary here.
First, enabling multiple interfaces in a policy comes at a cost: you lose the interface-pair view of the policy table. This might not be dramatic with 20 policies, but as the table grows it becomes cumbersome. It puts the burden of finding the exact location when inserting or finding a specific policy onto the admin. Wrong placement, different effect.
Second, if you enable multiple interfaces you also enable the "all" interface, which is downright dangerous. Just think of dynamically created interfaces from VPN; they are included in "all" as well. Do you think of these policies when creating a VPN?
So, in your case, you only use this feature to avoid creating 2 instead of 1 policy, mixing up inbound and outbound streams on top. Be assured that processing hundreds of policies will happen with the same latency as processing only one on a FGT. There really is no need to obfuscate things here.
One last hint: if you use _routable_ address objects for the local and the remote networks (or address groups if multiple), you could use them in
- phase2 selectors
- policies
- static routes
This way, there is only one central spot where you maintain the addresses, less chances of mistyping and it's very easy to add more protected networks later. The mikrotik side doesn't have to know about that. It would be interesting to know if you have to create one phase2 for each subnet or if you could use an address group in one phase2 here. Cisco devices need the "one phase2 per subnet" setup.
So ede, thank you very much for your contribution. About multiple interfaces per policy, I agree with you, but in this case I'm using an evaluation license, and this makes things a little more difficult when it comes to creating several policies lol. So in this case the most interesting thing was to put a single policy with the interfaces that I need for communication. About the routes, it's actually a good point, but as the idea was to make it as didactic as possible, I ended up not using routable address objects, but here's the tip. We even have a good topic about this here in the community:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Static-routes-with-address-objects-or-grou...
Regarding your last point, for each additional subnet in MikroTik you will need to create a new IPsec policy specifying the source and destination networks again with the same proposal.