Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pscpe
New Contributor

Fortigate with Mikrotik Site to site - Fortigate without public ip

In this topic I will show how it is possible to communicate between fortigate and mikrotik using IPSec. For this occasion, only Mikrotik has a public IP.

 

Step1;

VPN>IPSec Wizard> choose the custom tunnel. 

Give him a name

 

image.png

select your network interface, put the IP address of your mikrotik in the IP ADDRESSES field

 

image.png

Following this configuration

 

image.png

Generate a strong password

 

image.png

 

Because I'm using a fortgate trial license, I don't have many options for encryption and authentication, so I adapted mikrotik to the reality of my fortigate on this occasion.
But it is recommended that you always use more complex algorithms. 

 

phase1, 

 

image.png

 

for phase 2, I increased the strength of the authentication algorithm a little. 

It is extremely important that you keep in mind the networks of Site A and Site B that you want to communicate, in this case my local network (Fortigate) that I will share with my mikrotik is 192.168.72.0/24, and the network from my mikrotik that I want to reach on my fortigate is 192.168.254.0/24

 

image.png

 

The "lifetime" i will go giver the default time.

 

Now, with your tunnel create, you need now create route rule, and access rule.

 

image.png

 

Step 2; 

Create static route to remote network. 

 

image.png

 

Step 3; 

Enable in system>feature visibility> Multiple Interface Policies, this will go allow that you can put more than two interfaces in a unique access rule.

 

 image.png

 

Now, you can go to the Policy&objects>Firewall Policy create; 

If you don't want to allow all traffic, you don't need to follow the previous step. Create the rule in the direction you will need access, and if desired, filter the protocols that will be trafficked.

OBS: Disable NAT on this policie.

 

 image.png

 

 Once this part is complete, you can go to mikrotik and start configuring your Site to site VPN policy.

 

In mikrotik the configuration structure is segmented into some sessions, so it is important to be aware of what needs to be configured

 

Step 4;

To start, I will create our security profile in ip>ipsec>profile

 

image.png

 

Now it will be necessary to create the peer in ip>ipsec>peer

 

As our fortigate does not have a public IP, we will not add an IP address

 

image.png

 

To finish phase 1, we will go to the "identity", and place the secret key that was defined back there in our fortigate.

It is important to keep in mind that Mikrotik and Fortigate are different devices that use slightly different parameters when talking about network sharing through a site-to-site ipsec tunnel.
Mikrotik, through the policy, receives the network addressing information and protocol that will be used, if you do not select the generate policy option, with the port override option, mikrotik will only establish the session in phase 2 when it receives this information from fortigate , and there is a big problem, fortigate will not send this information.


image.png

 

If you don't check this option, you will see exactly this error on your mikrotik

 

image.png

 

Now, let's continue with phase 2 ip>ipsec>proposal

 

image.png

 

To finalize your ipsec policy, you must enter the subnet you want to access, and from where you want to access these subnets.

 

image.png

On action, choose your proposal that you create before

 

 image.png

 

Finally, it is very important that you remember that Mikrotik should not route this traffic, so it is very important that you create a bypass rule in your nat to prevent this from happening.

ip>firewall>nat>add 

 

image.png

Step 5;

Your action needs to be "accept", put this rule over your nat rule; 

 

image.png

 

and now, it's finish, you can try ping for your mikrotik through your fortigate;

 

image.png 

 

and you can do the same in reverse

 

image.png

 

1 Solution
pscpe
New Contributor

So ede, thank you very much for your contribution, about multiple interface by policie, I agree with you, but in this case i'm using a evaluation license, this makes things a little more difficult when it comes to creating several policies lol. So in this case the most interesting thing was to put a single policy with the interfaces that I need for communication. About the routes, it's actually a good point, but as the idea was to make it as didactic as possible, I ended up not using routable address objects, but here's the tip. We even have a good topic about this here in the community; 
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Static-routes-with-address-objects-or-grou...
Regarding your last point, for each additional subnet in mikrotik, you will need to create a new IPSec police specifying the source and destination networks again with a same proposal.

View solution in original post

3 REPLIES 3
hbac
Staff
Staff

Thanks for sharing.

ede_pfau
SuperUser
SuperUser

Thanks sharing, especially the Mikrotik stuff. Rarely met in the wild but now we have a recipe.

 

One caveat, though:

you enabled "multi-interface policies". This generally has more disadvantages than are visible at first glance. Besides, it's not necessary here.

 

First, enabling multiple interfaces in a policy comes at a cost, you lose the interface-pair view of the policy table. This might not be dramatic with 20 policies, but as the table grows it becomes cumbersome. It puts the burden of finding the exact location when inserting or finding a specific policy unto the admin. Wrong placement, different effect.

 

Second, if you enable multiple interfaces you as well enable the "all" interface. Which is downright dangerous. Just think of dynamically created interfaces from VPN, they are included in "all" as well. Do you think of these policies when creating a VPN?

 

So, in your case, you only use this feature to avoid creating 2 instead of 1 policy, mixing up inbound and outbound streams on top. Be assured that processing hundreds of policies will happen with the same latency as processing only one, on a FGT. There really is no need to confuscate things here.

 

One last hint: if you use _routeable_ address objects for the local and the remote networks (or address groups if multiple), you could use them in

- phase2 selectors

- policies

- static routes

 

This way, there is only one central spot where you maintain the addresses, less chances of mistyping and it's very easy to add more protected networks later. The mikrotik side doesn't have to know about that. It would be interesting to know if you have to create one phase2 for each subnet or if you could use an address group in one phase2 here. Cisco devices need the "one phase2 per subnet" setup.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
pscpe
New Contributor

So ede, thank you very much for your contribution, about multiple interface by policie, I agree with you, but in this case i'm using a evaluation license, this makes things a little more difficult when it comes to creating several policies lol. So in this case the most interesting thing was to put a single policy with the interfaces that I need for communication. About the routes, it's actually a good point, but as the idea was to make it as didactic as possible, I ended up not using routable address objects, but here's the tip. We even have a good topic about this here in the community; 
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Static-routes-with-address-objects-or-grou...
Regarding your last point, for each additional subnet in mikrotik, you will need to create a new IPSec police specifying the source and destination networks again with a same proposal.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors