Hello,
I have fortigate installed in Azure and Mikrotik on our On-prem datacenter. I would like to configure IPSec over GRE VPN between them. Phase 1 is establishing without problem, but Phase 2 doesn't go up.
I use this article:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/799752/gre-over-ipsec
Here is Azure fortigate configuration:
config vpn ipsec phase1-interface
edit "gre-tunnel1"
set interface "port1"
set peertype any
set net-device disable
set proposal aes256-sha512
set dhgrp 14
set remote-gw 178.54.*.*
set psksecret ******
config vpn ipsec phase2-interface
edit "gre-tunnel1"
set phase1name "gre-tunnel1"
set proposal aes256-sha512
set dhgrp 14
set protocol 47
set keylifeseconds 28800
edit "gre-tunnel1"
set vdom "root"
set ip 10.225.252.1 255.255.255.255
set type tunnel
set remote-ip 10.225.252.2 255.255.255.252
set snmp-index 7
set interface "port1"
config system gre-tunnel
edit "gre-to-rem"
set interface "gre-tunnel1"
set remote-gw 10.225.252.2
set local-gw 10.225.252.1
edit 3
set uuid 935c31dc-1ee9-51ee-bfbd-5952d3420438
set srcintf "gre-tunnel1"
set dstintf "gre-tunnel1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
edit 4
set name "Permit-from-Azure"
set uuid 0ed3dc98-1eea-51ee-3e91-26273c7326e3
set srcintf "port2"
set dstintf "gre-to-rem"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
edit 5
set name "Permit-to-Azure"
set uuid 20ee78de-1eea-51ee-7e88-e77467246117
set srcintf "gre-to-rem"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
Here is mikrotik side:
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=8h name=azure-test-profile
/ip ipsec peer
add address=20.8.*.*/32 local-address=178.54.*.* name=azure-test-peer profile=azure-test-profile
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=8h name=azure-test-proporsal pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-strict peer=azure-test-peer secret=kN#n2biOQi7P93xC6MmPaO%P4O
/ip ipsec policy
add dst-address=20.8.*.*/32 peer=azure-test-peer proposal=azure-test-proporsal protocol=gre src-address=178.54.*.*/32
/interface gre
name="azure-test" mtu=auto actual-mtu=1476 local-address=178.54.*.* remote-address=20.8.*.* dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=no
/ip address
10.225.252.2/30 10.225.252.0 azure-test
Do I need to add anything or change?
Solved! Go to Solution.
I did like showed in this article and VPN works now:
Hi,
Could you enable the below settings.
config system settings set allow-subnet-overlap enable next end
Otherwise your FGT configuration looks fine here, but please provide the VPN logs if possible to check further. Also I would request you to validate the Mikrotik configuration as well and make sure they are aligned.
Regards
config system gre-tunnel
edit "gre-to-rem"
set interface "gre-tunnel1"
set remote-gw 10.225.252.2
set local-gw 10.225.252.1
I changed remote and local address from Local IP address to the Global IP and Tunnel went up.
I Mean config system gre-tunnel
edit "gre-to-rem"
set interface "gre-tunnel1"
set remote-gw 178.54.*.*
set local-gw 20.8.*.*
Now tunnel is up, I see counter of Incoming data is increasing, but outgoing data is 0.
No sure why, Route is added, policy also granted.
Hi,
Could you please send me your Final configuration (including the routing configuration) and if possible, please send the traffic debug logs.
Meanwhile you could make below change and test ( Note: Make sure you backup your existing configuration before making the changes)
config system settings
set allow-subnet-overlap enable
next
end
config system interface
delete ""gre-tunnel1"
edit "gre-to-rem"
set type tunnel
set ip 10.225.252.1 255.255.255.255
set remote-ip 10.225.252.2 255.255.255.252
set interface "gre-tunnel1"
next
end
Also make sure your route configuration on Fortigate is correctly configured to forward the traffic to right interface. Final Destination route should point to GRE interface.
Regards,
Created on 07-11-2023 07:00 AM Edited on 07-11-2023 07:01 AM
forti-FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.225.255.1, port1, [1/0]
S 10.225.0.0/16 [10/0] via 10.225.254.1, port2, [1/0]
S 10.225.252.0/30 [5/0] via gre-tunnel1 tunnel 178.54.*.*, [1/0]
C 10.225.252.1/32 is directly connected, gre-tunnel1
C 10.225.254.0/24 is directly connected, port2
C 10.225.255.0/24 is directly connected, port1
S 172.16.48.0/24 [10/0] via gre-tunnel1 tunnel 178.54.*.*, [1/0]
There is route table of Fortigate
Hi,
This is not an official link from Fortinet, buy you may refer to this link if you haven't before.
https://www.linkedin.com/pulse/configuring-ipsec-gre-tunnel-between-fortios-645-routeros-denys/
I could see your settings are not matching to what is there in this document specially your interface configuration and the routing on Fortigate.
Regards,
Can you confirm this status is from which side (Fortigate or Mikrotik)? Can you take a capture of the esp packets and compare the SPI value with the SPI value you see under "diagnose vpn tunnel list"
Hello,
Mikortiks are notorious with their handling of IPsec.
If you don't see any outgoing traffic, make sure to clear all the connections that will appear on IP-> Firewall-> Connections, that have destination & source of the Public IP of Fortigate.
Then kill the connection from IP->IPsec->Active Peers and see if that fixes your problem.
Regards
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.