Hello,
I have fortigate installed in Azure and Mikrotik on our On-prem datacenter. I would like to configure IPSec over GRE VPN between them. Phase 1 is establishing without problem, but Phase 2 doesn't go up.
I use this article:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/799752/gre-over-ipsec
Here is Azure fortigate configuration:
config vpn ipsec phase1-interface
edit "gre-tunnel1"
set interface "port1"
set peertype any
set net-device disable
set proposal aes256-sha512
set dhgrp 14
set remote-gw 178.54.*.*
set psksecret ******
config vpn ipsec phase2-interface
edit "gre-tunnel1"
set phase1name "gre-tunnel1"
set proposal aes256-sha512
set dhgrp 14
set protocol 47
set keylifeseconds 28800
edit "gre-tunnel1"
set vdom "root"
set ip 10.225.252.1 255.255.255.255
set type tunnel
set remote-ip 10.225.252.2 255.255.255.252
set snmp-index 7
set interface "port1"
config system gre-tunnel
edit "gre-to-rem"
set interface "gre-tunnel1"
set remote-gw 10.225.252.2
set local-gw 10.225.252.1
edit 3
set uuid 935c31dc-1ee9-51ee-bfbd-5952d3420438
set srcintf "gre-tunnel1"
set dstintf "gre-tunnel1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
edit 4
set name "Permit-from-Azure"
set uuid 0ed3dc98-1eea-51ee-3e91-26273c7326e3
set srcintf "port2"
set dstintf "gre-to-rem"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
edit 5
set name "Permit-to-Azure"
set uuid 20ee78de-1eea-51ee-7e88-e77467246117
set srcintf "gre-to-rem"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
Here is mikrotik side:
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=8h name=azure-test-profile
/ip ipsec peer
add address=20.8.*.*/32 local-address=178.54.*.* name=azure-test-peer profile=azure-test-profile
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=8h name=azure-test-proporsal pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-strict peer=azure-test-peer secret=kN#n2biOQi7P93xC6MmPaO%P4O
/ip ipsec policy
add dst-address=20.8.*.*/32 peer=azure-test-peer proposal=azure-test-proporsal protocol=gre src-address=178.54.*.*/32
/interface gre
name="azure-test" mtu=auto actual-mtu=1476 local-address=178.54.*.* remote-address=20.8.*.* dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=no
/ip address
10.225.252.2/30 10.225.252.0 azure-test
Do I need to add anything or change?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I did like showed in this article and VPN works now:
Hello, I can't even Ping IP address of tunnels. Not sure why...
On fortigate side I must to set IP address with 32 mask, but how I should set to mikrotik side?
I mean this one:
set type tunnel
set ip 10.225.252.1 255.255.255.255
set remote-ip 10.225.252.2 255.255.255.252
Created on 07-11-2023 05:00 AM Edited on 07-11-2023 05:02 AM
Hi,
Have configured NAT from Mikrotik side??? Also I can imagine that from Fortigate side there are policies that allows traffic from IPsec tunnel through the desired networks.
EDIT: Sorry just saw on the original post that there are indeed policies that allows traffic.
I tried to do NoNAT Policy on mikrotikm but the same
The NAT policy is mandatory. Sorry if I misguided you with this information above.
Have you tried the steps that I mentioned on my above post, to clear the connections from mikrotik???
I had many cases with IPsec tunnels established and no packets go through it and always been solved with the clearance of mikrotik's connections
Created on 07-11-2023 06:54 AM Edited on 07-11-2023 06:58 AM
I tried to kill sessions, but the same...
What kind of NAT rule do I need to add on Mikrotik?
chain=srcnat action=accept src-address=172.16.48.0/24 dst-address=10.225.2.0/24
I tried to do reconfiguration as showed in this article:
Now Tunnel is up, also I see Inbound\outbound traffic counters are increasing, but there are no any network access between this 2 devices....
I don't know what I can do now...
Hi,
When you say there is no network access between devices (your tunnel is up), it is bit confusing. Could you please clarify between which device you are having network access problem ? Please provide the logs for better understanding and analysis.
Regards,
Hello,
If you're experiencing IPSec VPN connectivity issues between a FortiGate firewall and a MikroTik router, you can follow below steps for initial troubleshooting
Check the VPN configuration on both the FortiGate and the MikroTik devices. Check that the authentication mechanisms, encryption algorithms, and pre-shared keys (PSKs) are the same on both ends.
Check that the firewall policies on both devices allow the IPSec VPN traffic. Check that the policies allow traffic from the VPN tunnel's source and destination IP addresses and ports.
ensure there are no connectivity issues between fortigate and microtik device.
Enable NAT traversal (NAT-T) on both ends if the FortiGate or MikroTik device is behind a NAT (Network Address Translation) device. NAT-T encapsulates VPN traffic within UDP packets, allowing it to transit over NAT devices.
Check the settings for the Phase 1 and Phase 2 proposals on both devices. Check that the encryption, authentication, and hashing algorithms on both ends are compatible and configured correctly.
To gather relevant VPN logs, enable debug logging on both the FortiGate and MikroTik devices. Examine the logs for any error messages or signs of connectivity or negotiation difficulties. This information can assist in determining the root cause of the problem.
You can refer below document as well for the deugging
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
BR
I did like showed in this article and VPN works now:
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1731 | |
1098 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.