- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSec Between Fortigate and Mikrotik
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec Between Fortigate and Mikrotik
Hello,
I have fortigate installed in Azure and Mikrotik on our On-prem datacenter. I would like to configure IPSec over GRE VPN between them. Phase 1 is establishing without problem, but Phase 2 doesn't go up.
I use this article:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/799752/gre-over-ipsec
Here is Azure fortigate configuration:
config vpn ipsec phase1-interface
edit "gre-tunnel1"
set interface "port1"
set peertype any
set net-device disable
set proposal aes256-sha512
set dhgrp 14
set remote-gw 178.54.*.*
set psksecret ******
config vpn ipsec phase2-interface
edit "gre-tunnel1"
set phase1name "gre-tunnel1"
set proposal aes256-sha512
set dhgrp 14
set protocol 47
set keylifeseconds 28800
edit "gre-tunnel1"
set vdom "root"
set ip 10.225.252.1 255.255.255.255
set type tunnel
set remote-ip 10.225.252.2 255.255.255.252
set snmp-index 7
set interface "port1"
config system gre-tunnel
edit "gre-to-rem"
set interface "gre-tunnel1"
set remote-gw 10.225.252.2
set local-gw 10.225.252.1
edit 3
set uuid 935c31dc-1ee9-51ee-bfbd-5952d3420438
set srcintf "gre-tunnel1"
set dstintf "gre-tunnel1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
edit 4
set name "Permit-from-Azure"
set uuid 0ed3dc98-1eea-51ee-3e91-26273c7326e3
set srcintf "port2"
set dstintf "gre-to-rem"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
edit 5
set name "Permit-to-Azure"
set uuid 20ee78de-1eea-51ee-7e88-e77467246117
set srcintf "gre-to-rem"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
Here is mikrotik side:
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=8h name=azure-test-profile
/ip ipsec peer
add address=20.8.*.*/32 local-address=178.54.*.* name=azure-test-peer profile=azure-test-profile
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=8h name=azure-test-proporsal pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-strict peer=azure-test-peer secret=kN#n2biOQi7P93xC6MmPaO%P4O
/ip ipsec policy
add dst-address=20.8.*.*/32 peer=azure-test-peer proposal=azure-test-proporsal protocol=gre src-address=178.54.*.*/32
/interface gre
name="azure-test" mtu=auto actual-mtu=1476 local-address=178.54.*.* remote-address=20.8.*.* dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=no
/ip address
10.225.252.2/30 10.225.252.0 azure-test
Do I need to add anything or change?
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did like showed in this article and VPN works now:
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Could you enable the below settings.
config system settings
set allow-subnet-overlap enable
next
end
Otherwise your FGT configuration looks fine here, but please provide the VPN logs if possible to check further. Also I would request you to validate the Mikrotik configuration as well and make sure they are aligned.
Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
config system gre-tunnel
edit "gre-to-rem"
set interface "gre-tunnel1"
set remote-gw 10.225.252.2
set local-gw 10.225.252.1
I changed remote and local address from Local IP address to the Global IP and Tunnel went up.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I Mean config system gre-tunnel
edit "gre-to-rem"
set interface "gre-tunnel1"
set remote-gw 178.54.*.*
set local-gw 20.8.*.*
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now tunnel is up, I see counter of Incoming data is increasing, but outgoing data is 0.
No sure why, Route is added, policy also granted.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Could you please send me your Final configuration (including the routing configuration) and if possible, please send the traffic debug logs.
Meanwhile you could make below change and test ( Note: Make sure you backup your existing configuration before making the changes)
config system settings
set allow-subnet-overlap enable
next
end
config system interface
delete ""gre-tunnel1"
edit "gre-to-rem"
set type tunnel
set ip 10.225.252.1 255.255.255.255
set remote-ip 10.225.252.2 255.255.255.252
set interface "gre-tunnel1"
next
end
Also make sure your route configuration on Fortigate is correctly configured to forward the traffic to right interface. Final Destination route should point to GRE interface.
Regards,
Created on 07-11-2023 07:00 AM Edited on 07-11-2023 07:01 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
forti-FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.225.255.1, port1, [1/0]
S 10.225.0.0/16 [10/0] via 10.225.254.1, port2, [1/0]
S 10.225.252.0/30 [5/0] via gre-tunnel1 tunnel 178.54.*.*, [1/0]
C 10.225.252.1/32 is directly connected, gre-tunnel1
C 10.225.254.0/24 is directly connected, port2
C 10.225.255.0/24 is directly connected, port1
S 172.16.48.0/24 [10/0] via gre-tunnel1 tunnel 178.54.*.*, [1/0]
There is route table of Fortigate
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This is not an official link from Fortinet, buy you may refer to this link if you haven't before.
https://www.linkedin.com/pulse/configuring-ipsec-gre-tunnel-between-fortios-645-routeros-denys/
I could see your settings are not matching to what is there in this document specially your interface configuration and the routing on Fortigate.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you confirm this status is from which side (Fortigate or Mikrotik)? Can you take a capture of the esp packets and compare the SPI value with the SPI value you see under "diagnose vpn tunnel list"
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Mikortiks are notorious with their handling of IPsec.
If you don't see any outgoing traffic, make sure to clear all the connections that will appear on IP-> Firewall-> Connections, that have destination & source of the Public IP of Fortigate.
Then kill the connection from IP->IPsec->Active Peers and see if that fixes your problem.
Regards
==============================
Not all those who wander are lost
==============================
Not all those who wander are lost
==============================
==============================Not all those who wander are
lost==============================
Related Posts
Labels
-
FortiGate
6,716 -
FortiClient
1,337 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
344 -
FortiAP
342 -
FortiClient EMS
273 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
82 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
61 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.