I have a FortiGate installed in Azure and a Mikrotik in our on-prem datacenter. I would like to configure an IPsec over GRE VPN between them. Phase 1 establishes without problem, but Phase 2 doesn't come up.
config vpn ipsec phase1-interface
    edit "gre-tunnel1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes256-sha512
        set dhgrp 14
        set remote-gw 178.54.*.*
        set psksecret ******
    next
end

config vpn ipsec phase2-interface
    edit "gre-tunnel1"
        set phase1name "gre-tunnel1"
        set proposal aes256-sha512
        set dhgrp 14
        set protocol 47
        set keylifeseconds 28800
    next
end

config system interface
    edit "gre-tunnel1"
        set vdom "root"
        set ip 10.225.252.1 255.255.255.255
        set type tunnel
        set remote-ip 10.225.252.2 255.255.255.252
        set snmp-index 7
        set interface "port1"
    next
end

config system gre-tunnel
    edit "gre-to-rem"
        set interface "gre-tunnel1"
        set remote-gw 10.225.252.2
        set local-gw 10.225.252.1
    next
end

config firewall policy
    edit 3
        set uuid 935c31dc-1ee9-51ee-bfbd-5952d3420438
        set srcintf "gre-tunnel1"
        set dstintf "gre-tunnel1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "Permit-from-Azure"
        set uuid 0ed3dc98-1eea-51ee-3e91-26273c7326e3
        set srcintf "port2"
        set dstintf "gre-to-rem"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 5
        set name "Permit-to-Azure"
        set uuid 20ee78de-1eea-51ee-7e88-e77467246117
        set srcintf "gre-to-rem"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

config system settings
    set allow-subnet-overlap enable
end
Otherwise, your FGT configuration looks fine here, but please provide the VPN logs, if possible, so we can check further. I would also request that you validate the Mikrotik configuration as well and make sure the two sides are aligned.
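As an added example (not part of the thread, and not the poster's or the Fortinet answer's configuration), here is the RouterOS side of the IPsec setup written to line up with the phase 1 and phase 2 parameters posted above: aes256-sha512 with DH group 14 (modp2048 in RouterOS naming) for both phases, a phase 2 lifetime of 28800 s, and selectors of protocol 47 (GRE) over 0.0.0.0/0 in both directions, which is what the FortiGate phase2 negotiates because it sets `protocol 47` but leaves src-subnet/dst-subnet at their defaults. It assumes IKEv1 main mode (the FortiGate default when `ike-version` is not set), a placeholder FortiGate public address 203.0.113.10 and placeholder object names; the GRE interface and its addressing on the Mikrotik are outside this fragment. Since port1 on the FortiGate sits in 10.225.255.0/24 (see the routing table later in the thread), the Azure public IP is NATed, so NAT-T stays enabled.

```routeros
# Added example, not from the thread. Assumed placeholders:
#   203.0.113.10 = the FortiGate's Azure public IP (not shown in the post)
#   "CHANGEME"   = the same PSK as the FortiGate psksecret
# Phase 1: mirrors FortiGate "proposal aes256-sha512 / dhgrp 14" plus the
# FortiGate defaults of IKEv1 main mode and an 86400 s (1d) key lifetime.
/ip ipsec profile add name=fgt-p1 enc-algorithm=aes-256 hash-algorithm=sha512 \
    dh-group=modp2048 lifetime=1d nat-traversal=yes
/ip ipsec peer add name=fgt-azure address=203.0.113.10/32 profile=fgt-p1 \
    exchange-mode=main
/ip ipsec identity add peer=fgt-azure auth-method=pre-shared-key \
    secret="CHANGEME" generate-policy=no
# Phase 2: mirrors "proposal aes256-sha512 / dhgrp 14 / keylifeseconds 28800".
/ip ipsec proposal add name=fgt-p2 enc-algorithms=aes-256-cbc \
    auth-algorithms=sha512 pfs-group=modp2048 lifetime=8h
# Selectors: the FortiGate phase2 only sets "protocol 47", so src/dst are
# 0.0.0.0/0 on its side; the policy here matches that exactly. If you narrow
# this to the /32 tunnel endpoints, set the same src-subnet/dst-subnet on the
# FortiGate phase2 so both sides still agree.
/ip ipsec policy add peer=fgt-azure tunnel=yes proposal=fgt-p2 action=encrypt \
    src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=gre
# Checks: phase 1 shows under active-peers, phase 2 as installed SAs.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```

The point of mirroring the selectors is that phase 2 fails silently when the two sides propose different traffic selectors even though every algorithm matches; comparing the `policy print` output against the FortiGate phase2 is the first thing to check when phase 1 is up and phase 2 is not.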
forti-FGT # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.225.255.1, port1, [1/0]
S       10.225.0.0/16 [10/0] via 10.225.254.1, port2, [1/0]
S       10.225.252.0/30 [5/0] via gre-tunnel1 tunnel 178.54.*.*, [1/0]
C       10.225.252.1/32 is directly connected, gre-tunnel1
C       10.225.254.0/24 is directly connected, port2
C       10.225.255.0/24 is directly connected, port1
S       172.16.48.0/24 [10/0] via gre-tunnel1 tunnel 178.54.*.*, [1/0]
Mikrotiks are notorious for their handling of IPsec. If you don't see any outgoing traffic, make sure to clear all the connections that appear under IP -> Firewall -> Connections that have the FortiGate's public IP as source or destination. Then kill the connection under IP -> IPsec -> Active Peers and see if that fixes your problem.
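The reset procedure above, as an added example in RouterOS terminal syntax (not the commenter's own commands). The FortiGate's Azure public IP is not shown anywhere in the thread, so 203.0.113.10 is an assumed placeholder; the logging entry is added so the renegotiation can be watched.

```routeros
# Added example, not from the thread. 203.0.113.10 is an assumed placeholder
# for the FortiGate's Azure public IP.
# 0. Make IPsec messages visible in the log (skip if already configured).
/system logging add topics=ipsec,!packet action=memory
# 1. Drop stale tracked connections to/from the FortiGate public IP
#    (IKE on udp/500 and udp/4500, and ESP). "~" is a regex match and the
#    unescaped dots match any character, which is harmless for this purpose.
/ip firewall connection remove [find where src-address~"^203.0.113.10" || dst-address~"^203.0.113.10"]
# 2. Tear down the IKE SA with that peer so negotiation restarts at phase 1.
/ip ipsec active-peers kill-connections [find where remote-address=203.0.113.10]
# 3. Drop any half-installed child SAs left over from failed phase 2 attempts.
/ip ipsec installed-sa flush
# 4. Watch the new negotiation; phase 2 errors (selector or proposal
#    mismatch) appear here on the responding side.
/log print follow where topics~"ipsec"
```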