- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSec Between Fortigate and Mikrotik
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec Between Fortigate and Mikrotik
Hello,
I have fortigate installed in Azure and Mikrotik on our On-prem datacenter. I would like to configure IPSec over GRE VPN between them. Phase 1 is establishing without problem, but Phase 2 doesn't go up.
I use this article:
https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/799752/gre-over-ipsec
Here is Azure fortigate configuration:
config vpn ipsec phase1-interface
edit "gre-tunnel1"
set interface "port1"
set peertype any
set net-device disable
set proposal aes256-sha512
set dhgrp 14
set remote-gw 178.54.*.*
set psksecret ******
config vpn ipsec phase2-interface
edit "gre-tunnel1"
set phase1name "gre-tunnel1"
set proposal aes256-sha512
set dhgrp 14
set protocol 47
set keylifeseconds 28800
edit "gre-tunnel1"
set vdom "root"
set ip 10.225.252.1 255.255.255.255
set type tunnel
set remote-ip 10.225.252.2 255.255.255.252
set snmp-index 7
set interface "port1"
config system gre-tunnel
edit "gre-to-rem"
set interface "gre-tunnel1"
set remote-gw 10.225.252.2
set local-gw 10.225.252.1
edit 3
set uuid 935c31dc-1ee9-51ee-bfbd-5952d3420438
set srcintf "gre-tunnel1"
set dstintf "gre-tunnel1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
edit 4
set name "Permit-from-Azure"
set uuid 0ed3dc98-1eea-51ee-3e91-26273c7326e3
set srcintf "port2"
set dstintf "gre-to-rem"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
edit 5
set name "Permit-to-Azure"
set uuid 20ee78de-1eea-51ee-7e88-e77467246117
set srcintf "gre-to-rem"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
Here is mikrotik side:
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=8h name=azure-test-profile
/ip ipsec peer
add address=20.8.*.*/32 local-address=178.54.*.* name=azure-test-peer profile=azure-test-profile
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=8h name=azure-test-proporsal pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-strict peer=azure-test-peer secret=kN#n2biOQi7P93xC6MmPaO%P4O
/ip ipsec policy
add dst-address=20.8.*.*/32 peer=azure-test-peer proposal=azure-test-proporsal protocol=gre src-address=178.54.*.*/32
/interface gre
name="azure-test" mtu=auto actual-mtu=1476 local-address=178.54.*.* remote-address=20.8.*.* dscp=inherit clamp-tcp-mss=yes dont-fragment=no allow-fast-path=no
/ip address
10.225.252.2/30 10.225.252.0 azure-test
Do I need to add anything or change?
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did like showed in this article and VPN works now:
- « Previous
-
- 1
- 2
- Next »
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I can't even Ping IP address of tunnels. Not sure why...
On fortigate side I must to set IP address with 32 mask, but how I should set to mikrotik side?
I mean this one:
set type tunnel
set ip 10.225.252.1 255.255.255.255
set remote-ip 10.225.252.2 255.255.255.252
Created on 07-11-2023 05:00 AM Edited on 07-11-2023 05:02 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Have configured NAT from Mikrotik side??? Also I can imagine that from Fortigate side there are policies that allows traffic from IPsec tunnel through the desired networks.
EDIT: Sorry just saw on the original post that there are indeed policies that allows traffic.
==============================
Not all those who wander are lost
==============================
Not all those who wander are lost
==============================
==============================Not all those who wander are
lost==============================
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to do NoNAT Policy on mikrotikm but the same
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The NAT policy is mandatory. Sorry if I misguided you with this information above.
Have you tried the steps that I mentioned on my above post, to clear the connections from mikrotik???
I had many cases with IPsec tunnels established and no packets go through it and always been solved with the clearance of mikrotik's connections
==============================
Not all those who wander are lost
==============================
Not all those who wander are lost
==============================
==============================Not all those who wander are
lost==============================
Created on 07-11-2023 06:54 AM Edited on 07-11-2023 06:58 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to kill sessions, but the same...
What kind of NAT rule do I need to add on Mikrotik?
chain=srcnat action=accept src-address=172.16.48.0/24 dst-address=10.225.2.0/24
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to do reconfiguration as showed in this article:
Now Tunnel is up, also I see Inbound\outbound traffic counters are increasing, but there are no any network access between this 2 devices....
I don't know what I can do now...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
When you say there is no network access between devices (your tunnel is up), it is bit confusing. Could you please clarify between which device you are having network access problem ? Please provide the logs for better understanding and analysis.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
If you're experiencing IPSec VPN connectivity issues between a FortiGate firewall and a MikroTik router, you can follow below steps for initial troubleshooting
Check the VPN configuration on both the FortiGate and the MikroTik devices. Check that the authentication mechanisms, encryption algorithms, and pre-shared keys (PSKs) are the same on both ends.
Check that the firewall policies on both devices allow the IPSec VPN traffic. Check that the policies allow traffic from the VPN tunnel's source and destination IP addresses and ports.
ensure there are no connectivity issues between fortigate and microtik device.
Enable NAT traversal (NAT-T) on both ends if the FortiGate or MikroTik device is behind a NAT (Network Address Translation) device. NAT-T encapsulates VPN traffic within UDP packets, allowing it to transit over NAT devices.
Check the settings for the Phase 1 and Phase 2 proposals on both devices. Check that the encryption, authentication, and hashing algorithms on both ends are compatible and configured correctly.
To gather relevant VPN logs, enable debug logging on both the FortiGate and MikroTik devices. Examine the logs for any error messages or signs of connectivity or negotiation difficulties. This information can assist in determining the root cause of the problem.
You can refer below document as well for the deugging
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
BR
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did like showed in this article and VPN works now:
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Transparent VLAN between Fortigate port and... 1 View
- Site to Site IP Sec with... 33 Views
- What do Fortigate interface roles (eg... 83 Views
- LDAPS (can't contact LDAP server) 127 Views
- Adding FortiGate to FortiManager in EVE-NG 128 Views
Labels
-
FortiGate
7,163 -
FortiClient
1,414 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
374 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
108 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1063 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.