lmedoshvili
New Contributor

L2TP/IPSec between FortiGate and Mikrotik

Hi


I have an issue with connectivity between FortiGate and Mikrotik over L2TP/IPSec.

Is there any way to establish two-way communication between FortiGate and Mikrotik over L2TP?


[image: Screenshot_1.png]


I have this scenario, as shown in the picture.

From 10.38.10.10 I can ping 10.255.254.10 and 10.255.254.11, but I cannot reach 10.40.10.10.

From 10.40.10.10 I can ping 10.38.10.10.


On Mikrotik NAT is enabled (without NAT I can't ping the network beyond the FortiGate).

AlexC-FTNT
Staff

If you have one-way communication, the problem is not necessarily related to L2TP, but to routing.

Check first the routing table on the FortiGate:

get router info routing-table detail 10.40.10.10

---> it should point to the L2TP tunnel.
Then, check in a debug flow if the traffic is actually sent to that tunnel.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
lmedoshvili

There is a static route record.

S       10.40.10.0/24 [10/0] is directly connected, l2t.root, [1/0]
S       10.255.0.0/16 [10/0] is directly connected, l2t.root, [1/0]
hbac
Staff

Hi @lmedoshvili,


Please run the following debug flow commands and try to ping 10.40.10.10 again.


di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 10.40.10.10
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable


Regards,

lmedoshvili

This is the output after debug was enabled:

2024-01-19 18:07:45 id=65308 trace_id=1 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 10.38.10.1:122->10.40.10.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=122, seq=0."
2024-01-19 18:07:45 id=65308 trace_id=1 func=init_ip_session_common line=6020 msg="allocate a new session-00104a8a"
2024-01-19 18:07:45 id=65308 trace_id=1 func=iprope_dnat_check line=5466 msg="in-[], out-[l2t.root]"
2024-01-19 18:07:45 id=65308 trace_id=1 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-01-19 18:07:45 id=65308 trace_id=1 func=iprope_dnat_check line=5487 msg="result: skb_flags-00000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-01-19 18:07:45 id=65308 trace_id=1 func=__iprope_check line=2388 msg="gnum-100004, check-ffffffbffc0431f0"
2024-01-19 18:07:45 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-1, ret-no-match, act-drop"
2024-01-19 18:07:45 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-7, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-2, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-2, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-3, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2363 msg="gnum-100004 policy-4 is not active"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-8, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-9, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-13, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-11, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-12, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-14, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-14, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-15, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-17, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-18, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-24, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-21, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-23, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-0, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check line=2405 msg="gnum-100004 check result: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2024-01-19 18:07:46 id=65308 trace_id=1 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2024-01-19 18:07:47 id=65308 trace_id=2 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 10.38.10.1:122->10.40.10.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=122, seq=1."
2024-01-19 18:07:47 id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-00104a8a, original direction"
2024-01-19 18:07:48 id=65308 trace_id=3 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 10.38.10.1:122->10.40.10.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=122, seq=2."
2024-01-19 18:07:48 id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-00104a8a, original direction"
2024-01-19 18:07:49 id=65308 trace_id=4 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 10.38.10.1:122->10.40.10.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=122, seq=3."
2024-01-19 18:07:49 id=65308 trace_id=4 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-00104a8a, original direction"
2024-01-19 18:07:50 id=65308 trace_id=5 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 10.38.10.1:122->10.40.10.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=122, seq=4."
2024-01-19 18:07:50 id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-00104a8a, original direction"


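Reading a `diagnose debug flow` capture by hand is error-prone once a trace spans twenty policy lines, and the question AlexC-FTNT raised (routing or policy?) is answered by two fields in it: the `out-[...]` interface and the final `check result`. The parser below is an added example, not code from the thread or from Fortinet, that turns each `trace_id` into one line saying which it was. The first trace in the constructed sample is abbreviated from the output posted above; traces 2 and 3 (the `port2` interface, `policy-5`, `ret-matched` and session `00104b00`) are constructed to show what a session hit and an accepted packet look like next to the drop. Note that the posted trace says `from local` with source 10.38.10.1, i.e. a ping sourced by the FortiGate itself, which is not the same test as a ping from the 10.38.10.10 host.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: trace 1 is abbreviated from the thread's posted output;
# traces 2 and 3 are constructed here (port2, policy-5, session 00104b00).
SAMPLE_FLOW = """\
2024-01-19 18:07:45 id=65308 trace_id=1 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 10.38.10.1:122->10.40.10.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=122, seq=0."
2024-01-19 18:07:45 id=65308 trace_id=1 func=init_ip_session_common line=6020 msg="allocate a new session-00104a8a"
2024-01-19 18:07:45 id=65308 trace_id=1 func=iprope_dnat_check line=5466 msg="in-[], out-[l2t.root]"
2024-01-19 18:07:45 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-1, ret-no-match, act-drop"
2024-01-19 18:07:45 id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-7, ret-no-match, act-drop"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check_one_policy line=2363 msg="gnum-100004 policy-4 is not active"
2024-01-19 18:07:46 id=65308 trace_id=1 func=__iprope_check line=2405 msg="gnum-100004 check result: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2024-01-19 18:07:47 id=65308 trace_id=2 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 10.38.10.1:122->10.40.10.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=122, seq=1."
2024-01-19 18:07:47 id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-00104a8a, original direction"
2024-01-19 18:08:01 id=65308 trace_id=3 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 10.38.10.10:1->10.40.10.10:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=0."
2024-01-19 18:08:01 id=65308 trace_id=3 func=init_ip_session_common line=6020 msg="allocate a new session-00104b00"
2024-01-19 18:08:01 id=65308 trace_id=3 func=iprope_dnat_check line=5466 msg="in-[port2], out-[l2t.root]"
2024-01-19 18:08:01 id=65308 trace_id=3 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-5, ret-matched, act-accept"
2024-01-19 18:08:01 id=65308 trace_id=3 func=__iprope_check line=2405 msg="gnum-100004 check result: ret-matched, act-accept, flag-00000000, flag2-00000000"
"""

# One debug flow line: timestamp, id, trace_id, func, line, quoted msg.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
# Fields inside msg="..." that decide routing vs policy for the packet.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) '
    r'tun_id=\S+ from (?P<inif>\S+?)\.(?: |$)'
)
IFACE_RE = re.compile(r'^in-\[(?P<inif>[^\]]*)\], out-\[(?P<outif>[^\]]*)\]')
POLICY_RE = re.compile(r'^checked gnum-\w+ policy-(?P<pol>\d+), ret-(?P<ret>[\w-]+), act-(?P<act>\w+)')
RESULT_RE = re.compile(r'^gnum-\w+ check result: ret-(?P<ret>[\w-]+), act-(?P<act>\w+)')
NEWSESS_RE = re.compile(r'^allocate a new session-(?P<sid>\w+)')
OLDSESS_RE = re.compile(r'^Find an existing session, id-(?P<sid>\w+)')


@dataclass
class FlowTrace:
    trace_id: int
    src: str = ""
    dst: str = ""
    proto: int = 0
    in_iface: str = ""          # "local" means the FortiGate itself sourced the packet
    out_iface: str = ""         # egress chosen by the routing lookup
    new_session: Optional[str] = None
    existing_session: Optional[str] = None
    policies: List[str] = field(default_factory=list)   # "policy:ret" per policy checked
    verdict: Optional[str] = None        # final act-... of the policy group
    verdict_reason: Optional[str] = None # final ret-... of the policy group


def parse_debug_flow(text: str) -> Dict[int, FlowTrace]:
    """Group debug flow lines by trace_id and pull out the decision-relevant fields."""
    traces: Dict[int, FlowTrace] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt echo, blank line or other non-flow output
        tr = traces.setdefault(int(m.group("trace")), FlowTrace(int(m.group("trace"))))
        msg = m.group("msg")
        if (p := PKT_RE.search(msg)):
            tr.src, tr.dst, tr.proto, tr.in_iface = p["src"], p["dst"], int(p["proto"]), p["inif"]
        elif (i := IFACE_RE.match(msg)):
            tr.out_iface = i["outif"]
        elif (s := NEWSESS_RE.match(msg)):
            tr.new_session = s["sid"]
        elif (s := OLDSESS_RE.match(msg)):
            tr.existing_session = s["sid"]
        elif (q := POLICY_RE.match(msg)):
            tr.policies.append(f'{q["pol"]}:{q["ret"]}')
        elif (r := RESULT_RE.match(msg)):
            tr.verdict, tr.verdict_reason = r["act"], r["ret"]
    return traces


def explain(tr: FlowTrace, traces: Dict[int, FlowTrace]) -> str:
    """One line per trace: was the packet routed, and did a policy accept it?"""
    head = f"trace {tr.trace_id}: {tr.src}->{tr.dst} proto {tr.proto} in={tr.in_iface or '-'} out={tr.out_iface or '-'}"
    if tr.existing_session:
        owner = next((t for t in traces.values() if t.new_session == tr.existing_session), None)
        ref = f" (see trace {owner.trace_id})" if owner else ""
        return f"{head}: reused session {tr.existing_session}{ref}; no new policy lookup"
    if not tr.out_iface:
        return f"{head}: no egress interface resolved; check the routing table first"
    if tr.verdict == "drop" and tr.verdict_reason == "no-match":
        return f"{head}: routed to {tr.out_iface}, but none of {len(tr.policies)} policies matched; dropped by policy, not routing"
    if tr.verdict == "accept":
        matched = [p.split(":")[0] for p in tr.policies if p.endswith(":matched")]
        return f"{head}: accepted by policy {matched[-1] if matched else '?'}"
    return f"{head}: verdict {tr.verdict or 'unknown'} ({tr.verdict_reason or '?'})"


if __name__ == "__main__":
    parsed = parse_debug_flow(SAMPLE_FLOW)
    for t in parsed.values():
        print(explain(t, parsed))
```

Run against the posted capture, the first trace reports `out=l2t.root` (so the static route did its job) and a `no-match`/`drop` verdict, which is the detail that separates a routing problem from a missing or non-matching firewall policy; the later traces only say they reused session `00104a8a`, so their outcome is the one recorded in trace 1.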
nfored
New Contributor II

I have this exact setup, IPsec between a Mikrotik CHR and two different Forti. Given that you can make it all the way across the tunnel in both directions, the tunnel is in good shape. Given the side under the Mikrotik can ping the side under the FG but not the other way around, I would confirm the firewall ACL on the Mikrotik side. MT IPsec has no routing for the IPsec, so there is no need on that device to have a route for anything on the other side.


On a MT, if your proposal is, say, 172.16.0.0/16 and 10.2.0.0/16 "Local/Remote", then you need no route for 10.2.0.0/16 on the MT side; it will see that destination and know it needs to shove it down the tunnel.
