Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
alan_02
New Contributor

Problem configuring a site-to-site IPsec VPN between a FortiGate site and a MikroTik site

Greetings everyone...

I am new to FortiGate, but I have a problem: I tried to connect the FortiGate to the MikroTik on side B using IPsec. I was following documentation and tutorials around the internet, but still no luck... My plan is to connect the FortiGate to the MikroTik on side B using an IPsec VPN tunnel.

Here's my topology:

101.60.x.x (note: the x's are where I hide the real IP, but the IP is public and static)

[attached image: my topology.PNG]

My FortiGate phase 1 settings:

config vpn ipsec phase1-interface
    edit "SS6KDI"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal 3des-sha1
        set dpd on-idle
        set nattraversal disable
        set remote-gw 192.168.1.2
        set psksecret ENC W82Ix1eXY+0aYfeqYi10GqEqdYV7t0BKbyusKbuli23dnRR6PRuGbidTP2xgikn7pXc6/xr8wgyN/qEzg1m2b/xQINWSW+6ash/tumJzfgAXZA6DeKXylRg8g1tajR01vTRBFKJkZKky2ZlURPjTHy1B0rpBPBMfBlHvCnCQEFsi+6kkM43rfWIIFBYMDRxSPz8B/A==
    next
end

My FortiGate phase 2 settings:

FGT_PPA-MLP (SS6KDI) # show
config vpn ipsec phase2-interface
    edit "SS6KDI"
        set phase1name "SS6KDI"
        set proposal 3des-sha1
        set dhgrp 5
        set auto-negotiate enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "SS6KDI_local_subnet_1" (this is 10.30.30.0/29)
        set dst-name "SS6KDI_remote_subnet_1" (this is 192.168.100.0/24)
    next
end

My firewall policy for the VPN SS6KDI:

    edit 9
        set name "SS6KDIlocal"
        set uuid 7f43d5dc-f45b-51ed-c70d-953765cd3998
        set srcintf "SS6KDI"
        set dstintf "LAN INTERNAL"
        set action accept
        set srcaddr "SS6KDI_remote_subnet_1" 192.168.100.0/24
        set dstaddr "SS6KDI_local_subnet_1" 10.30.30.0/29
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next 
    edit 11
        set name "SS6KDI_remote"
        set uuid 8316eeba-f45b-51ed-cfb2-9f418095d2a8
        set srcintf "AIM DMZ"
        set dstintf "SS6KDI"
        set action accept
        set srcaddr "SS6KDI_local_subnet_1" 10.30.30.0/29
        set dstaddr "SS6KDI_remote_subnet_1" 192.168.100.0/24
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments " (Copy of SS6KDIlocal) (Reverse of SS6KDIlocal)"
    next 
end

Here is my static route:

set device "SS6KDI"
set dstaddr "SS6KDI_remote_subnet_1" 192.168.100.0/24
next

For now, on the MikroTik side B, here's the setting:

/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 enc-algorithm=3des nat-traversal=no
add dh-group=modp1536 enc-algorithm=3des name=profileSS6KDI nat-traversal=no
/ip ipsec peer
add address=101.60.x.x/32 name="peers KDI" profile=profileSS6KDI
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=modp1536
add enc-algorithms=3des name=proposalSS6KDI pfs-group=modp1536
/ip ipsec identity
add peer="peers KDI" secret=xxx
/ip ipsec policy
add dst-address=10.30.30.0/29 peer="peers KDI" proposal=proposalSS6KDI sa-dst-address=101.60.x.x sa-src-address=0.0.0.0 src-address=192.168.100.0/24 tunnel=yes

Here is the debug result from the FortiGate:

FGT_PPA-MLP # diagnose vpn ike log-filter dst-addr4 192.168.1.2

FGT_PPA-MLP # diagnose debug application ike -1
Debug messages will be on for 30 minutes.

FGT_PPA-MLP # diagnose debug enable

FGT_PPA-MLP # ike 0:SS6KDI:24089: negotiation timeout, deleting
ike 0:SS6KDI: connection expiring due to phase1 down
ike 0:SS6KDI: deleting
ike 0:SS6KDI: deleted
ike 0:SS6KDI: schedule auto-negotiate
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: created connection: 0x882e880 6 101.60.x.x->192.168.1.2:500.
ike 0:SS6KDI: HA start as master
ike 0:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:500 negotiating
ike 0:SS6KDI: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:SS6KDI:24094: initiator: main mode is sending 1st message...
ike 0:SS6KDI:24094: cookie a431aa6e30adbdee/0000000000000000
ike 0:SS6KDI:24094: out A431AA6E30ADBDEE00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24094: sent IKE msg (ident_i1send): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=a431aa6e30adbdee/0000000000000000
ike shrank heap by 159744 bytes
ike 0:SS6KDI:24094: out A431AA6E30ADBDEE00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24094: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=a431aa6e30adbdee/0000000000000000
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24094: out A431AA6E30ADBDEE00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24094: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=a431aa6e30adbdee/0000000000000000
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24094: out A431AA6E30ADBDEE00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24094: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=a431aa6e30adbdee/0000000000000000
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24094: negotiation timeout, deleting
ike 0:SS6KDI: connection expiring due to phase1 down
ike 0:SS6KDI: deleting
ike 0:SS6KDI: deleted
ike 0:SS6KDI: schedule auto-negotiate
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: created connection: 0x882e880 6 101.60.x.x->192.168.1.2:500.
ike 0:SS6KDI: HA start as master
ike 0:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:500 negotiating
ike 0:SS6KDI: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:SS6KDI:24100: initiator: main mode is sending 1st message...
ike 0:SS6KDI:24100: cookie dd3c684e49c7fb0f/0000000000000000
ike 0:SS6KDI:24100: out DD3C684E49C7FB0F00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24100: sent IKE msg (ident_i1send): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=dd3c684e49c7fb0f/0000000000000000
ike 0:SS6KDI:24100: out DD3C684E49C7FB0F00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24100: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=dd3c684e49c7fb0f/0000000000000000
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24100: out DD3C684E49C7FB0F00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24100: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=dd3c684e49c7fb0f/0000000000000000
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24100: out DD3C684E49C7FB0F00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24100: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=dd3c684e49c7fb0f/0000000000000000
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24100: negotiation timeout, deleting
ike 0:SS6KDI: connection expiring due to phase1 down
ike 0:SS6KDI: deleting
ike 0:SS6KDI: deleted
ike 0:SS6KDI: schedule auto-negotiate
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: created connection: 0x882e880 6 101.60.x.x->192.168.1.2:500.
ike 0:SS6KDI: HA start as master
ike 0:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:500 negotiating
ike 0:SS6KDI: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:SS6KDI:24107: initiator: main mode is sending 1st message...
ike 0:SS6KDI:24107: cookie 16f09453070aa0e4/0000000000000000
ike 0:SS6KDI:24107: out 16F09453070AA0E400000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24107: sent IKE msg (ident_i1send): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=16f09453070aa0e4/0000000000000000
ike 0:SS6KDI:24107: out 16F09453070AA0E400000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24107: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=16f09453070aa0e4/0000000000000000
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24107: out 16F09453070AA0E400000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24107: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=16f09453070aa0e4/0000000000000000
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24107: out 16F09453070AA0E400000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24107: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=16f09453070aa0e4/0000000000000000
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24107: negotiation timeout, deleting
ike 0:SS6KDI: connection expiring due to phase1 down
ike 0:SS6KDI: deleting
ike 0:SS6KDI: deleted
ike 0:SS6KDI: schedule auto-negotiate
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: created connection: 0x882e880 6 101.60.x.x->192.168.1.2:500.
ike 0:SS6KDI: HA start as master
ike 0:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:500 negotiating
ike 0:SS6KDI: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:SS6KDI:24115: initiator: main mode is sending 1st message...
ike 0:SS6KDI:24115: cookie d09d92449a6a8c17/0000000000000000
ike 0:SS6KDI:24115: out D09D92449A6A8C1700000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24115: sent IKE msg (ident_i1send): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=d09d92449a6a8c17/0000000000000000
ike 0:SS6KDI:24115: out 


Error log from MikroTik site B:

phase1 negotiation failed due to time up 192.168.1.2[500]<=>101.60.x.x[500] 313ffbc15d85dda8:0000000000000000

101.60.x.x FortiGate gw (note: the x's are where I hide the real IP here, sorry, but the IP is public and static)

I have no idea what's at fault in my config; your help is really appreciated... Thank you.
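Added example (an editor's addition to this thread, not part of alan_02's post and not FortiGate or MikroTik code): the hex after `out` in each `ike 0:SS6KDI:...: out ...` line of the debug above is the raw IKEv1 main-mode message 1 that the FortiGate sent toward 192.168.1.2. The script below parses the first such dump by the field layout in RFC 2408 (ISAKMP header and payloads) and RFC 2409 (phase 1 attributes) and prints what the FortiGate actually offered. The only assumptions beyond the dump itself are the small lookup tables: the two vendor IDs it names (DPD from RFC 3706, and the Cisco/Microsoft IKE fragmentation ID) are taken from the public registries, and the fourth vendor ID in the dump is reported as unknown rather than guessed.

```python
"""Decode an IKEv1 main-mode message 1 as dumped by 'diagnose debug application ike -1'.

Added example for this thread; not code from the original post, FortiGate or MikroTik.
Field layout follows RFC 2408 (ISAKMP) and RFC 2409 (IKE phase 1 attributes).
"""
import struct

# Copied from the first "ike 0:SS6KDI:24094: out ..." dump in the debug above, with the
# wrapped lines joined. It is the FortiGate's own first main-mode message (204 bytes).
MM1_HEX = (
    "A431AA6E30ADBDEE00000000000000000110020000000000000000CC"                    # ISAKMP header
    "0D00005C0000000100000001" "0000005001010002"                                  # SA payload, proposal 1
    "0300002401010000800B0001000C0004000151808001000580030001800200028004000E"    # transform 1
    "0000002402010000800B0001000C00040001518080010005800300018002000280040005"    # transform 2
    "0D000014AFCAD71368A1F1C96B8696FC77570100"                                    # vendor ID
    "0D0000144048B7D56EBCE88525E7DE7F00D6C2D3"                                    # vendor ID
    "0D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000"                            # vendor ID
    "000000148299031757A36082C6A621DE00000000"                                    # vendor ID (last payload)
)

EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick mode"}
# Phase 1 attribute types (RFC 2409 appendix A) and the value names this dump needs.
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group", 11: "life_type", 12: "life_duration"}
VALUE_NAMES = {
    "encryption": {5: "3DES-CBC", 7: "AES-CBC"},
    "hash": {1: "MD5", 2: "SHA1", 4: "SHA2-256"},
    "auth_method": {1: "pre-shared key", 3: "RSA signature"},
    "dh_group": {2: "modp1024", 5: "modp1536", 14: "modp2048"},
}
# Two well-known vendor IDs; anything else is reported as unknown rather than guessed.
KNOWN_VENDOR_IDS = {
    bytes.fromhex("afcad71368a1f1c96b8696fc77570100"): "DPD (RFC 3706)",
    bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d3"): "IKE fragmentation",
}


def parse_header(buf):
    """28-byte ISAKMP header. A zero responder SPI means no peer has answered yet."""
    ispi, rspi, next_payload, version, exchange, flags, msg_id, length = struct.unpack("!8s8sBBBBII", buf[:28])
    return {"initiator_spi": ispi.hex(), "responder_spi": rspi.hex(), "next_payload": next_payload,
            "version": f"{version >> 4}.{version & 0xF}", "exchange_type": exchange,
            "flags": flags, "message_id": msg_id, "length": length}


def parse_attributes(data):
    """Data attributes: TV form (high bit set, 2-byte value) or TLV form (explicit length)."""
    attrs, off = {}, 0
    while off < len(data):
        af_type, = struct.unpack("!H", data[off:off + 2])
        atype = af_type & 0x7FFF
        if af_type & 0x8000:
            value, = struct.unpack("!H", data[off + 2:off + 4])
            off += 4
        else:
            alen, = struct.unpack("!H", data[off + 2:off + 4])
            value = int.from_bytes(data[off + 4:off + 4 + alen], "big")
            off += 4 + alen
        attrs[ATTR_NAMES.get(atype, f"attr_{atype}")] = value
    return attrs


def parse_sa(body):
    """SA payload body (after its generic header): DOI, situation, one proposal, N transforms."""
    doi, situation = struct.unpack("!II", body[:8])
    _, _, _plen, pnum, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[8:16])
    off, transforms = 16 + spi_size, []
    for _ in range(ntrans):
        _, _, tlen, tnum, tid = struct.unpack("!BBHBB", body[off:off + 6])
        transforms.append({"num": tnum, "id": tid, **parse_attributes(body[off + 8:off + tlen])})
        off += tlen
    return {"doi": doi, "situation": situation, "proposal": pnum, "protocol": proto, "transforms": transforms}


def decode_mm1(hexdump):
    """Walk the payload chain. Returns (header dict, [(payload kind, decoded value), ...])."""
    buf = bytes.fromhex(hexdump)
    hdr = parse_header(buf)
    if hdr["length"] != len(buf):
        raise ValueError(f"header length {hdr['length']} != dump length {len(buf)}")
    payloads, ptype, off = [], hdr["next_payload"], 28
    while ptype != 0:
        next_ptype, _, plen = struct.unpack("!BBH", buf[off:off + 4])
        body = buf[off + 4:off + plen]
        if ptype == 1:
            payloads.append(("SA", parse_sa(body)))
        elif ptype == 13:
            payloads.append(("Vendor ID", KNOWN_VENDOR_IDS.get(body[:16], "unknown " + body.hex())))
        else:
            payloads.append((f"payload_{ptype}", body.hex()))
        ptype, off = next_ptype, off + plen
    return hdr, payloads


def summarize(hexdump):
    """Readable lines: exchange type, whether a responder ever answered, and what was offered."""
    hdr, payloads = decode_mm1(hexdump)
    rspi = hdr["responder_spi"]
    answered = "no responder SPI (nothing received from the peer)" if int(rspi, 16) == 0 else f"responder SPI {rspi}"
    lines = [f"IKEv{hdr['version']} {EXCHANGE_TYPES.get(hdr['exchange_type'], hdr['exchange_type'])}, "
             f"{hdr['length']} bytes, {answered}"]
    for kind, value in payloads:
        if kind == "SA":
            for t in value["transforms"]:
                names = [str(VALUE_NAMES[k].get(t.get(k), t.get(k))) for k in ("encryption", "hash", "auth_method", "dh_group")]
                lines.append(f"  transform {t['num']}: " + " / ".join(names) + f" / lifetime {t.get('life_duration')} s")
        else:
            lines.append(f"  {kind}: {value}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(MM1_HEX)))
```

Running it shows an IKEv1.0 main-mode message of 204 bytes (matching `len=204`) with two transforms, both 3DES-CBC / SHA1 / pre-shared key with an 86400 s lifetime, one with modp2048 and one with modp1536: that is the `set proposal 3des-sha1` line plus FortiOS's default phase 1 DH groups 14 and 5, and it does overlap the MikroTik profile's modp1536, so phase 1 proposals are not the mismatch here. The part that matters for this thread is the header: the responder SPI is zero in every `out` dump, every message is tagged `ident_i1send` or `P1_RETRANSMIT`, and there is no `in` line anywhere in the debug, so the negotiation never got past packet 1. A peer that disliked the proposal would normally still answer with a NO-PROPOSAL-CHOSEN notify; silence points at reachability, which is consistent with the MikroTik's own `phase1 negotiation failed due to time up` and with `set remote-gw 192.168.1.2` naming a private address that the FortiGate's public wan2 cannot reach across the internet. One further caveat on the pasted config: the `set psksecret ENC ...` line is a reversible encoding of the pre-shared key, not a hash, so once it has been posted publicly the PSK should be treated as disclosed and changed on both ends.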

4 REPLIES
saneeshpv_FTNT

As per the debug logs, there is no message received on the FortiGate from the MikroTik side. What is the public IP address on the MikroTik side? I could see you are using a private IP on the MikroTik side.

alan_02

Yes, I am using a private IP on the MikroTik side B. Must I use a public address on the MikroTik side B?

saneeshpv_FTNT

If you are using a private IP address, how could you route the traffic over the internet to the MikroTik site?

It's not possible, so yes, you need a public IP address on the MikroTik device, if there is no other device in front of your MikroTik device providing the Internet connection.

alan_02

To be honest, I don't know what my MikroTik public address is...

What if I did dial-up IPsec on the FortiGate side?
