Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
alan_02
New Contributor

Created on ‎05-16-2023 08:37 PM Edited on ‎05-16-2023 10:05 PM

Problem config vpn ipsec site to site fortigate site to mikrotik site

Greetings everyone...

 

I am new in fortigate but i have problem i tried using ipsec fortigate to mikrotik side B using ipsec. i was following documentation and tutorial around internet but still no luck...my plan is connecting fortigate to Mikrotik side B using vpn ipsec tunnel.

 

here's my topology

 

101.60.x.x(note: x is i hide the real ip, but the ip is public static)

 

my topology.PNG

 

 

 

my fortigate setting phase 1

 

 

config vpn ipsec phase1-interface
    edit "SS6KDI"
        set interface "wan2"
        set peertype any
        set net-device disable
        set proposal 3des-sha1
        set dpd on-idle
        set nattraversal disable
        set remote-gw 192.168.1.2
        set psksecret ENC W82Ix1eXY+0aYfeqYi10GqEqdYV7t0BKbyusKbuli23dnRR6PRuGbidTP2xgikn7pXc6/xr8wgyN/qEzg1m2b/xQINWSW+6ash/tumJzfgAXZA6DeKXylRg8g1tajR01vTRBFKJkZKky2ZlURPjTHy1B0rpBPBMfBlHvCnCQEFsi+6kkM43rfWIIFBYMDRxSPz8B/A==
    next
end

 

 

 

 

 my fortigate setting phase 2

 

 

FGT_PPA-MLP (SS6KDI) # show
config vpn ipsec phase2-interface
    edit "SS6KDI"
        set phase1name "SS6KDI"
        set proposal 3des-sha1
        set dhgrp 5
        set auto-negotiate enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "SS6KDI_local_subnet_1" (this is 10.30.30.0/29)
        set dst-name "SS6KDI_remote_subnet_1" (this is 192.168.100.0/24)
    next
end

 

 

 

 

my firewall policy for vpn ss6kdi

 

 

    edit 9
        set name "SS6KDIlocal"
        set uuid 7f43d5dc-f45b-51ed-c70d-953765cd3998
        set srcintf "SS6KDI"
        set dstintf "LAN INTERNAL"
        set action accept
        set srcaddr "SS6KDI_remote_subnet_1" 192.168.100.0/24
        set dstaddr "SS6KDI_local_subnet_1" 10.30.30.0/29
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next 
    edit 11
        set name "SS6KDI_remote"
        set uuid 8316eeba-f45b-51ed-cfb2-9f418095d2a8
        set srcintf "AIM DMZ"
        set dstintf "SS6KDI"
        set action accept
        set srcaddr "SS6KDI_local_subnet_1" 10.30.30.0/29
        set dstaddr "SS6KDI_remote_subnet_1" 192.168.100.0/24
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments " (Copy of SS6KDIlocal) (Reverse of SS6KDIlocal)"
    next 
end

 

 

 

 

here my static route

 

 

set device "SS6KDI"
set dstaddr "SS6KDI_remote_subnet_1" 192.168.100.0/24
next

 

 

 

 

 

 

for now in mikrotik sideB here's the setting:

 

 

/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 enc-algorithm=3des nat-traversal=no
add dh-group=modp1536 enc-algorithm=3des name=profileSS6KDI nat-traversal=no
/ip ipsec peer
add address=101.60.x.x/32 name="peers KDI" profile=profileSS6KDI
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=modp1536
add enc-algorithms=3des name=proposalSS6KDI pfs-group=modp1536
/ip ipsec identity
add peer="peers KDI" secret=xxx
/ip ipsec policy
add dst-address=10.30.30.0/29 peer="peers KDI" proposal=proposalSS6KDI sa-dst-address=101.60.x.x sa-src-address=0.0.0.0 src-address=192.168.100.0/24 tunnel=yes

 

 

 

 

 

 

 

 

 

here for result debug from the fortigate

 

 

FGT_PPA-MLP # # diagnose vpn ike log-filter dst-addr4 192.168.1.2

FGT_PPA-MLP # diagnose debug application ike -1
Debug messages will be on for 30 minutes.

FGT_PPA-MLP # diagnose debug enable

FGT_PPA-MLP # ike 0:SS6KDI:24089: negotiation timeout, deleting
ike 0:SS6KDI: connection expiring due to phase1 down
ike 0:SS6KDI: deleting
ike 0:SS6KDI: deleted
ike 0:SS6KDI: schedule auto-negotiate
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: created connection: 0x882e880 6 101.60.x.x->192.168.1.2:500.
ike 0:SS6KDI: HA start as master
ike 0:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:500 negotiating
ike 0:SS6KDI: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:SS6KDI:24094: initiator: main mode is sending 1st message...
ike 0:SS6KDI:24094: cookie a431aa6e30adbdee/0000000000000000
ike 0:SS6KDI:24094: out A431AA6E30ADBDEE00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24094: sent IKE msg (ident_i1send): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=a431aa6e30adbdee/0000000000000000
ike shrank heap by 159744 bytes
ike 0:SS6KDI:24094: out A431AA6E30ADBDEE00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24094: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=a431aa6e30adbdee/000000000000000
0
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24094: out A431AA6E30ADBDEE00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24094: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=a431aa6e30adbdee/000000000000000
0
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24094: out A431AA6E30ADBDEE00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24094: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=a431aa6e30adbdee/000000000000000
0
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24094: negotiation timeout, deleting
ike 0:SS6KDI: connection expiring due to phase1 down
ike 0:SS6KDI: deleting
ike 0:SS6KDI: deleted
ike 0:SS6KDI: schedule auto-negotiate
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: created connection: 0x882e880 6 101.60.x.x->192.168.1.2:500.
ike 0:SS6KDI: HA start as master
ike 0:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:500 negotiating
ike 0:SS6KDI: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:SS6KDI:24100: initiator: main mode is sending 1st message...
ike 0:SS6KDI:24100: cookie dd3c684e49c7fb0f/0000000000000000
ike 0:SS6KDI:24100: out DD3C684E49C7FB0F00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24100: sent IKE msg (ident_i1send): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=dd3c684e49c7fb0f/0000000000000000
ike 0:SS6KDI:24100: out DD3C684E49C7FB0F00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24100: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=dd3c684e49c7fb0f/000000000000000
0
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24100: out DD3C684E49C7FB0F00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24100: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=dd3c684e49c7fb0f/000000000000000
0
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24100: out DD3C684E49C7FB0F00000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24100: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=dd3c684e49c7fb0f/000000000000000
0
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24100: negotiation timeout, deleting
ike 0:SS6KDI: connection expiring due to phase1 down
ike 0:SS6KDI: deleting
ike 0:SS6KDI: deleted
ike 0:SS6KDI: schedule auto-negotiate
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: created connection: 0x882e880 6 101.60.x.x->192.168.1.2:500.
ike 0:SS6KDI: HA start as master
ike 0:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:500 negotiating
ike 0:SS6KDI: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:SS6KDI:24107: initiator: main mode is sending 1st message...
ike 0:SS6KDI:24107: cookie 16f09453070aa0e4/0000000000000000
ike 0:SS6KDI:24107: out 16F09453070AA0E400000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24107: sent IKE msg (ident_i1send): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=16f09453070aa0e4/0000000000000000
ike 0:SS6KDI:24107: out 16F09453070AA0E400000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24107: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=16f09453070aa0e4/000000000000000
0
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24107: out 16F09453070AA0E400000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24107: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=16f09453070aa0e4/000000000000000
0
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24107: out 16F09453070AA0E400000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24107: sent IKE msg (P1_RETRANSMIT): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=16f09453070aa0e4/000000000000000
0
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: using existing connection
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: request is on the queue
ike 0:SS6KDI:24107: negotiation timeout, deleting
ike 0:SS6KDI: connection expiring due to phase1 down
ike 0:SS6KDI: deleting
ike 0:SS6KDI: deleted
ike 0:SS6KDI: schedule auto-negotiate
ike 0:SS6KDI:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:0
ike 0:SS6KDI:SS6KDI: config found
ike 0:SS6KDI: created connection: 0x882e880 6 101.60.x.x->192.168.1.2:500.
ike 0:SS6KDI: HA start as master
ike 0:SS6KDI: IPsec SA connect 6 101.60.x.x->192.168.1.2:500 negotiating
ike 0:SS6KDI: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:SS6KDI:24115: initiator: main mode is sending 1st message...
ike 0:SS6KDI:24115: cookie d09d92449a6a8c17/0000000000000000
ike 0:SS6KDI:24115: out D09D92449A6A8C1700000000000000000110020000000000000000CC0D00005C000000010000000100000050010100020300002401010000
800B0001000C0004000151808001000580030001800200028004000E0000002402010000800B0001000C000400015180800100058003000180020002800400050D000014
AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C00000000000001482990317
57A36082C6A621DE00000000
ike 0:SS6KDI:24115: sent IKE msg (ident_i1send): 101.60.x.x:500->192.168.1.2:500, len=204, vrf=0, id=d09d92449a6a8c17/0000000000000000
ike 0:SS6KDI:24115: out 


101.60.x.x(note: x is i hide the real ip, but his ip is public static)

 

 

 

 

 

error log from mikrotik site B

 

 

phase1 negotiation failed due to time up 192.168.1.2[500]<=>101.60.x.x[500] 313ffbc15d85dda8:0000000000000000

 

 

 

 

101.60.x.x Fortigate gw(note: x is i hide the real ip here sorry, but the ip is public static)

 

 

i don't have idea what's fault in my config, your help is really appreciate... thank you

Labels:
2331
0 Kudos
4 REPLIES 4
saneeshpv_FTNT
Staff
Staff

Created on ‎05-17-2023 06:42 AM

As per the debug logs, there is no message received on Fortigate from the mikrotik side. What is the Public IP address on mikrotik side?  I could you are using a Private IP in the mikrotik side.

2292
0 Kudos
alan_02
New Contributor
In response to saneeshpv_FTNT

Created on ‎05-17-2023 06:56 AM

yes i using private ip in mikrotik side B. i must using public address to from mikrotik side B?

2285
0 Kudos
saneeshpv_FTNT
Staff
Staff

Created on ‎05-17-2023 07:00 AM

if you are using private IP address, how you could route the traffic over the internet to mikrotik site?

 

its not possible, so yes you need a Public IP address on the mikrotik device, if there is no other device in front of your mikrotik device providing Internet connection. 

2283
0 Kudos
alan_02
New Contributor
In response to saneeshpv_FTNT

Created on ‎05-17-2023 07:49 AM Edited on ‎05-17-2023 08:12 AM

to be honest,i don't know what's my mikrotik public address.. 

 

what if i did dial up ipsec in fortigate side?

2282
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.