mcdaniels
New Contributor

IPSEC Dial UP VPN behind a Router (Mikrotik)

Hi folks,

I have a little (big?) problem trying to configure a Mikrotik routerboard to connect to a FGT100D.

The Mikrotik is sitting behind a router which points to the internet. The router gives a LAN address to the Mikrotik WAN port: 192.168.0.101/24.

The Mikrotik itself gives connected clients the IP range 192.168.88.0/24.

The official IP for connections to the internet is 77.110.xxx.yyy (static).

I am trying to connect to a LAN behind the Fortigate (10.0.0.0/24).

If I set up an IPSEC dialup VPN, phase 1 is working properly, but I am struggling with phase 2, which never comes up.

My question is: as it is a dialup connection initiated from the Mikrotik, which IP addresses do I have to use in the VPN settings for local and remote network?

What is the SA Src. Address / SA Dst. Address? In my opinion this should be the official IPs of both ends?

thx!

Toshi_Esumi
Esteemed Contributor III

This is a little old (5.0) and FG-to-FG, but the essential part should be the same especially on the server side. On the client side you need to translate the FG60D config to your device's config.

https://video.fortinet.com/video/102/site-to-site-ipsec-vpn-behind-firewall-nat-device

 

mcdaniels

Hi thanks!

Just tried it that way but Phase2 is not coming up. Settings at the Fortigate are OK. P1 is initiated in aggressive mode with a User ID. But as said, Phase2 is not initiated. I do not see any attempts for the P2 in the VPN debug logs of the Fortigate.

Toshi_Esumi
Esteemed Contributor III

Are you actually sending packets from the source subnet to the destination you configured in the phase2 on the remote router? A Phase2 attempt in a dial-up situation is completely up to the remote end. If you don't see any attempts on the FG side, the remote router is not attempting.

mcdaniels

Hi,

If I ping an IP from the dial-up site to the remote side, I can see that the Mikrotik is setting up an SA, which shows the src address (my official IP at the dial-up site) and the dst address of the remote site (Fortigate official IP).

But no Phase2.

The network scheme of the configuration is attached. Is this supposed to work?

Toshi_Esumi
Esteemed Contributor III

Looks like a typical NAT traversal situation. No reason for it not to work, as far as I can see.

There seems to be a Mikrotik forum. I would try asking there.

francescore

Good evening all, I've finally managed to get this scenario working: RouterOS (6.40.4) behind a NAT is now able to open an IPSec SA to a FG80C (5.6), and the traffic is routed. If you're still interested, contact me and I'll be happy to show the way I did it. The main source of mistakes was that the FG wants everything (Phase1, Phase2 and Firewall Policies) correctly configured before any test can take place. In contrast, RouterOS leads you into thinking you can "build & test" step by step: Phase1, then Phase2, then Policies. Complete the configuration before beginning with tests.

Find below the CLI configuration for both devices.

FortiOS configuration
=====================

FG80C # show vpn ipsec phase1-interface
    edit "Dial-UP-IPSec"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set proposal 3des-sha1
        set dpd disable
        set dhgrp 2
        set peerid "User01"
        set psksecret Mescal&Ladroni
    next
end

FG80C # show vpn ipsec phase2-interface
    edit "Dial-UP-IPSec-Phase2"
        set phase1name "Dial-UP-IPSec"
        set proposal 3des-md5
        set pfs disable
        set replay disable
        set keylifeseconds 3600
        set src-subnet 172.24.1.0 255.255.255.0    --> Local Subnet on FortiOS side
        set dst-subnet 10.5.1.0 255.255.255.0      --> Local Subnet on RouterOS side
    next
end

FG80C # config firewall policy
(in my case I want only the RouterOS side to contact the FG80C side, hence I have configured only one policy for this direction)
FG80C (policy) # show
    edit 45
        set srcintf "Dial-UP-IPSec"
        set dstintf "wan1"
        set srcaddr "10.5.1.0/24"      --> Local Subnet on RouterOS side
        set dstaddr "172.24.1.0/24"    --> Local Subnet on FortiOS side
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

!!! IMPORTANT NOTE ON STATIC-ROUTING !!!

In this Dial-Up scenario there's no need (or possibility) to configure explicit static routing. Once the Dial-Up VPN is up and running, the FG automatically installs a static route to 10.5.1.0/24 via the Dial-Up-IPSec interface. When the Dial-Up tunnel is down, the route disappears. Remember to add a higher-distance blackhole route to 10.5.1.0/24 to avoid routing loops when the dial-up tunnel is down.

RouterOS configuration
======================
[admin@MikroTik] /ip ipsec> export verbose

/ip address
add address=10.5.1.254/24 interface=bridge1 network=10.5.1.0    --> Local Subnet on RouterOS side
add address=10.3.1.13/24 interface=ether1 network=10.3.1.0      --> Subnet providing RouterOS Internet access (behind the NAT)

/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=1h name=fase2

/ip ipsec peer
add address=<FG80C public IP>/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m enc-algorithm=3des exchange-mode=ike2 generate-policy=no hash-algorithm=sha1 lifetime=1d my-id=key-id:User01 policy-template-group=default secret=Mescal&Ladroni send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=172.24.1.0/24 dst-port=any ipsec-protocols=esp level=require proposal=fase2 protocol=all sa-dst-address=109.233.220.175 sa-src-address=0.0.0.0 src-address=10.5.1.0/24 src-port=any tunnel=yes    --> sa-dst-address is the FG80C public IP

Coberas

Hi, I implemented your solution and the connection is established, but I think routing is not working. I can't ping devices in the LAN networks in either direction. I've also created a blackhole route to drop sessions when the VPN is down, with priority 50. Normally, when the VPN is up, in the routing monitor I see the dynamic route with priority 15. Could you help?

The Fortigate has a static public IP set up on its WAN interface.

The Mikrotik has a dynamic public IP.

The connection is established and I see the VPN as UP from the Fortigate side and status established from the Mikrotik side.

But the subnet behind the Mikrotik can't ping the subnet behind the Fortigate, so it's probably a routing problem.

That happens in both directions.

francescore

Good evening Coberas, I've double-checked what I wrote and I've realized that I had forgotten an important section of the RouterOS configuration.

/ip firewall nat
add action=accept chain=srcnat dst-address=172.24.1.0/24 out-interface=ether1 src-address=10.5.1.0/24    --> exclude tunnel traffic from source-nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.5.1.0/24                          --> source-nat all other traffic

This configuration is mandatory on RouterOS in order to exclude the tunnel traffic (from 10.5.1.0/24 to 172.24.1.0/24) from the "default" masquerade that follows.

Remember that source-nat (/ip firewall nat) happens before IPSec encryption (/ip ipsec policy): if you don't configure the NAT as described, then all the traffic sourced from 10.5.1.0/24 is source-natted (masqueraded with the ether1 IP address) and becomes "invisible" to the encryption policy (/ip ipsec policy), which then ignores it.

Try and let us know if this tip fixes your issue.

 

 

Dial-UP vs DDNS IPSec

In your scenario RouterOS faces the Internet and is assigned a dynamic public IP address.

In this case I suggest you deploy your IPSec in DDNS mode and abandon Dial-UP mode, which is more suitable when RouterOS is behind another router that NATs its traffic.

DDNS (like the default "static" mode) allows you to work according to a point-to-point model that is easier to manage and troubleshoot.

On RouterOS

1) Enable DynamicDNS update under the IP --> Cloud menu.

/ip cloud
set ddns-enabled=yes update-time=no

2) Upon activation RouterOS will register a dynamic DNS record in the form "aabbcc001122.sn.mynetname.net" ("aabbcc001122" being your RouterOS serial number, as you can read in System --> Routerboard). "sn.mynetname.net" is a free DDNS service provided by Mikrotik.

3) Check your RouterOS reachability at "aabbcc001122.sn.mynetname.net".

On FortiOS

1) Configure phase1-interface

config vpn ipsec phase1-interface
    edit "DDNS-IPSec"
        set type ddns
        set interface "wan1"
        set mode aggressive
        set peertype any
        set proposal 3des-sha1
        set localid "antares"
        set dhgrp 2
        set remotegw-ddns "aabbcc001122.sn.mynetname.net"    <-- This is the RouterOS DDNS record (see above)
        set psksecret ENC .....
    next
end

2) Follow as already described above with phase2 and policies.

3) Configure the static route (in this case the static route MUST be configured, it's not automatic)

config router static
    edit 33
        set dst 10.5.1.0 255.255.255.0
        set device "DDNS-IPSec"
    next
end

Hope this helps.

f.
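To make two points in this thread concrete, namely francescore's note that on RouterOS source NAT (/ip firewall nat) runs before the IPsec policy lookup (/ip ipsec policy), and Toshi_Esumi's earlier point that phase 2 is only attempted for traffic that matches the policy's source/destination selectors, here is an added Python model of that packet flow. It is not code from the thread, from RouterOS or from Fortinet; the addresses are the ones posted above, while the `Packet`, `srcnat_chain`, `routeros_egress` names and the simplified rule format are my own, and the model looks only at source/destination matching (no ports, interfaces or connection tracking). The proposals in the posted configs (3des, md5, sha1, DH group 2 / modp1024) are the thread's values and are considered weak by current standards; the model below does not depend on them.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses as posted in the thread; the flow model itself is a simplification
# written for this example (assumption), not RouterOS or FortiOS code.
ETHER1_ADDR = "10.3.1.13"               # RouterOS WAN address, behind the upstream NAT
LAN = ip_network("10.5.1.0/24")         # local subnet on the RouterOS side
REMOTE = ip_network("172.24.1.0/24")    # local subnet on the FortiOS side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# /ip firewall nat as corrected in the thread: the accept rule exempts
# LAN -> remote traffic from NAT, the masquerade rule catches everything else.
NAT_WITH_EXCLUSION = [
    {"chain": "srcnat", "src": LAN, "dst": REMOTE, "action": "accept"},
    {"chain": "srcnat", "src": LAN, "dst": None, "action": "masquerade"},
]
# The originally posted config: masquerade only, no exemption.
NAT_WITHOUT_EXCLUSION = [
    {"chain": "srcnat", "src": LAN, "dst": None, "action": "masquerade"},
]
# /ip ipsec policy selectors (src-address / dst-address).
IPSEC_POLICY = {"src": LAN, "dst": REMOTE}


def rule_matches(pkt: Packet, rule: dict) -> bool:
    """A rule with dst=None matches any destination."""
    src_ok = ip_address(pkt.src) in rule["src"]
    dst_ok = rule["dst"] is None or ip_address(pkt.dst) in rule["dst"]
    return src_ok and dst_ok


def srcnat_chain(pkt: Packet, rules: list) -> Packet:
    """First matching srcnat rule decides: accept leaves the packet
    untouched and stops the chain, masquerade rewrites the source."""
    for rule in rules:
        if rule_matches(pkt, rule):
            if rule["action"] == "accept":
                return pkt
            if rule["action"] == "masquerade":
                return replace(pkt, src=ETHER1_ADDR)
    return pkt


def ipsec_policy_matches(pkt: Packet, policy: dict) -> bool:
    """Phase 2 is only triggered for traffic that fits both selectors."""
    return (ip_address(pkt.src) in policy["src"]
            and ip_address(pkt.dst) in policy["dst"])


def routeros_egress(pkt: Packet, nat_rules: list, policy: dict) -> tuple:
    """Apply srcnat first, then the IPsec policy lookup, in that order.
    Returns (source address the policy sees, whether the packet is encrypted)."""
    after_nat = srcnat_chain(pkt, nat_rules)
    return after_nat.src, ipsec_policy_matches(after_nat, policy)


if __name__ == "__main__":
    lan_host = Packet("10.5.1.10", "172.24.1.20")    # constructed LAN -> remote ping
    for label, rules in (("without exclusion", NAT_WITHOUT_EXCLUSION),
                         ("with exclusion", NAT_WITH_EXCLUSION)):
        src, encrypted = routeros_egress(lan_host, rules, IPSEC_POLICY)
        print(f"{label}: policy sees src={src}, encrypted={encrypted}")
    # Traffic sourced from the router itself never matches the selectors,
    # so it will not bring phase 2 up however the NAT is configured.
    print(routeros_egress(Packet(ETHER1_ADDR, "172.24.1.20"),
                          NAT_WITH_EXCLUSION, IPSEC_POLICY))
```

Run it as a script: without the accept rule the LAN host's ping reaches the policy lookup with the ether1 address as source and is sent in the clear, which is exactly why the Fortigate never sees a phase 2 attempt; with the accept rule the original source survives and the packet is encrypted. The last line reproduces Toshi_Esumi's point: a ping issued from the router itself (source 10.3.1.13) is outside the 10.5.1.0/24 selector and will never trigger phase 2, so tests must originate from a LAN host.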

 

 

Coberas

That was helpful, but it's IKEv1 and I was thinking about IKEv2. And that parameter "set remote-ddns" was brilliant, I didn't know that could exist in the CLI ;)
