IPsec VPN between Fortigate and Mikrotik

Author
DamianLozano
2020/07/29 14:05:10 (permalink)

IPsec VPN between Fortigate and Mikrotik

Hello,

I tried to create, for the first time, a VPN between a Fortigate 60E (v5.6.0) and a Mikrotik CCR1009-7G-1C-1S+ (v6.45.7), but with issues.
I used the following "guide": https://www.fastbit.ro/en/ipsec-site-to ... Sec%20Peer.
Many menus are very different across RouterOS versions and I found everything different.
The first thing that catches my attention is that the "guide" asked me to create an IPsec policy, specifying the local and remote networks. I have created this; however, when I see the policy, it appears with 0.0.0.0/0 as source address and the remote public IP as destination address, and it doesn't let me change the values.
In the Fortigate I have another IPsec VPN with another Fortigate device, which is working.

This is the VPN setting in the Mikrotik:
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=3des name=profileTemp
/ip ipsec peer
add address=remotePublicIP/32 name=peerTemp profile=profileTemp
/ip ipsec proposal
add enc-algorithms=3des lifetime=1d name=proposaltemp pfs-group=modp1536
/ip ipsec identity
add peer=peerTemp secret=Argentina20
/ip ipsec policy
add dst-address=190.111.200.154/32 peer=peerTemp proposal=proposaltemp src-address=0.0.0.0/0
I ran a debug on the Fortigate and got the following:
diagnose debug enable
diagnose debug application ike -1

fgt60e-iga01 # ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:bf4ddd3d len=92
ike 0: in DCD2166064C689C55C05337671EB29A808100501BF4DDD3D0000005CF6EEE2129F004C024770A4F7EC1660535C35E6FF0149DFF8B8A6D8EA577D7FC8609D202CE3274B5DB6C9444563528ED5D17F1EB9D4A9B211E89B306B1F422999
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A808100501BF4DDD3D0000005C0B00001842EAD06BCC1C1648A9EE1B77E291F050E384E63F000000200000000101108D28DCD2166064C689C55C05337671EB29A80011691B65DC2EF2D447A507
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A8081005018D693DF2000000540B00001860924C304E7F5B65BB1DC5AAD7BFF41FB5BA8D8B000000200000000101108D29DCD2166064C689C55C05337671EB29A80011691B
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A8081005018D693DF20000005CECCAE8EDADB77DABA6CEEB5EC49E4B69E91A960E1EDCCFB6F14361076095048978842EEC1EFA4521086B4F24FB6F5DF3E11A84C17731D76677B3B1570FB5E8BB
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:8d693df2
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes MKTpublicIP:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=e223d3ab5154f152/0000000000000000 len=344
ike 0: in
ike 0:e223d3ab5154f152/0000000000000000:665: responder: main mode get 1st message...
ike 0:e223d3ab5154f152/0000000000000000:665: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:e223d3ab5154f152/0000000000000000:665: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:e223d3ab5154f152/0000000000000000:665: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:e223d3ab5154f152/0000000000000000:665: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:VPNnotWorking: ignoring IKE request, no policy configured
ike 0:e223d3ab5154f152/0000000000000000:665: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:e223d3ab5154f152/0000000000000000:665: no SA proposal chosen
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:7f92927e len=92
ike 0: in DCD2166064C689C55C05337671EB29A8081005017F92927E0000005C23E9E8BA922224E27410752A322D3C8F5078295313576A969995532EA5726D4645261202E16911BDF31BCE93EB53F1E49ABA13F5F5CC477A366A865642046B3F
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A8081005017F92927E0000005C0B000018A0F62FB15CB9A23E70193206725F7749387191C8000000200000000101108D28DCD2166064C689C55C05337671EB29A80011691C38D41073DB07FB07
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A80810050115C5C594000000540B0000182BC0C54DEF16A64BDE0474940F4DAB0AFB1B3B28000000200000000101108D29DCD2166064C689C55C05337671EB29A80011691C
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A80810050115C5C5940000005C9E37C0FEBE0D9F6DA2FFD0CBEEC540C9F7846B962BAD08D18817ED83E6F3875F647F92D107C734926113F64CCBC3B11BFB2E70E91AC57A9E553C906B490F5547
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:15c5c594
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:4c9d7d25 len=92
ike 0: in DCD2166064C689C55C05337671EB29A8081005014C9D7D250000005CF8C4A1D282BB7CBBEEFE1DCBB527662543A776DAC5FCBBD6D7262133D4AB4B44BCEABC49BEC68566C401B6371377C0D34D87363B6666E4448774A5444231915D
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A8081005014C9D7D250000005C0B000018F2E3F9AED40BDA510EBD40639643AEE60BCC1BC7000000200000000101108D28DCD2166064C689C55C05337671EB29A80011691D54A4BFDB8EC5AB07
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A808100501F5A92033000000540B0000187429C914D0BCEE87A3DF44E84ED729C39315D144000000200000000101108D29DCD2166064C689C55C05337671EB29A80011691D
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A808100501F5A920330000005C14D21895B0664AA669F4F3EA38F01236EE35ACEBA85ED67C5766AE4C856E311530448E00FB67F559E2B0988FE1C5ABFFE6ADD7D4B9A0CCF3A5484AB2991D587E
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:f5a92033
ike 0:VPNnotWorking: gw negotiation timeout
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes MKTpublicIP:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=e223d3ab5154f152/0000000000000000 len=344
ike 0: in
ike 0:e223d3ab5154f152/0000000000000000:666: responder: main mode get 1st message...
ike 0:e223d3ab5154f152/0000000000000000:666: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:e223d3ab5154f152/0000000000000000:666: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:e223d3ab5154f152/0000000000000000:666: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:e223d3ab5154f152/0000000000000000:666: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:VPNnotWorking: ignoring IKE request, no policy configured
ike 0:e223d3ab5154f152/0000000000000000:666: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:e223d3ab5154f152/0000000000000000:666: no SA proposal chosen

fgt60e-iga01 # ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:de0a8ecb len=92
ike 0: in DCD2166064C689C55C05337671EB29A808100501DE0A8ECB0000005CCC2D99EAEC38155B2EBE42D6D05A10208A3C3AACB70CE8FF2B99ECC47E6137BDAABA52CED08EE7A99E0369BEB191C04AFE671B3869FD0147017D843592753E6B
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A808100501DE0A8ECB0000005C0B0000182B17852A73613B947EB56B68ECEB9CBFA3450EB4000000200000000101108D28DCD2166064C689C55C05337671EB29A80011691E6C1A58ABDBC87D07
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A808100501D6B40B29000000540B000018FEA0F92D74FA46C5208DBAA51559C7334AB4A6B9000000200000000101108D29DCD2166064C689C55C05337671EB29A80011691E
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A808100501D6B40B290000005C516C3BB76C362A610F630037159190A9CDAF6FF66769D51D369834FA294E0927CE8D32F927C922183C25B8112C251C86FD0B1C00B725FF5DD9ECB937438A4DFD
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:d6b40b29
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
diaike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:f4d82f23 len=92
ike 0: in DCD2166064C689C55C05337671EB29A808100501F4D82F230000005CE48AE2C546372335306B6480FC2B370C4409B3CD8A52F3839805FA4A8F5F105F2FA616A53A4FB580ACFA9F5B3E4E4FCC9EBCB64BCB991B87AB9D27AE91063D20
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A808100501F4D82F230000005C0B000018C2C6970FFEFC4C6B53E9811EE21C53BD00CC9A9E000000200000000101108D28DCD2166064C689C55C05337671EB29A80011691F2C2F7CC78E46D607
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A8081005010982D979000000540B000018D70F7978CD77A35EC43FF12ECF5710E493215746000000200000000101108D29DCD2166064C689C55C05337671EB29A80011691F
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A8081005010982D9790000005C1AB43D21F31A9DF7E82CC81C4B5B34C71D19D605876CDB331F793B4A65E486090D9D23317AEFCD8D3D050C9C032F618C396A6172E654FF036289F1EE588367B5
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:0982d979
gnose deike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
bug disaike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=dcd2166064c689c5/5c05337671eb29a8:7bdddc9e len=92
ike 0: in DCD2166064C689C55C05337671EB29A8081005017BDDDC9E0000005C92E7F23C31876941DF781405208F0F4585937381F0B07ECCF952617C03C422DBEF425E65E8C86B1CED15F551FC5B22C971B6FE5DF592B2EE1B399B35279492D6
ike 0:VPNworking:248: dec DCD2166064C689C55C05337671EB29A8081005017BDDDC9E0000005C0B00001857806043CA930CAC8F67B1BAD61876A4D2C17C75000000200000000101108D28DCD2166064C689C55C05337671EB29A80011692096A450E529E5C007
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: enc DCD2166064C689C55C05337671EB29A808100501078A66ED000000540B000018A3A469AF3EC99F5656C43A2843BB8A3BC1CD03CB000000200000000101108D29DCD2166064C689C55C05337671EB29A800116920
ike 0:VPNworking:248: out DCD2166064C689C55C05337671EB29A808100501078A66ED0000005CFCFF7B0D4CBEA1D1C511D05DDE738987CE3D49F39CBE5CCDD6ABB333E8722E5064ED7DE0756F6E3DBBDAF9C1C46D7AAB9AA23F2BBF59F4F7402CFC15C072C9B0
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:078a66ed
ble

The Fortigate tells me "No policy configured". Do you know what policy it is talking about?

Thanks in advance.
Regards,
Damián
 
#1
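The debug output above is mostly DPD keepalive chatter from the working tunnel (VPNworking) with the failing tunnel's lines interleaved, and near the end the typed "diagnose debug disable" is mixed into the output. As an added example, not part of the original post, here is a small Python triage script that pulls the decisive lines out of "diagnose debug application ike -1" output, groups them per gateway, and maps each to the next thing to check. The sample lines are copied (shortened) from the output above; the hint texts are my own summary of what each event usually points at, not FortiGate documentation.

```python
"""Triage helper for FortiGate "diagnose debug application ike -1" output.

Added example. Line patterns come from the thread's debug output; the hint
texts are my own wording of what each event usually points at.
"""
import re
from collections import Counter, defaultdict

# Decisive event lines. The hex dumps (in/dec/enc/out) add nothing for this
# purpose and are ignored.
EVENT_PATTERNS = {
    "no_policy": re.compile(r"ignoring (?:IKE request|request to establish IPsec SA), no policy configured"),
    "no_proposal": re.compile(r"no SA proposal chosen|NO-PROPOSAL-CHOSEN"),
    "timeout": re.compile(r"gw negotiation timeout"),
    "dpd": re.compile(r"R-U-THERE"),
    "main_mode": re.compile(r"responder: main mode get 1st message"),
    "neg_failure": re.compile(r"negotiation failure"),
}

# Next thing to check per blocking event (my wording, not FortiGate's).
HINTS = {
    "no_policy": "no firewall policy or route references this phase1; add policies "
                 "between the LAN and the tunnel interface, plus a route via the tunnel",
    "no_proposal": "phase1/phase2 proposals do not intersect (encryption, hash, DH group, "
                   "lifetime); if it directly follows a no_policy line, fix the policy first",
    "timeout": "phase1 never completed; check UDP/500 (UDP/4500 behind NAT) and the PSK",
}

# The gateway name sits right after "ike 0:". Lines that carry only ISAKMP
# cookies ("e223...f152/0000...") belong to a peer no phase1 has matched yet.
GW_RE = re.compile(r"ike 0:(?P<gw>[^:\s]+):")


def parse_ike_line(line):
    """Return (gateway, event); either may be None. Searches inside the line,
    so prompts typed over the output ("diaike 0: ...") still parse."""
    m = GW_RE.search(line)
    gw = m.group("gw") if m else None
    if gw and "/" in gw:
        gw = "unnamed(" + gw.split("/")[0] + ")"
    for event, pat in EVENT_PATTERNS.items():
        if pat.search(line):
            return gw, event
    return gw, None


def triage(lines):
    """Count events per gateway and derive findings in order of first appearance."""
    counts = defaultdict(Counter)
    for line in lines:
        gw, event = parse_ike_line(line)
        if event:
            counts[gw or "(global)"][event] += 1
    findings = []
    for gw, c in counts.items():
        blocking = [e for e in ("no_policy", "no_proposal", "timeout") if c[e]]
        if not blocking and c["dpd"]:
            findings.append(f"{gw}: healthy, only DPD keepalives seen")
        for e in blocking:
            findings.append(f"{gw}: {e} x{c[e]}: {HINTS[e]}")
    return {gw: dict(c) for gw, c in counts.items()}, findings


# Sample lines copied (shortened) from the debug output in the thread.
SAMPLE_LOG = """\
ike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
ike 0:VPNnotWorking: ignoring request to establish IPsec SA, no policy configured
ike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
ike 0:VPNworking:248: notify msg received: R-U-THERE
ike 0:VPNworking:248: sent IKE msg (R-U-THERE-ACK): FGpublicIP:500->FGpublicIP2:500, len=92, id=dcd2166064c689c5/5c05337671eb29a8:8d693df2
ike 0: comes MKTpublicIP:500->FGpublicIP:500,ifindex=5....
ike 0:e223d3ab5154f152/0000000000000000:665: responder: main mode get 1st message...
ike 0:VPNnotWorking: ignoring IKE request, no policy configured
ike 0:e223d3ab5154f152/0000000000000000:665: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:e223d3ab5154f152/0000000000000000:665: no SA proposal chosen
ike 0:VPNnotWorking: gw negotiation timeout
diaike 0: comes FGpublicIP2:500->FGpublicIP:500,ifindex=5....
gnose deike 0:VPNnotWorking:VPNnotWorking: IPsec SA connect 5 FGpublicIP->MKTpublicIP:0
"""

if __name__ == "__main__":
    summary, findings = triage(SAMPLE_LOG.splitlines())
    for gw, c in summary.items():
        print(gw, c)
    for f in findings:
        print("-", f)
```

Running it separates the three actors in the log: VPNworking shows only DPD keepalives, VPNnotWorking shows the repeated "no policy configured" plus a negotiation timeout, and the peer that only ever reached the cookie stage ends in "no SA proposal chosen".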


    brycemd
    Re: IPsec VPN between Fortigate and Mikrotik 2020/07/29 22:02:04 (permalink)
    No policy configured typically means there isn't an IPv4 policy to actually allow the traffic, or a route to send traffic across the tunnel. If there isn't a firewall policy to allow it or a route to send traffic, it prevents the tunnel from coming up, since it wouldn't be able to send traffic across.
    post edited by brycemd - 2020/07/29 22:03:56
    #2
    sw2090
    Re: IPsec VPN between Fortigate and Mikrotik 2020/07/30 00:39:52 (permalink)
    The FGT says it has no policy for that VPN. So go and create one on your FGT :)
    #3
    DamianLozano
    Re: IPsec VPN between Fortigate and Mikrotik 2020/07/30 06:22:42 (permalink)
    Thanks for your response,
     
    I have seen in some cases a rule with action "ipsec" from LAN to WAN, but in this Fortigate I don't have such an action option.
    I thought that the rules to allow traffic through the VPN were not necessary to establish it, but I just created both rules to allow traffic from LAN to VPN and VPN to LAN.
    This time I didn't get the no policy message, but I got the following:
    6353: notify msg received: NO-PROPOSAL-CHOSEN
     
    In the Mikrotik I had created a proposal with the same values that in the Fortigate
    Any idea?
     
    Thanks in advance.
    Regards,
    Damián
    #4
    sw2090
    Re: IPsec VPN between Fortigate and Mikrotik 2020/07/30 06:29:27 (permalink)
    NO-PROPOSAL-CHOSEN usually means that your FGT and your Mikrotik didn't find a matching pair of proposals.
    Phase1 and Phase2 both have to match at least one pair of proposals.
    Also DH Group and Key TTL have to match on both sides.
     
    #5
    DamianLozano
    Re: IPsec VPN between Fortigate and Mikrotik 2020/07/30 07:02:10 (permalink)
    Hello
    Thanks for your response.
     
    Yes, I can't see anything different.
    Phase1, phase2, DH Group and lifetime are the same in both Mikrotik and Fortigate.
     
    Any idea?
    Regards
    #6
    sw2090
    Re: IPsec VPN between Fortigate and Mikrotik 2020/07/30 07:11:18 (permalink)
    hm, then you reached the "IPsec is cool if it is running, but it's a pain in the **** to debug" stage ;)
     
    I had the same message when the SAs got screwed up due to phase1 auto-negotiation. This happened when one end of a tunnel went down and DPD was active. DPD on the other side then noticed the other side being down and threw away the tunnel as it is supposed to. P1 auto-negotiation then ASAP tried to re-establish the tunnel, which caused a "dead end". Auto-negotiation created a new SA for the tunnel which didn't go through since the other end was still down. But then this side kept answering requests from the other side via the "dead end" until some timeout took that away.
     
    You could try to force that on the FGT CLI with the commands:
     
    diag vpn ike gateway clear [name <phase1-name>   ]
    diag vpn ike restart
     
    the first one kills all ike SAs or the one specified by "name <p1 name>" behind the command
    the second one restarts the ike service
     
    In my case this helped.
     
    You could also try to disable P1 auto-negotiation on the FGT to have the tunnel triggered only by the Mikrotik.
    This also can only be done on the FGT CLI because it is not available in the GUI, for unknown Fortinet reasons.
     
    config vpn ipsec phase1-interface
    edit <phase1-name>
    set auto-negotiation disable
    end
     
    I am not sure about the set command here but you could enter set auto and press tab and you will find it.
    FGT cli does have tab completion :)
    post edited by sw2090 - 2020/07/30 07:14:25
    #7
    DamianLozano
    Re: IPsec VPN between Fortigate and Mikrotik 2020/07/30 08:33:47 (permalink)
    Hello, thanks for your response.
    The first commands you gave me didn't work.
    In the Mikrotik, "active peer" tab, "side" column, it appears as "responder". I changed the auto-negotiate option to disabled in the Fortigate, which I think is to trigger the tunnel from the Mikrotik side.
    I am not sure, but maybe the "responder" value means that the Fortigate tried to start the tunnel and the Mikrotik answered; this means that disabling the auto-negotiate option is not doing what I supposed it to do. Am I right?
    Anyway, I tried to enable auto-negotiate in the Fortigate and set "passive" in the Mikrotik peer, with the same behaviour.
    In the Mikrotik policies, it appears as "no phase2", which means that the issue is with phase2.
    I set on both sides:
    Auth algorithms: only sha1
    Encr algorithms: only 3des
    However, in the Mikrotik I set modp1536 as PFS Group, but I don't have any option like this in the Fortigate; I only have "Enable Perfect Forward Secrecy (PFS)" enabled, but I can't select anything.
    Could the problem be that sha1-3des works differently in Mikrotik and Fortigate?
    Do you have any working configuration?
    Regards,
    Damián
    #8
    DamianLozano
    Re: IPsec VPN between Fortigate and Mikrotik 2020/07/30 12:53:29 (permalink)
    Thanks, I made it work with another tutorial in my language.
    Maybe later I could copy the settings here.
    #9
    sw2090
    Re: IPsec VPN between Fortigate and Mikrotik 2020/07/30 23:15:32 (permalink)
    modp1536 equals DH Group 5 on the Fortigate.
    You can find a modp-to-dhgroup table e.g. in the Strongswan Wiki: https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
     
    Ciphers are standardized - there should be no difference. SHA1 is SHA1 everywhere.
     
    #10
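sw2090's two points (#5: phase1 and phase2 must each have at least one matching proposal, with DH group and lifetime agreeing on both sides; #10: modp1536 is DH group 5 on the Fortigate) can be turned into a mechanical check. As an added example that is not from the thread, here is a Python script that normalises RouterOS and FortiOS spellings (modp names versus DH group numbers, aes-128-cbc versus aes128, "1d" versus 86400 seconds) and reports where two configurations fail to intersect. The MikroTik and FortiGate values are constructed to mirror the thread; the FortiGate phase2 PFS group is deliberately set to 14 so that a NO-PROPOSAL-CHOSEN cause shows up. That value is an assumption for illustration, not a documented FortiOS default.

```python
"""Cross-vendor IKE proposal compatibility check (MikroTik RouterOS vs FortiGate).

Added example, not vendor code. The DH group numbers are the IANA
assignments (the same table the strongSwan wiki lists); the sample
configurations below are constructed, not taken from a real device.
"""
import re

# RouterOS names DH groups by MODP/ECP size; FortiGate uses the IANA number.
MODP_TO_DHGRP = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
    "modp3072": 15, "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21,
}

# Vendor spelling -> canonical name, so "aes-128-cbc" and "aes128" compare equal.
ENC_ALIASES = {
    "3des": "3des",
    "aes-128-cbc": "aes128", "aes128": "aes128",
    "aes-192-cbc": "aes192", "aes192": "aes192",
    "aes-256-cbc": "aes256", "aes256": "aes256",
}
AUTH_ALIASES = {"md5": "md5", "sha1": "sha1", "sha256": "sha256",
                "sha384": "sha384", "sha512": "sha512"}


def lifetime_seconds(value):
    """Accept FortiGate seconds (int or '86400') or RouterOS '1d', '8h', '30m', '1d12h'."""
    if isinstance(value, int):
        return value
    if value.isdigit():
        return int(value)
    units = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
    total = sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([wdhms])", value))
    if total == 0:
        raise ValueError(f"unparseable lifetime: {value!r}")
    return total


def dh_group(value):
    """Normalise 'modp1536', '5' or 5 to the IANA group number."""
    if isinstance(value, int):
        return value
    v = value.lower()
    return int(v) if v.isdigit() else MODP_TO_DHGRP[v]


def normalise(side):
    """Map one phase's settings (any vendor spelling) to canonical sets."""
    return {
        "enc": {ENC_ALIASES[e.lower()] for e in side["enc"]},
        "auth": {AUTH_ALIASES[a.lower()] for a in side["auth"]},
        "dh": {dh_group(g) for g in side["dh"]},
        "lifetime": lifetime_seconds(side["lifetime"]),
    }


def compare(a, b, label):
    """Return mismatch strings for one phase; an empty list means the proposals intersect."""
    na, nb = normalise(a), normalise(b)
    problems = []
    for key in ("enc", "auth", "dh"):
        if not (na[key] & nb[key]):
            problems.append(f"{label}: no common {key}: {sorted(na[key])} vs {sorted(nb[key])}")
    # sw2090's rule of thumb: keep lifetimes identical on both peers as well.
    if na["lifetime"] != nb["lifetime"]:
        problems.append(f"{label}: lifetime {na['lifetime']}s vs {nb['lifetime']}s")
    return problems


def check_tunnel(a, b):
    """Compare phase1 and phase2 of two peers; empty list means nothing obviously blocks."""
    return compare(a["phase1"], b["phase1"], "phase1") + compare(a["phase2"], b["phase2"], "phase2")


# Constructed values modelled on the thread. RouterOS spelling on the MikroTik
# side ("dh" in phase2 is its pfs-group), FortiOS spelling on the FortiGate side.
# The FortiGate phase2 group 14 is an assumed value to show a mismatch, not a default.
MIKROTIK = {
    "phase1": {"enc": ["3des"], "auth": ["sha1"], "dh": ["modp1536"], "lifetime": "1d"},
    "phase2": {"enc": ["3des"], "auth": ["sha1"], "dh": ["modp1536"], "lifetime": "30m"},
}
FORTIGATE = {
    "phase1": {"enc": ["3des"], "auth": ["sha1"], "dh": [5], "lifetime": 86400},
    "phase2": {"enc": ["3des"], "auth": ["sha1"], "dh": [14], "lifetime": 1800},
}

if __name__ == "__main__":
    for problem in check_tunnel(MIKROTIK, FORTIGATE) or ["proposals intersect"]:
        print(problem)
```

With the constructed values, phase1 passes (modp1536 and group 5 are the same thing, and 1d equals 86400 seconds) and the only finding is the phase2 PFS group, which is exactly the kind of one-sided setting that leaves a policy stuck at "no phase2" on the MikroTik while the FortiGate reports NO-PROPOSAL-CHOSEN.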