IPsec Between Fortinet and Mikrotik

Author
rolo
New Member
2020/11/09 05:09:39

IPsec Between Fortinet and Mikrotik

Hello, I don't have much experience with this stuff and have a little problem; if anyone can help me it would be great.
I have a FortiGate 40F on one side and a Mikrotik 2011 on the other side. I managed to build IPsec between those two and the IPsec is UP.
But there is a problem: I can't get a ping or any kind of connection between those two networks. On the Mikrotik I have the 192.168.1.0/24 network and on the Fortinet side I have the 192.168.60.0/24 network on the LAN ports. If anyone can tell me what I should check to find the problem, that would help; I don't have much experience with FortiGate.


https://ibb.co/0rnHQxN
https://ibb.co/JHwWsW8
https://ibb.co/kHKH6Lp
https://ibb.co/XLPxgD9
https://ibb.co/ysgG7Dy
https://ibb.co/L8vtmf7
https://ibb.co/q59nccM
#1
Toshi Esumi
Expert Member
Re: IPsec Between Fortinet and Mikrotik (2020/11/09 09:31:11)
I don't see any particular problem in the 40F config, although I would remove the second static route for 192.168/16. But it shouldn't break anything even if it's there.
I would suspect the other side, but first sniff packets on the FGT while you ping from the FGT's local side toward the other side. You need to disable ASIC offloading ("set auto-asic-offload disable") on both policies in the CLI to see all packets. Don't forget to re-enable it after you're done.
 
#2
Jirka
Gold Member
Re: IPsec Between Fortinet and Mikrotik (2020/11/09 09:51:20)
Hi,
do you have a rule on the Mikrotik in NAT that allows communication between the subnets? It must be placed in front of the global masquerade or NAT rule.
 
 # srcnat chain; place-before=0 puts the rule at the top, ahead of the masquerade rule
 /ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.60.0/24 action=accept place-before=0

 
We operate about 20+ IPsec tunnels between Mikrotik and FGT and they are rock stable.
 
Jirka
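A way to check the rule ordering Jirka describes, as an added example that is not from the thread and not MikroTik's own tooling: a Python script parses a "/ip firewall nat export" fragment and verifies that the accept rule for 192.168.1.0/24 to 192.168.60.0/24 sits in chain srcnat before any masquerade or src-nat rule. The two export fragments and the interface name ether1 are constructed for the example, not taken from rolo's configuration.

```python
import re

# Constructed RouterOS "/ip firewall nat export" fragments for the example.
# These are not rolo's configuration; ether1 is an assumed WAN interface name.
NAT_EXPORT_WRONG_ORDER = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat dst-address=192.168.60.0/24 src-address=192.168.1.0/24
"""

NAT_EXPORT_RIGHT_ORDER = """\
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.60.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
"""

KEY_VALUE_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_nat_rules(export_text):
    """Turn each 'add ...' line of an export into a dict of its key=value pairs,
    preserving the order in which RouterOS evaluates them."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(KEY_VALUE_RE.findall(line[4:])))
    return rules


def vpn_bypass_position(rules, local_net, remote_net):
    """Return (ok, message).

    ok is True only if an action=accept rule matching local_net -> remote_net
    appears in chain srcnat before the first masquerade / src-nat rule there.
    RouterOS applies source NAT before the IPsec policy lookup, so a masquerade
    rule that comes first rewrites the source address and the packet no longer
    matches the IPsec policy for local_net; that is the ordering problem above.
    """
    for idx, rule in enumerate(rules):
        if rule.get("chain") != "srcnat":
            continue
        if (rule.get("action") == "accept"
                and rule.get("src-address") == local_net
                and rule.get("dst-address") == remote_net):
            return True, f"VPN bypass rule found at srcnat position {idx}"
        if rule.get("action") in ("masquerade", "src-nat"):
            return False, (f"rule {idx} ({rule['action']}) comes before the VPN bypass; "
                           f"traffic from {local_net} to {remote_net} will be NATed")
    return False, "no accept rule for the VPN subnets in chain srcnat"


if __name__ == "__main__":
    for label, text in (("wrong order", NAT_EXPORT_WRONG_ORDER),
                        ("right order", NAT_EXPORT_RIGHT_ORDER)):
        ok, msg = vpn_bypass_position(parse_nat_rules(text),
                                      "192.168.1.0/24", "192.168.60.0/24")
        print(f"{label}: {'OK' if ok else 'PROBLEM'} - {msg}")
```

Paste the output of "/ip firewall nat export" from the router in place of the constructed text to run the same check against a real rule list; only the order within chain srcnat matters.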
#3
rolo
New Member
Re: IPsec Between Fortinet and Mikrotik (2020/11/09 13:32:40)
Hi, thanks for replying to me. I've created that rule on the Mikrotik side too, of course.
https://ibb.co/WxpJB84
#4
rolo
New Member
Re: IPsec Between Fortinet and Mikrotik (2020/11/09 13:39:00)
Hi, thank you so much for replying to me. I can provide the Mikrotik configuration too; I also have a rule to allow the connection between the 2 subnets: https://ibb.co/WxpJB84 .
Also I will try packet sniffing; I've never done it on FortiGate so I'll need some time to google it :D.
Any ideas what the problem can be on the Mikrotik side? I know it's hard to say like this.
#5
Jirka
Gold Member
Re: IPsec Between Fortinet and Mikrotik (2020/11/09 13:46:10)
Did you double check the IPsec settings on the Mikrotik? Mainly the DH and PFS group settings, lifetime and NAT traversal?
I don't think the mistake will be on the FortiGate's side.
 
Jirka
 
#6
rolo
New Member
Re: IPsec Between Fortinet and Mikrotik (2020/11/10 01:14:23)
Hi, so sorry for the late reply; here is the configuration on both sides.
 
https://ibb.co/H2jKx89
https://ibb.co/344018V
post edited by rolo - 2020/11/11 22:52:01
#7
supportombm
New Member
Re: IPsec Between Fortinet and Mikrotik (2020/11/11 08:57:03)
Hi,
I'm not here to help you, sorry, BUT next time ALWAYS HIDE your IPs in every image. It's a must if they are open. Trust me.
 
#8
emnoc
Expert Member
Re: IPsec Between Fortinet and Mikrotik (2020/11/11 09:39:28)
You need to double check phase 2, but first, have you run "diag debug application ike -1" on the FortiGate? If you see NO packets back from the Mikrotik, then investigate why. You can run "diag sniffer packet any "host x.x.x.x"" where x.x.x.x is the remote-gw address of the Mikrotik.
 
Also I would disable replay detection, and your config looks good FWIW. I would not use DES or dhgrp 2, but that is my preference.
 
Your problem is most likely a PSK mismatch, or the remote-gw is timing out; just look at this from a 100k-foot view.
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
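Both Toshi's and Ken's replies come down to the same check: sniff on the FGT for the Mikrotik's address and see whether anything comes back. The following Python is an added example, not part of the thread or of any Fortinet tool: it parses output in the style of "diagnose sniffer packet any "host x.x.x.x" 4", counts IKE (UDP 500/4500) and ESP packets in each direction relative to the remote gateway, and reports which of the two "nothing comes back" cases applies. The sample lines, the gateway addresses (RFC 5737 documentation ranges) and the interface name wan are constructed; the line format is an approximation of the sniffer's tcpdump-like output, not a capture from rolo's 40F.

```python
import re
from collections import Counter

# Constructed sample in the style of:  diagnose sniffer packet any "host 203.0.113.5" 4
# Addresses are documentation ranges; this is not a capture from the thread's devices.
REMOTE_GW = "203.0.113.5"
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 203.0.113.5]
0.913542 wan in 203.0.113.5.500 -> 198.51.100.7.500: udp 360
0.914001 wan out 198.51.100.7.500 -> 203.0.113.5.500: udp 428
1.201337 wan out 198.51.100.7 -> 203.0.113.5: ESP(spi=0xc0ffee01,seq=0x1)
2.201340 wan out 198.51.100.7 -> 203.0.113.5: ESP(spi=0xc0ffee01,seq=0x2)
3.201344 wan out 198.51.100.7 -> 203.0.113.5: ESP(spi=0xc0ffee01,seq=0x3)
"""

# timestamp, interface, direction, src[.port] -> dst[.port]: rest
SNIFFER_LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ifname>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)
IKE_PORTS = {"500", "4500"}


def classify(rest, sport, dport):
    """ESP is printed without ports; IKE is UDP on 500 (or 4500 with NAT-T)."""
    if rest.startswith("ESP("):
        return "esp"
    if rest.startswith("udp") and (sport in IKE_PORTS or dport in IKE_PORTS):
        return "ike"
    return "other"


def count_tunnel_packets(sniffer_text, remote_gw):
    """Count IKE and ESP packets per direction relative to the remote gateway.
    Keys look like ("esp", "to_remote") or ("ike", "from_remote")."""
    counts = Counter()
    for line in sniffer_text.splitlines():
        m = SNIFFER_LINE_RE.match(line)
        if not m:
            continue  # header lines such as interfaces=[any] and filters=[...]
        kind = classify(m["rest"], m["sport"], m["dport"])
        if m["src"] == remote_gw:
            counts[(kind, "from_remote")] += 1
        elif m["dst"] == remote_gw:
            counts[(kind, "to_remote")] += 1
    return counts


def findings(counts):
    """Turn the counts into the checks the replies above suggest."""
    notes = []
    if counts[("ike", "to_remote")] and not counts[("ike", "from_remote")]:
        notes.append("IKE goes out but nothing comes back: check PSK, remote-gw "
                     "address and that UDP 500/4500 reach the Mikrotik")
    if counts[("esp", "to_remote")] and not counts[("esp", "from_remote")]:
        notes.append("ESP leaves but none returns: check the Mikrotik's phase 2 "
                     "selectors, its NAT bypass rule and its route back to the FGT LAN")
    if counts[("esp", "to_remote")] and counts[("esp", "from_remote")]:
        notes.append("ESP flows both ways: look at the LAN side (policies, routes, host firewalls)")
    return notes


if __name__ == "__main__":
    c = count_tunnel_packets(SAMPLE_SNIFFER_OUTPUT, REMOTE_GW)
    for key in sorted(c):
        print(key, c[key])
    for note in findings(c):
        print("-", note)
```

Remember that ESP only shows up in the sniffer once auto-asic-offload is disabled on the policies, as Toshi noted; with offloading on, the script would wrongly report no ESP at all.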
#9
rolo
New Member
Re: IPsec Between Fortinet and Mikrotik (2020/11/13 05:37:18)
I've managed to make it work with a GRE tunnel. IPsec just doesn't work; we couldn't find out why.
#10
ErmirMorina
New Member
Re: IPsec Between Fortinet and Mikrotik (2021/02/16 00:33:59)
Hey Jirka, 
 
So I see you have a lot of experience with IPsec between Mikrotik and FGT. I have one setup between my two sites but HTTPS traffic just doesn't seem to go through; any idea why that might happen?
Thanks a lot in advance.
#11