IPsec Between Fortinet and Mikrotik | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!IPsec Between Fortinet and Mikrotik

Author Post Essentials Only Full Version
rolo New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2020/09/11 10:06:23 Status: offline 2020/11/09 05:09:39 (permalink) 0 IPsec Between Fortinet and Mikrotik Hello, I don't have much experience with this stuff and have a little problem if anyone can help me would be great. i have FortiGate 40F on one side and Mikrotik 2011 on another side. i managed to build IPsec between those 2 and IP sec is UP. But there is problem i can't have ping or any kind of connection between those 2 networks. On mikrotik i have 192.168.1.0/24 network and on fortinet side i got 192.168.60.0/24 network on Lan ports. If anyone can help me to tell me what should i check to find the problem i haven't much experience with fortigate. https://ibb.co/0rnHQxN https://ibb.co/JHwWsW8 https://ibb.co/kHKH6Lp https://ibb.co/XLPxgD9 https://ibb.co/ysgG7Dy https://ibb.co/L8vtmf7 https://ibb.co/q59nccM #1 IPsec, FortiGate, VPN 10 Replies Related Threads
Toshi Esumi Expert Member Total Posts : 2450 Scores: 237 Reward points: 0 Joined: 2014/11/06 09:56:42 Status: offline Re: IPsec Between Fortinet and Mikrotik 2020/11/09 09:31:11 (permalink) 0 I don't see any particular problem on the 40F config, although I would remove the second static route for 192.168/16. But it shouldn't break anything even if it's there. I would suspect the other side, but first sniff packets on the FGT while you ping from FGT's local toward the other side. You need to disable asic offloading (set auto-asic-offload diable) on both policies in CLI to see all packets. Don't forget to reenable it after you're done. #2
Jirka Gold Member Total Posts : 183 Scores: 7 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: online Re: IPsec Between Fortinet and Mikrotik 2020/11/09 09:51:20 (permalink) 0 Hi, do you have a rule on Mikrotik in NAT that allows communication between subnets? It must be placed in front of a global masquerade or NAT. /ip firewall nat> add src-address 192.168.1.0/24 dst-address 192.168.60.0/24 action=accept We operate about 20+ IPsec tunnels between Mikrotik and FGT and it's rock stable. Jirka #3
rolo New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2020/09/11 10:06:23 Status: offline Re: IPsec Between Fortinet and Mikrotik 2020/11/09 13:32:40 (permalink) 0 Hi, Thanks for replying for me i've created that rule too on mikrotik side of course https://ibb.co/WxpJB84 #4
rolo New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2020/09/11 10:06:23 Status: offline Re: IPsec Between Fortinet and Mikrotik 2020/11/09 13:39:00 (permalink) 0 Hi thank you so much for replying on me i can provide mikrotik configuration too i have also rule to have 2 subnets connection between https://ibb.co/WxpJB84 . also i will try packet sniffing too i've never done it on fortigate so ill need some time google it :D. any ideas what can be problem on mikrotik side i know its hard to say like this #5
Jirka Gold Member Total Posts : 183 Scores: 7 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: online Re: IPsec Between Fortinet and Mikrotik 2020/11/09 13:46:10 (permalink) 0 Did you do a double check IPsec setting on Mikrotik? Mainly DH and PFS group settings, lifetime and NAT Traversal? I don't think the mistake will be on FortiGate's side. Jirka #6
rolo New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2020/09/11 10:06:23 Status: offline Re: IPsec Between Fortinet and Mikrotik 2020/11/10 01:14:23 (permalink) 0 Hi so sorry for a late reply so here is the configuration on both side https://ibb.co/H2jKx89 https://ibb.co/344018V post edited by rolo - 2020/11/11 22:52:01 #7
supportombm New Member Total Posts : 20 Scores: 0 Reward points: 0 Joined: 2019/12/02 06:20:45 Status: offline Re: IPsec Between Fortinet and Mikrotik 2020/11/11 08:57:03 (permalink) 0 Hi, i'm not here to helping you sorry BUT next time ALWAYS HIDE your ips in every image. It's a must if they are open. Trust me. #8
emnoc Expert Member Total Posts : 5979 Scores: 402 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: IPsec Between Fortinet and Mikrotik 2020/11/11 09:39:28 (permalink) 0 You need to double check phase2 but 1st have you ran any "diag debug application ike -1" on the fortigate? If you see NO packets back from the mikrotik, than investigate why. You can "diag sniffer packet any "host x.x.x.x" where x.x.x.x is the remote-gw address of the mikrotik. Also I would disable replay detection and your config looks good fwiw. I would not use des or dhgp2 but that is my preference. You problem is most likely psk mismatch or the remote-gw are timing out just look at this from a 100k foot view. Ken Felix PCNSE NSE StrongSwan #9
rolo New Member Total Posts : 13 Scores: 0 Reward points: 0 Joined: 2020/09/11 10:06:23 Status: offline Re: IPsec Between Fortinet and Mikrotik 2020/11/13 05:37:18 (permalink) 0 I've managed to make it work with GRE tunnel. Ipsec just doesn't work we couldn't find it out why. #10
ErmirMorina New Member Total Posts : 1 Scores: 0 Reward points: 0 Joined: 2021/02/15 12:38:14 Status: offline Re: IPsec Between Fortinet and Mikrotik 2021/02/16 00:33:59 (permalink) 0 Hey Jirka, So I see u have a lot of experience with IPSec between Mikrotik and FGT, i have one setup between my two sites but https traffic just doesn't seem to go through, any idea why that might happen? Thanks a lot in advance. #11

Jump to:

© 2021 APG vNext Commercial Version 5.5