Fortigate - Mikrotik IPsec VPN not coming up in some scenarios

Hi,

We have a Fortigate 200D NGFW as the VPN server in the head office and about 60 Mikrotik RB2011UiAS devices in branches spread all over the world (see the pic).
We utilize site-to-site IPsec on both ends. The FG200D has a public static IP (175.185.27.136) and acts as the hub concentrator for all tunnels, allowing remote LAN users to connect to our DMZ zone (172.130.30.0/24).
Some Mikrotiks also have a public static IP assigned directly to ethernet1; others have a private IP because their ISP device is configured as a NAT router (mostly PPPoE with a static IP), which forwards UDP ports 500/4500 to the Mikrotik.
A few Mikrotiks are connected to an ISP modem that has a DHCP WAN IP. These Mikrotiks have cloud DDNS enabled.

All Mikrotiks have an almost identical config; the differences are the firewall rules for accepting private IPs on the WAN interface and VLAN tagging in some schemas.
The Fortigate in its turn has 2 types of config: remote side with a static IP, and remote side with a Dynamic DNS name.

Everything works fine except for 3 problems:

  1. The biggest TROUBLE.
    Some Mikrotiks cannot bring the tunnel up after it has gone down until we reboot either the FG200D or the Mikrotik device.
    We see 2 types of errors at that time: "unknown information exchanged" and "can't start the quick mode, there is no valid ISAKMP-SA".
    We noticed that the Mikrotik sometimes showed "IPSEC - no phase 2", while the FG200D showed the tunnel UP.
    But in the majority of cases both sides show the tunnel down, and manually bringing it down/up on both sides has no effect.
    Only a full reboot of one of the devices fixes the issue, as mentioned above.
    It seems that if, for any reason, the tunnel goes down, Phase 1 becomes stuck/broken (we can't figure out on which side).
    By the way, this often occurred with many tunnels before, until we corrected and matched the DPD settings on both sides.

  2. Two branches have a DHCP PPPoE WAN address that changes very quickly (every 5-60 minutes).
    Unfortunately they don't have enough money to buy a dedicated line, and all ISPs (2-3) offer the same.

  3. One branch has an issue with SIP telephony.
    It has IP phones connected to the SIP server in the DMZ; they are able to call and can hear us, but we can't hear them (only some unclear intermittent sounds).
    At the same time we can browse their web via TCP, and they can browse ours.

Please help
FG200-forum.txt (85.4 KB)
log.-forum.txt (129 KB)
ny-forum.rsc (10.2 KB)
VPN_forum.jpg

Hi, no one can help?
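As an added example (not code from the original post or its attachments): a RouterOS v6 scheduler script for the branch side that detects a tunnel which has gone down and will not renegotiate, and tears down the stale IPsec state instead of rebooting the whole device. It assumes the hub peer entry carries comment="hq", that 172.130.30.1 is a host in the DMZ that always answers ping, and that the branch LAN address used as the ping source (192.168.10.1 here) falls inside the tunnel's policy; all three are placeholders for this example.

```routeros
# Added example for the "phase 1 stuck until reboot" problem; not from the original post.
# Assumptions (hypothetical values): peer entry has comment="hq",
# 172.130.30.1 is a DMZ host that always answers ping,
# 192.168.10.1 is the branch LAN address covered by the IPsec policy.
# Run from /system scheduler every 2 minutes.
:local dmzHost "172.130.30.1"
:local lanIp "192.168.10.1"
:local peerId [/ip ipsec peer find comment="hq"]

# persistent failure counter across scheduler runs
:global hqFails
:if ([:typeof $hqFails] = "nothing") do={ :set hqFails 0 }

# /ping returns the number of replies received; 0 of 3 counts as one failed check
:if ([/ping $dmzHost src-address=$lanIp count=3] = 0) do={
    :set hqFails ($hqFails + 1)
    :log warning ("ipsec-watchdog: DMZ unreachable via tunnel, failures=" . $hqFails)
} else={
    :set hqFails 0
}

# three consecutive failed checks (about 6 minutes): drop all installed SAs and
# bounce the peer so the next connection starts from a clean phase 1
:if ($hqFails >= 3) do={
    :log error "ipsec-watchdog: flushing SAs and re-enabling hub peer"
    /ip ipsec installed-sa flush
    /ip ipsec peer disable $peerId
    :delay 5s
    /ip ipsec peer enable $peerId
    :set hqFails 0
}
```

`installed-sa flush` removes the SAs of every peer on the router, which is fine on a branch with a single hub tunnel but not on a device carrying several. The FortiGate side has an equivalent manual reset (`diagnose vpn ike gateway clear` for phase 1, `diagnose vpn tunnel flush` for phase 2) that is worth trying before a reboot, since whichever side responds to the clear is the side holding the stale ISAKMP SA.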