GRE over IPsec between MikroTik and FortiGate

Hi,
I’m trying to connect a MikroTik to a FortiGate using GRE over IPsec, but I’m already stuck on the IPsec Phase 1 exchange. Maybe someone is familiar with FortiGate devices?
FortiGate config:

config vpn ipsec phase1-interface
    edit "ipsec_p1"
        set interface "port16"
        set ike-version 2
        set local-gw FGT_WAN
        set keylife 3600
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 21
        set remote-gw MIKROTIK_WAN
        set psksecret password
    next
end
config vpn ipsec phase2-interface
    edit "ipsec_p2"
        set phase1name "ipsec_p1"
        set proposal aes256-sha256
        set dhgrp 21
        set encapsulation transport-mode
        set protocol 47
    next
end

MikroTik config:

/ip ipsec policy group
add name=group1

/ip ipsec profile> print
Flags: * - default 
 1   name="FGT" hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d 
     proposal-check=obey nat-traversal=yes dpd-interval=disable-dpd 

/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder 
 0     name="FGT" address=FGT_WAN/32 local-address=MIKROTIK_WAN port=500 
       profile=FGT exchange-mode=ike2 send-initial-contact=yes 
       
/ip ipsec proposal> print
Flags: X - disabled, * - default 
 1    name="FGT" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=0s 
      pfs-group=ecp521 
      
/ip ipsec identity> print
Flags: D - dynamic, X - disabled 
      peer=FGT auth-method=pre-shared-key secret="password" generate-policy=no 
      
/ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 1     src-address=MIKROTIK_WAN/32 src-port=any dst-address=FGT_WAN/32 dst-port=any 
       protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no 
       proposal=FGT ph2-count=0

Debug from FortiGate:

FGT # ike 0: comes MIKROTIK_WAN:500->FORTIGATE_WAN:500,ifindex=22....
ike 0: IKEv2 exchange=SA_INIT id=7db77dde33559db9/0000000000000000 len=300
ike 0: in 7DB77DDE33559DB9000000000000000029202208000000000000012C2900001C000040058127764BBADB7244D1E0779C7B6DB9E7F017782D2800001C000040040C756A50A4894E77195676AE85309213A81D7AEA2200001CAF2203E8EE1329DDF0FCA70E3F6E459E34A50CBEFE0EEA7B2100008C0015000000019347E6A359CE73A61BAC722E10AAD7349FF180904339F3CBC0CDAF
ike 0:7db77dde33559db9/0000000000000000:296: responder received SA_INIT msg
ike 0:7db77dde33559db9/0000000000000000:296: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:7db77dde33559db9/0000000000000000:296: received notify type NAT_DETECTION_SOURCE_IP
ike 0:7db77dde33559db9/0000000000000000:296: incoming proposal:
ike 0:7db77dde33559db9/0000000000000000:296: proposal id = 1:
ike 0:7db77dde33559db9/0000000000000000:296:   protocol = IKEv2:
ike 0:7db77dde33559db9/0000000000000000:296:      encapsulation = IKEv2/none
ike 0:7db77dde33559db9/0000000000000000:296:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:7db77dde33559db9/0000000000000000:296:         type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:7db77dde33559db9/0000000000000000:296:         type=PRF, val=PRF_HMAC_SHA2_512
ike 0:7db77dde33559db9/0000000000000000:296:         type=DH_GROUP, val=ECP521.
ike 0:7db77dde33559db9/0000000000000000:296: no proposal chosen
ike Negotiate SA Error: ike ike  [10366]
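The FortiGate debug above shows what the MikroTik put into IKE_SA_INIT (AES-CBC-256, HMAC-SHA2-512-256 integrity, PRF-HMAC-SHA2-512, ECP521) and the phase 1 it was checked against is configured with `set proposal aes256-sha256`. The script below is an added example, not code from the thread or from either vendor: it decodes the logged hex dump (IKE header, the two NAT-detection notifies, the nonce and the KE header), and because the log cuts the dump off inside the KE payload it constructs the SA payload from the transforms the debug lists, then applies the responder rule that every transform type of a proposal must match. The FortiOS proposal expansion (the PRF taken from the same hash as the integrity algorithm) and the constructed SA payloads are assumptions.

```python
"""Decode the IKE_SA_INIT the FortiGate logged and check the MikroTik's IKE proposal
against the FortiGate phase 1 config. Added example, not code from the thread."""
import struct

PAYLOAD = {33: "SA", 34: "KE", 40: "NONCE", 41: "NOTIFY"}
NOTIFY = {16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP"}
TTYPE = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
TID = {"ENCR": {12: "AES_CBC"},  # IANA IKEv2 transform IDs this thread touches
       "PRF": {5: "HMAC_SHA2_256", 7: "HMAC_SHA2_512"},
       "INTEG": {12: "HMAC_SHA2_256_128", 14: "HMAC_SHA2_512_256"},
       "DH": {14: "MODP_2048", 21: "ECP521"}}
# Assumption: FortiOS "aes256-sha256" = AES-CBC-256 + HMAC-SHA2-256-128 integrity with
# the PRF derived from the same hash; values are (integrity ID, PRF ID).
FORTIOS_HASH = {"sha256": (12, 5), "sha512": (14, 7)}
# Copied from the FortiGate "ike 0: in" line of the first post. The log cuts the dump
# off inside the KE payload, so the SA payload that follows it is not present.
FGT_SA_INIT_HEX = ("7DB77DDE33559DB9000000000000000029202208000000000000012C"
                   "2900001C000040058127764BBADB7244D1E0779C7B6DB9E7F017782D"
                   "2800001C000040040C756A50A4894E77195676AE85309213A81D7AEA"
                   "2200001CAF2203E8EE1329DDF0FCA70E3F6E459E34A50CBEFE0EEA7B"
                   "2100008C0015000000019347E6A359CE73A61BAC722E10AAD7349FF180904339F3CBC0CDAF")


def parse_sa_init(msg):
    """Return the IKE header, the payload chain as (name, body, truncated) and the
    offset at which the first payload missing from the dump would start."""
    ispi, _, nxt, _, exch, flags, _, length = struct.unpack(">QQBBBBII", msg[:28])
    hdr = {"ispi": f"{ispi:016x}", "exchange": exch, "initiator": bool(flags & 8), "length": length}
    payloads, off = [], 28
    while nxt and off + 4 <= len(msg):
        next_type, _, plen = struct.unpack(">BBH", msg[off:off + 4])
        truncated = off + plen > len(msg)
        payloads.append((PAYLOAD.get(nxt, nxt), msg[off + 4:off + plen], truncated))
        nxt, off = next_type, off + plen
        if truncated:
            break
    return hdr, payloads, off


def ike_sa_payload(keylen, integ, prf, dh):
    """Encode an SA payload with one IKE proposal (RFC 7296 section 3.3 wire format)."""
    def transform(ttype, tid, attr=b"", last=False):
        body = struct.pack(">BBH", ttype, 0, tid) + attr
        return struct.pack(">BBH", 0 if last else 3, 0, 4 + len(body)) + body
    key_len = struct.pack(">HH", 0x8000 | 14, keylen)  # TV attribute 14: Key Length
    ts = (transform(1, 12, key_len) + transform(3, integ)
          + transform(2, prf) + transform(4, dh, last=True))
    proposal = struct.pack(">BBHBBBB", 0, 0, 8 + len(ts), 1, 1, 0, 4) + ts  # protocol 1 = IKE
    return struct.pack(">BBH", 0, 0, 4 + len(proposal)) + proposal


def decode_sa(body):
    """Parse an SA payload body into [{num, protocol, transforms: {type: (name, keylen)}}]."""
    proposals, off = [], 0
    while off + 8 <= len(body):
        more, _, plen, num, proto, spi_size, ntrans = struct.unpack(">BBHBBBB", body[off:off + 8])
        toff, tr = off + 8 + spi_size, {}
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack(">BBHBBH", body[toff:toff + 8])
            keylen = None
            if tlen >= 12:  # the only attribute used here is the TV Key Length
                atype, aval = struct.unpack(">HH", body[toff + 8:toff + 12])
                keylen = aval if atype == (0x8000 | 14) else None
            name = TTYPE.get(ttype, ttype)
            tr[name] = (TID.get(name, {}).get(tid, tid), keylen)
            toff += tlen
        proposals.append({"num": num, "protocol": proto, "transforms": tr})
        off += plen
        if not more:
            break
    return proposals


def fortios_phase1(proposal, dhgrp):
    """Expand 'set proposal aes256-sha256' + 'set dhgrp N' into what the responder accepts."""
    enc, hsh = proposal.split("-")
    integ, prf = FORTIOS_HASH[hsh]
    return {"ENCR": ("AES_CBC", int(enc[3:])), "INTEG": (TID["INTEG"][integ], None),
            "PRF": (TID["PRF"][prf], None), "DH": (TID["DH"][dhgrp], None)}


def select_proposal(offered, policy):
    """Responder choice: a proposal is usable only if every transform type matches.
    Returns (chosen proposal number, []) or (None, mismatched types of proposal 1)."""
    def mismatch(p):
        return sorted(t for t, v in policy.items() if p["transforms"].get(t) != v)
    chosen = [p["num"] for p in offered if not mismatch(p)]
    return (chosen[0], []) if chosen else (None, mismatch(offered[0]))  # None: NO_PROPOSAL_CHOSEN


def diagnose():
    hdr, payloads, sa_off = parse_sa_init(bytes.fromhex(FGT_SA_INIT_HEX))
    notifies = [NOTIFY.get(struct.unpack(">H", b[2:4])[0]) for n, b, _ in payloads if n == "NOTIFY"]
    ke_group = struct.unpack(">H", payloads[-1][1][:2])[0]
    policy = fortios_phase1("aes256-sha256", 21)
    # Constructed SA payloads: the transforms the debug says the sha512 profile sent,
    # and the ones the corrected hash-algorithm=sha256 profile sends.
    sha512, sha256 = ike_sa_payload(256, 14, 7, 21), ike_sa_payload(256, 12, 5, 21)
    return {"ispi": hdr["ispi"], "exchange": hdr["exchange"],
            "payloads": [n for n, _, _ in payloads], "notifies": notifies, "ke_group": ke_group,
            "sa_bytes_left": hdr["length"] - sa_off, "sa_payload_len": len(sha512),
            "sha512_profile": select_proposal(decode_sa(sha512[4:]), policy),
            "sha256_profile": select_proposal(decode_sa(sha256[4:]), policy)}


if __name__ == "__main__":
    print(diagnose())
```

With the sha512 profile the result is `(None, ['INTEG', 'PRF'])`, i.e. NO_PROPOSAL_CHOSEN caused by the two transforms that the MikroTik profile's `hash-algorithm` controls; with `hash-algorithm=sha256` proposal 1 is selected. The header's length field (300) minus the offset where the KE payload ends (252) leaves exactly the 48 bytes a four-transform IKE SA payload takes, consistent with the log line being cut short rather than the packet.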

I’ve made some progress, but still no success. FortiGate debug:

ike 0: comes MIKROTIK:500->FGT:500,ifindex=22....
ike 0: IKEv2 exchange=SA_INIT id=24040f12e74e1c2d/0000000000000000 len=300
ike 0: in [hex dump omitted]
ike 0:24040f12e74e1c2d/0000000000000000:5525: responder received SA_INIT msg
ike 0:24040f12e74e1c2d/0000000000000000:5525: received notify type NAT_DETECTION_DESTINATION_IP
ike 0:24040f12e74e1c2d/0000000000000000:5525: received notify type NAT_DETECTION_SOURCE_IP
ike 0:24040f12e74e1c2d/0000000000000000:5525: incoming proposal:
ike 0:24040f12e74e1c2d/0000000000000000:5525: proposal id = 1:
ike 0:24040f12e74e1c2d/0000000000000000:5525:   protocol = IKEv2:
ike 0:24040f12e74e1c2d/0000000000000000:5525:      encapsulation = IKEv2/none
ike 0:24040f12e74e1c2d/0000000000000000:5525:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:24040f12e74e1c2d/0000000000000000:5525:         type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:24040f12e74e1c2d/0000000000000000:5525:         type=PRF, val=PRF_HMAC_SHA2_512
ike 0:24040f12e74e1c2d/0000000000000000:5525:         type=DH_GROUP, val=ECP521.
ike 0:24040f12e74e1c2d/0000000000000000:5525: no proposal chosen
ike Negotiate SA Error: ike ike  [10366]
ike 0:dusz_wan1_p1:dusz_wan1_p2: IPsec SA connect 22 FGT->MIKROTIK:0
ike 0:dusz_wan1_p1:dusz_wan1_p2: using existing connection
ike 0:dusz_wan1_p1:dusz_wan1_p2: config found
ike 0:dusz_wan1_p1: request is on the queue
ike 0:dusz_wan1_p1:dusz_wan1_p2: IPsec SA connect 22 FGT->MIKROTIK:0
ike 0:dusz_wan1_p1:dusz_wan1_p2: using existing connection
ike 0:dusz_wan1_p1:dusz_wan1_p2: config found
ike 0:dusz_wan1_p1: request is on the queue
ike 0:dusz_wan1_p1:5522: out [hex dump omitted]
ike 0:dusz_wan1_p1:5522: sent IKE msg (RETRANSMIT_SA_INIT): FGT:500->MIKROTIK:500, len=316, id=e0d5c8099b405874/0000000000000000

After this line:

ike 0:24040f12e74e1c2d/0000000000000000:5525:         type=DH_GROUP, val=ECP521.

I should get the ISAKMP SA lifetime settings, e.g.:

ike 0:84a65a65d61b58b1/0000000000000000:50: ISAKMP SA lifetime=86400

but I don’t get this; I get the error "no proposal chosen".


For the first time, something appears on the MikroTik side under “Installed SA”:

/ip ipsec installed-sa> print 
Flags: H - hw-aead, A - AH, E - ESP 
 0  E spi=0 src-address=MIKROTIK_WAN dst-address=FGT_WAN state=larval add-life
      replay=0

I can’t recall it right now, but I had to set some “peer-identity-type” or “localid-type address” on the FortiGate to at least make a regular IPsec tunnel work. It was the MikroTik that simply denied the setup, not the FortiGate.

I have corrected the hash algorithm in the IPsec profile: it was sha512 and should be sha256. Now it is the same as on the FortiGate, but still no success.

1 name="FGT" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d 
     proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

I added this to the FortiGate Phase 1:

set peertype any
set localid "OUTGOING_WAN_IP"

Could anyone help me?
My Phase 1 between the FGT and the MikroTik is established; the problem is with matching selectors on both sides. As this is IPsec in transport mode, my selectors are simply set to the WAN IP addresses of the two sites.

Please look at what the FGT debug shows:

ike 0:dusz_wan1_ipsec:1877:2363: TSr_0 0:x.x.x.122-x.x.x.122:0
ike 0:dusz_wan1_ipsec:1877:2363: TSi_0 0:x.x.x.82-x.x.x.82:0
ike 0:dusz_wan1_ipsec:1877:dusz_wan1_p2:2363: comparing selectors
ike 0:dusz_wan1_ipsec:1877:dusz_wan1_p2:2363: failed to match peer selectors

This is what the MikroTik shows (x.x.x.122 is the MikroTik side):

08:58:12 ipsec,debug decrypted 
08:58:12 ipsec payload seen: NOTIFY 
08:58:12 ipsec payload seen: SA 
08:58:12 ipsec payload seen: NONCE 
08:58:12 ipsec payload seen: KE 
08:58:12 ipsec payload seen: TS_I 
08:58:12 ipsec payload seen: TS_R 
08:58:12 ipsec create child: respond 
08:58:12 ipsec processing payload: NONCE 
08:58:12 ipsec processing payloads: NOTIFY 
08:58:12 ipsec   notify: USE_TRANSPORT_MODE 
08:58:12 ipsec processing payloads: NOTIFY 
08:58:12 ipsec   notify: USE_TRANSPORT_MODE 
08:58:12 ipsec peer wants transport mode 
08:58:12 ipsec processing payload: CONFIG (not found) 
08:58:12 ipsec processing payload: TS_I 
08:58:12 ipsec x.x.x.82 
08:58:12 ipsec processing payload: TS_R 
08:58:12 ipsec x.x.x.122 
08:58:12 ipsec canditate selectors: x.x.x.122 <=> x.x.x.82 
08:58:12 ipsec processing payload: SA 
08:58:12 ipsec IKE Protocol: ESP 
08:58:12 ipsec  proposal #1 
08:58:12 ipsec   enc: aes256-cbc 
08:58:12 ipsec   auth: sha256 
08:58:12 ipsec   dh: ecp521 
08:58:12 ipsec searching for policy for selector: x.x.x.122 <=> x.x.x.82 
08:58:12 ipsec using strict match: x.x.x.122 <=> x.x.x.82 
08:58:12 ipsec matched proposal: 
08:58:12 ipsec  proposal #1 
08:58:12 ipsec   enc: aes256-cbc 
08:58:12 ipsec   auth: sha256 
08:58:12 ipsec   dh: ecp521 
08:58:12 ipsec processing payload: KE 
08:58:12 ipsec,debug => shared secret (size 0x42) 
08:58:12 ipsec,debug 00982704 d2395a6d 128e7f72 d3a55f81 c0f65be1 e51aaceb 53aebb2a c8a7bc4c 
08:58:12 ipsec,debug 201854cd 89704025 3d9c4d22 1b0908f0 7db4ce43 4e538ef8 9f3341b6 f62a5d3d 
08:58:12 ipsec,debug 0c75 
08:58:12 ipsec create child: finish 
08:58:12 ipsec adding payload: NONCE 
08:58:12 ipsec,debug => (size 0x1c) 
08:58:12 ipsec,debug 0000001c 27ab94b1 59fa10e7 aeb76293 a15316b9 e16baa3b 4a5851fc 
08:58:12 ipsec adding payload: KE 
08:58:12 ipsec,debug => (size 0x8c) 
08:58:12 ipsec,debug 0000008c 00150000 01e04a40 3a5c5722 bec98ff3 ed620051 b1cabcf5 12f39437 
08:58:12 ipsec,debug f6499311 84d94f6f f08ca50e a79ff165 b494600e 2381240f ac601943 bb6d3b37 
08:58:12 ipsec,debug a8a39aa7 4ade3b71 422101f7 3bc04b7b d4e02d87 9368fa79 78f79e36 124c6bec 
08:58:12 ipsec,debug 5087022e d3c6921b 38389674 1eed5d83 9e2956c4 33918d5f a6d3f750 e3b6bda0 
08:58:12 ipsec,debug 5da7abda bc633818 662e2538 
08:58:12 ipsec initiator selector: x.x.x.82 
08:58:12 ipsec adding payload: TS_I 
08:58:12 ipsec,debug => (size 0x18) 
08:58:12 ipsec,debug 00000018 01000000 07000010 0000ffff d9619a52 d9619a52 
08:58:12 ipsec responder selector: x.x.x.122 
08:58:12 ipsec adding payload: TS_R 
08:58:12 ipsec,debug => (size 0x18) 
08:58:12 ipsec,debug 00000018 01000000 07000010 0000ffff 5036f67a 5036f67a 
08:58:12 ipsec adding payload: SA 
08:58:12 ipsec,debug => (size 0x34) 
08:58:12 ipsec,debug 00000034 00000030 01030404 085febfb 0300000c 0100000c 800e0100 03000008 
08:58:12 ipsec,debug 0300000c 03000008 04000015 00000008 05000000 
08:58:12 ipsec adding notify: USE_TRANSPORT_MODE 
08:58:12 ipsec,debug => (size 0x8) 
08:58:12 ipsec,debug 00000008 00004007 
08:58:12 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:631 x.x.x.82[77] 
08:58:12 ipsec,debug ===== sending 448 bytes from x.x.x.122[500] to x.x.x.82[77] 
08:58:12 ipsec,debug 1 times of 448 bytes message will be sent to x.x.x.82[77] 
08:58:12 ipsec,debug => child keymat (size 0x80) 
08:58:12 ipsec,debug c221e926 254fbebe 8f3d0683 159098db 04c2caae 1f354106 1a7f68e6 c4791f9c 
08:58:12 ipsec,debug 23af6166 b6971d63 a4b04b66 d640dfa0 4e577ef3 bd99a61f 81bc9401 159010b2 
08:58:12 ipsec,debug 879ecbbd ba8011bc 391278bc feb2113a b77c43c6 5ff9236a 0f5285d5 f7b84386 
08:58:12 ipsec,debug 33e1ab8a 91f55411 1aaa25bb 0562f141 7cb74b0c bd10830f d514b9e8 6c8de11b 
08:58:12 ipsec IPsec-SA established: x.x.x.82[77]->x.x.x.122[500] spi=0x85febfb 
08:58:12 ipsec IPsec-SA established: x.x.x.122[500]->x.x.x.82[77] spi=0x59e08b68 
08:58:13 ipsec,debug ===== received 80 bytes from x.x.x.82[77] to x.x.x.122[500] 
08:58:13 ipsec -> ike2 request, exchange: INFORMATIONAL:632 x.x.x.82[77] 
08:58:13 ipsec payload seen: ENC 
08:58:13 ipsec processing payload: ENC 
08:58:13 ipsec,debug => iv (size 0x10) 
08:58:13 ipsec,debug a80fd68d f9b9beda 90d196c3 cf47caa3 
08:58:13 ipsec,debug => plain payload (trimmed) (size 0xc) 
08:58:13 ipsec,debug 0000000c 0304000b 59e08b68 
08:58:13 ipsec,debug decrypted 
08:58:13 ipsec payload seen: NOTIFY 
08:58:13 ipsec respond: info 
08:58:13 ipsec processing payloads: NOTIFY 
08:58:13 ipsec   notify: INVALID_SPI 
08:58:13 ipsec got error: INVALID_SPI 
08:58:13 ipsec processing payloads: DELETE (none found) 
08:58:13 ipsec,debug sending empty reply 
08:58:13 ipsec <- ike2 reply, exchange: INFORMATIONAL:632 x.x.x.82[77] 
08:58:13 ipsec,debug ===== sending 112 bytes from x.x.x.122[500] to x.x.x.82[77] 
08:58:13 ipsec,debug 1 times of 112 bytes message will be sent to x.x.x.82[77] 
08:58:17 ipsec,debug ===== received 352 bytes from x.x.x.82[77] to x.x.x.122[500] 
08:58:17 ipsec -> ike2 request, exchange: CREATE_CHILD_SA:633 x.x.x.82[77] 
08:58:17 ipsec payload seen: ENC 
08:58:17 ipsec processing payload: ENC 
08:58:17 ipsec,debug => iv (size 0x10) 
08:58:17 ipsec,debug 3e0e103f d18d3ef9 d38bf496 7dccc301 
08:58:17 ipsec,debug => plain payload (trimmed) (first 0x100 of 0x110) 
08:58:17 ipsec,debug 2100000c 03044007 59e08b69 28000034 00000030 01030404 59e08b69 0300000c 
08:58:17 ipsec,debug 0100000c 800e0100 03000008 0300000c 03000008 04000015 00000008 05000000 
08:58:17 ipsec,debug 22000014 e068e447 3c476474 fc51158a a8ce3ee2 2c00008c 00150000 000b38f4 
08:58:17 ipsec,debug 2cc75a75 fa507bc8 b5706b5b f26b92e7 f73f93f2 c145c779 052ec94c 6abd3984 
08:58:17 ipsec,debug 34528986 e7398656 e4d3b335 04b0dcca 1793fd39 61b6bcae 6e320a0e 31180160 
08:58:17 ipsec,debug 1ecd41e5 0544121b 77c98801 69464045 5c622d0e b127b26f c5602029 e90c1238 
08:58:17 ipsec,debug e25246ae e3351e43 ec31c578 eee678a5 aaedfac0 04b4d873 0227f8d5 8b9b4940 
08:58:17 ipsec,debug 2d000018 01000000 07000010 0000ffff d9619a52 d9619a52 00000018 01000000

Hi, were you able to solve the problem?

There is a KB on the Fortinet forum on how to establish a normal IKEv2 IPsec tunnel.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-up-IPsec-VPN-between-FortiGate-and-Mikrotik/ta-p/340691

Use that guide for the base IPsec configuration and then adjust it for GRE use. Specifically, create a GRE interface on the FortiGate and on the MikroTik and give it an IP address from a /30 subnet (for example 172.16.1.0/30), which will be used for routing.

Here is another Fortinet KB that has GRE info in it. Below is an example.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-and-verifying-a-GRE-over-an-IPsec/ta-p/198068

Here are the FortiOS CLI commands to create the IPsec and GRE tunnels, or use them as a guide for the web interface. Unfortunately, the GRE part can only be done via the CLI, if I am not mistaken.

FortiGate IPsec VPN Phase 1:

config vpn ipsec phase1-interface
    edit "IPSec-GRE"
        set interface "wan1"
        set ike-version 2
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set npu-offload disable
        set dhgrp 14
        set nattraversal disable
        set remote-gw 1.0.0.2
        set psksecret <secret key>
        set dpd-retrycount 5
        set dpd-retryinterval 120
    next
end

FortiGate IPsec VPN Phase 2:

config vpn ipsec phase2-interface
    edit "GREoIPsec"
        set phase1name "IPSec-GRE"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set encapsulation transport-mode
        set protocol 47
        set keylifeseconds 3600
    next
end

FortiGate: create the GRE interface:

config system gre-tunnel
    edit "GRE-interface"
        set interface "IPSec-GRE"
        set remote-gw 10.0.0.2
        set local-gw 10.0.0.1
    next
end

FortiGate: configure the GRE interface:

config system interface
    edit "GRE-interface"
        set vdom "root"
        set ip 172.16.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.1.2 255.255.255.255
        set interface "IPSec-GRE"
    next
end

Do not forget to create static routes and some IPv4 policies on the FortiGate, otherwise the tunnel won’t come up. The routing network between the sites would be that 172.16.1.0/30 subnet.

On the MikroTik side, use basically the exact configuration from the Fortinet KB, with the following exception.
In the step called “Next, define which networks will communicate with each other through the VPN tunnel.”, enter the IP addresses of the WAN interfaces instead of the internal interfaces (10.0.0.1 as local and 10.0.0.2 as remote). Uncheck “Tunnel” and set “Protocol” to “47” (GRE).

Example of the MikroTik policy that differs from the Fortinet KB:

/ip/ipsec/policy/add src-address=10.0.0.1 dst-address=10.0.0.2 peer=fortigate protocol=gre action=encrypt level=require tunnel=no disabled=no

It works quite well (using RouterOS 6.x or 7.x and FortiOS 6+). The only problem is that the tunnel sometimes crashes with the error “Invalid ESP packet detected (HMAC validation failed)”, which I wasn’t able to solve yet (I am using a netwatch script to check the other side of the GRE tunnel; if it is not accessible, it resets the IPsec tunnel).

Here is that netwatch entry:

/tool/netwatch/add type=simple timeout=1s interval=1m host=172.16.1.1 start-delay=1m

Here is that netwatch script for the “down” condition:

:log info "IPsec-GRE is down, resetting."
/ip ipsec active-peers kill-connections

Here is that netwatch script for the “up” condition:

:log info "IPsec tunnel ok"
/tool e-mail send to="email@address.org" subject="$[/system identity get name] IPsec problem" body="IPsec tunnel down, $[/system identity get name] tunnel was reset."

Hope it helps someone.
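The earlier report that phase 1 is up but the FortiGate logs “failed to match peer selectors” (its TSi/TSr carrying IP protocol 0 against a phase2 with `set protocol 47`), and the fix in the answer above of setting the MikroTik policy to `protocol=gre` with tunnel mode off, come down to what each side puts in the IKEv2 TSi/TSr payloads. The following is an added example, not code from the thread, the Fortinet KBs or either vendor: it builds the selectors a RouterOS transport-mode policy and a FortiOS transport-mode phase2 would use, encodes them in the RFC 7296 traffic-selector format, parses them back the way a responder does, and compares them both exactly (the comparison both logs describe) and with RFC 7296 narrowing. The policy-to-selector mapping, the port-range handling and the addresses (FortiGate 10.0.0.1, MikroTik 10.0.0.2, the same way round as the gre-tunnel block above) are assumptions.

```python
"""Build, encode and compare the IKEv2 traffic selectors each side derives from its
transport-mode GRE policy. Added example, not code from the thread or either vendor."""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7
IP_PROTO = {"all": 0, "gre": 47}  # RouterOS policy protocol= values used here
ANY_PORTS = (0, 0xFFFF)


def routeros_policy_selectors(src_address, dst_address, protocol="all"):
    """Selectors a RouterOS /ip ipsec policy with tunnel=no offers as TSi and TSr.
    Assumption: a host policy without ports maps to a one-address range, ports any."""
    proto = IP_PROTO[protocol]
    return ((proto, src_address, src_address) + ANY_PORTS,
            (proto, dst_address, dst_address) + ANY_PORTS)


def fortios_phase2_selectors(local_gw, remote_gw, protocol=0):
    """Selectors a FortiOS transport-mode phase2 with 'set protocol N' accepts;
    in transport mode the endpoints are the IKE gateways themselves."""
    return ((protocol, local_gw, local_gw) + ANY_PORTS,
            (protocol, remote_gw, remote_gw) + ANY_PORTS)


def encode_ts(selectors, next_payload=0):
    """Encode a TSi/TSr payload (RFC 7296 section 3.13) from selector tuples."""
    body = struct.pack(">B3x", len(selectors))
    for proto, start, end, sport, eport in selectors:
        body += struct.pack(">BBHHH", TS_IPV4_ADDR_RANGE, proto, 16, sport, eport)
        body += ipaddress.IPv4Address(start).packed + ipaddress.IPv4Address(end).packed
    return struct.pack(">BBH", next_payload, 0, 4 + len(body)) + body


def decode_ts(payload):
    """Parse a TS payload back into (proto, start_ip, end_ip, start_port, end_port) tuples."""
    out, off = [], 8
    for _ in range(payload[4]):  # byte 4 is the number of selectors
        ts_type, proto, slen, sport, eport = struct.unpack(">BBHHH", payload[off:off + 8])
        if ts_type != TS_IPV4_ADDR_RANGE:
            raise ValueError(f"unsupported TS type {ts_type}")
        start = str(ipaddress.IPv4Address(payload[off + 8:off + 12]))
        end = str(ipaddress.IPv4Address(payload[off + 12:off + 16]))
        out.append((proto, start, end, sport, eport))
        off += slen
    return out


def narrow(offered, configured):
    """RFC 7296 section 2.9 narrowing: the intersection of two selectors, or None."""
    op, os_, oe, osp, oep = offered
    cp, cs, ce, csp, cep = configured
    if op and cp and op != cp:  # protocol 0 means any and may be narrowed to either side's
        return None
    start = max(ipaddress.IPv4Address(os_), ipaddress.IPv4Address(cs))
    end = min(ipaddress.IPv4Address(oe), ipaddress.IPv4Address(ce))
    sport, eport = max(osp, csp), min(oep, cep)
    if start > end or sport > eport:
        return None
    return (op or cp, str(start), str(end), sport, eport)


def negotiate(mikrotik_protocol):
    """MikroTik (10.0.0.2) initiates CREATE_CHILD_SA toward the FortiGate (10.0.0.1)."""
    ts_i, ts_r = routeros_policy_selectors("10.0.0.2", "10.0.0.1", mikrotik_protocol)
    wire_i, wire_r = encode_ts([ts_i], next_payload=45), encode_ts([ts_r])  # 45 = TSr follows
    got_i, got_r = decode_ts(wire_i)[0], decode_ts(wire_r)[0]  # what the FortiGate parses
    fgt_local, fgt_remote = fortios_phase2_selectors("10.0.0.1", "10.0.0.2", protocol=47)
    return {"tsi_hex": wire_i.hex(),
            # exact comparison, the way both logs in the thread describe it
            "strict_match": (got_i, got_r) == (fgt_remote, fgt_local),
            # what a narrowing responder could have agreed on instead
            "narrowed": (narrow(got_i, fgt_remote), narrow(got_r, fgt_local))}


if __name__ == "__main__":
    for proto in ("all", "gre"):
        print(f"MikroTik policy protocol={proto}: {negotiate(proto)}")
```

With `protocol=all` the MikroTik offers IP protocol 0 against a FortiGate selector that requires 47 and the exact comparison fails, as in the debug; with `protocol=gre` it succeeds. The narrowing result shows that a responder could have agreed on 47 from an “any” offer, but neither log in the thread shows that happening, so matching the protocol on both ends is the reliable fix. The same consistency applies to addresses: whichever way round your lab is, the phase 1 `remote-gw`, the gre-tunnel gateways and the MikroTik policy src/dst must all name the same pair of WAN addresses, because in transport mode the ESP selectors are the gateways themselves.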