Hi
so I have IKEv2 + GRE working between a CHR and a Fortigate in tunnel mode and from the Fortigate I can ping the IP of the loopback bridge which was created on the Mikrotik but vice versa, from the Mikrotik I can’t ping the corresponding IP of the tunnel interface of the Fortigate. Pings are allowed and rules are in place on the Fortigate. If I only allow GRE traffic from the Forti to the Tik, GRE tunnel gets connected immediately. If I only allow the other way, from the Tik to the Forti, the tunnel stays down.
It seems to me that the Mikrotik is missing a route or something and can't initiate a connection to the IP of the Fortigate.
Where to look? Any NAT/masquerade exceptions to make on the Mikrotik?
Various firewall rules are in place but it still doesn’t work if I put “allow all” rules on top of the chains.
I can post the whole config of both sides, or just let me know which parts could be interesting.
Thanks!
hi.
It seems to me that the Mikrotik is missing a route or something and can't initiate a connection to the IP of the Fortigate.
Where to look? Any NAT/masquerade exceptions to make on the Mikrotik?
Various firewall rules are in place but it still doesn’t work if I put “allow all” rules on top of the chains.
how about showing us the output from both devices where the tunnel is activated:
show which device acts as the server?
show ip interface brief
show ip route list
show ip filter list, if any.
show ip lan subnet, for both sides.
Hi,
what output do you mean? Also I don't know about these Cisco commands. Here are the configs though:
The IPSEC tunnel is up btw, the MT just can’t initiate a GRE tunnel to the Fortigate, but the other direction works just fine.
I mostly want to understand why the MT can’t initiate the GRE tunnel.
Mikrotik:
# mar/26/2023 01:17:11 by RouterOS 7.8
# software id =
#
/interface bridge
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
/interface gre
add local-address=192.168.99.1 name=GRE-FGT remote-address=192.168.99.5
add local-address=192.168.99.1 name=GRE-LAB36 remote-address=192.168.99.2
add local-address=192.168.99.1 name=GRE-LAB3532 remote-address=192.168.99.3
/interface list
add name=trusted_FullyMeshedVPN-Interfaces
add name=trusted_Internal-Interfaces
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add address=192.168.99.3 address-prefix-length=32 name=LAB3532 split-include=192.168.99.1/32 system-dns=no
/ip ipsec policy group
add name=LAB3532
/ip ipsec profile
add dh-group=modp8192 enc-algorithm=aes-256 hash-algorithm=sha512 name=LAB36 nat-traversal=no prf-algorithm=sha512 proposal-check=strict
add dh-group=modp8192 enc-algorithm=aes-256 hash-algorithm=sha512 name=LAB3532 nat-traversal=no prf-algorithm=sha512 proposal-check=strict
add dh-group=modp8192 enc-algorithm=aes-256 hash-algorithm=sha512 name=FGT nat-traversal=no proposal-check=strict
/ip ipsec peer
add address=192.168.37.34/32 exchange-mode=ike2 name=LAB36 profile=LAB36
add address=192.168.37.1/32 exchange-mode=ike2 name=FGT profile=FGT
add exchange-mode=ike2 name=LAB3532 passive=yes profile=LAB3532
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=LAB36 pfs-group=modp8192
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=LAB3532 pfs-group=modp8192
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=FGT pfs-group=modp8192
/port
set 0 name=serial0
set 1 name=serial1
/ip neighbor discovery-settings
set protocol=""
/interface list member
add interface=GRE-LAB36 list=trusted_FullyMeshedVPN-Interfaces
add interface=GRE-LAB3532 list=trusted_FullyMeshedVPN-Interfaces
add interface=ether1 list=trusted_Internal-Interfaces
add interface=ether2 list=trusted_Internal-Interfaces
add interface=GRE-FGT list=trusted_FullyMeshedVPN-Interfaces
/ip address
add address=192.168.35.14/28 interface=ether1 network=192.168.35.0
add address=192.168.35.30/28 interface=ether2 network=192.168.35.16
add address=192.168.37.18/28 interface=ether3 network=192.168.37.16
add address=192.168.99.1 interface=loopback network=192.168.99.1
add address=10.0.0.1/30 interface=GRE-LAB36 network=10.0.0.0
add address=10.0.0.5/30 interface=GRE-LAB3532 network=10.0.0.4
add address=10.0.0.14/30 interface=GRE-FGT network=10.0.0.12
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.35.0/28 list=trusted_LAB-Networks
add address=192.168.35.16/28 list=trusted_LAB-Networks
add address=192.168.35.32/28 list=trusted_LAB-Networks
add address=192.168.35.48/28 list=trusted_LAB-Networks
add address=192.168.36.0/28 list=trusted_LAB-Networks
add address=192.168.36.16/28 list=trusted_LAB-Networks
add address=192.168.25.0/24 list=trusted_LAB-Networks
/ip firewall filter
add action=accept chain=input dst-port=500,4500 in-interface=ether3 protocol=udp src-address=192.168.37.0/24
add action=accept chain=input in-interface=ether3 protocol=ipsec-esp src-address=192.168.37.0/24
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=new in-interface-list=trusted_Internal-Interfaces src-address-list=trusted_LAB-Networks
add action=accept chain=input connection-state=new in-interface-list=trusted_FullyMeshedVPN-Interfaces src-address-list=trusted_LAB-Networks
add action=accept chain=input in-interface=ether3 protocol=icmp
add action=accept chain=input connection-state=new dst-port=8291 protocol=tcp src-address=192.168.25.0/24
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid protocol=!gre
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether3
add action=accept chain=forward connection-state=new in-interface-list=trusted_Internal-Interfaces src-address-list=trusted_LAB-Networks
add action=accept chain=forward connection-state=new in-interface-list=trusted_FullyMeshedVPN-Interfaces src-address-list=trusted_LAB-Networks
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3 protocol=!gre src-address=192.168.35.0/28
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3 protocol=!gre src-address=192.168.35.16/28
/ip ipsec identity
add my-id=key-id:LAB35 peer=LAB36 remote-id=key-id:LAB36
add generate-policy=port-strict mode-config=LAB3532 peer=LAB3532 policy-template-group=LAB3532
add my-id=key-id:LAB35 peer=FGT remote-id=key-id:FGT-LAB35
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.99.2/32 peer=LAB36 proposal=LAB36 src-address=192.168.99.1/32 tunnel=yes
add dst-address=192.168.99.3/32 group=LAB3532 proposal=LAB3532 src-address=192.168.99.1/32 template=yes
add dst-address=192.168.99.5/32 peer=FGT proposal=FGT protocol=gre src-address=192.168.99.1/32 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=192.168.36.16/28 gateway=GRE-LAB36 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.99.2/32 gateway=loopback pref-src=192.168.35.30 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.37.17 pref-src=192.168.37.18 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.36.0/28 gateway=GRE-LAB36 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.35.32/28 gateway=GRE-LAB3532 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.35.48/28 gateway=GRE-LAB3532 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.99.3/32 gateway=loopback pref-src=192.168.35.30 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.25.0/24 gateway=GRE-FGT routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.99.5/32 gateway=loopback pref-src=192.168.35.30 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name=LAB35RT14
Fortigate:
config system interface
edit "LAB35"
set vdom "root"
set ip 192.168.99.5 255.255.255.255
set allowaccess ping
set type tunnel
set snmp-index 43
set interface "NNET25-DMZ3700"
next
edit "GRE-LAB35"
set vdom "root"
set ip 10.0.0.13 255.255.255.255
set type tunnel
set remote-ip 10.0.0.14 255.255.255.252
set snmp-index 44
set interface "LAB35"
next
end
config firewall address
edit "gre_NNET25-LAB35"
set uuid a8726b3c-caab-51ed-b37f-ef06261e435b
set subnet 192.168.99.5 255.255.255.255
next
edit "gre_LAB35-NNET25"
set uuid bdb93fac-caab-51ed-883a-ccec684a7904
set subnet 192.168.99.1 255.255.255.255
next
edit "net_LAB3500"
set uuid 559ec1a2-caac-51ed-f0aa-98148f51bb5e
set subnet 192.168.35.0 255.255.255.240
next
edit "net_LAB3516"
set uuid 70dd4d26-caac-51ed-d891-791f13606fb9
set subnet 192.168.35.16 255.255.255.240
next
end
config vpn ipsec phase1-interface
edit "LAB35"
set type dynamic
set interface "NNET25-DMZ3700"
set ike-version 2
set keylife 28800
set peertype one
set proposal aes256-sha512
set localid "FGT-LAB35"
set dpd on-idle
set dhgrp 18
set nattraversal disable
set peerid "LAB35"
set psksecret ENC rf4vTE6DTYaWNmdZgEHKwKk28jaDB/4eYFBtBGK3L7ZHHeXap358GfkX0LwlbqVOvUheo3MK+PHS0y+TIgAnypmmf7ZvsXWH9mPEDnRVJ/LiGzRCTM12VL5ZoWajBWlY+ued4r4q0udAKjjH+1UGz4s9rMQ4VmH/6NmygqQovauGM9GLVNZ3Tfz7eO9Rvc8LHDWmaA==
set dpd-retryinterval 5
next
end
config vpn ipsec phase2-interface
edit "LAB35"
set phase1name "LAB35"
set proposal aes256-sha512
set dhgrp 18
set protocol 47
set keylifeseconds 1800
set src-subnet 192.168.99.5 255.255.255.255
set dst-subnet 192.168.99.1 255.255.255.255
next
end
config system gre-tunnel
edit "GRE-LAB35"
set interface "LAB35"
set remote-gw 192.168.99.1
set local-gw 192.168.99.5
next
end
config firewall policy
edit 218
set uuid 88026fa2-ca86-51ed-10fc-11575113c9a0
set srcintf "GRE-LAB35"
set dstintf "internal-switch"
set srcaddr "net_LAB3500" "net_LAB3516"
set dstaddr "net_NNETVIE15-LAN"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
edit 219
set uuid 99aa87ee-ca86-51ed-f887-f44e84d4a49d
set srcintf "internal-switch"
set dstintf "GRE-LAB35"
set srcaddr "net_NNETVIE15-LAN"
set dstaddr "net_LAB3500" "net_LAB3516"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
next
edit 224
set uuid e26475e2-caab-51ed-08da-2d03155827b6
set srcintf "LAB35"
set dstintf "GRE-LAB35"
set srcaddr "gre_LAB35-NNET25"
set dstaddr "gre_NNET25-LAB35"
set action accept
set schedule "always"
set service "GRE"
set logtraffic all
set fsso disable
set comments "Reverse of 221"
next
end
hi.
well, I am really way too old to read such a very long config
heheh... I am sorry, so I could only read it partially.
on the Fortigate side, could this be the issue why the MT can't initiate the connection?
set nattraversal disable
ESP/AH should have NAT traversal enabled for the connection to be established from the peers.
I’ve enabled nat-t now on both sides but still no luck, unfortunately.
Do I need any route on the Mikrotik side for 192.168.99.5/32 to go into the tunnel? Do I need a srcnat allow rule on the MT side?
I have a feeling that I’m missing something on the MT side and I wasn’t able to pinpoint it. Not even using the packet sniffer extensively… 
hi @azzurro
Do I need any route on the Mikrotik side for 192.168.99.5/32 to go into the tunnel? Do I need a srcnat allow rule on the MT side?
like I said previously,
show us that your tunnels are up, and that they both have installed routes for both remote ends.
if both devices have their tunnels up but no traffic goes inside the tunnels, then the problem lies within the upper layer, i.e.
ip route print.
ip firewall filter print.
traceroute, from between the endpoints, not between the routers, to see that split tunneling.
but please, make those outputs short, will you?
if you performed port address translation, aka masquerade, you should allow NAT traversal for IP protocol 50, 51, UDP 500 and 4500, and GRE 47 to pass through the firewall, unaltered. prerouting, accept.
and, don’t forget to see your ipsec log.
Wireshark is good, but not necessary.
good luck 
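As an added example (not part of the thread, and not MikroTik or Fortinet code), here is a small Python linter that runs the checklist from the last reply over a RouterOS export offline: it reports masquerade rules that do not exclude IPsec-bound packets, resolves the route each tunnel-mode IPsec policy's remote endpoint would use, and lists which of IKE (UDP 500/4500), ESP and GRE have an explicit accept in the input chain. The embedded sample export is a constructed subset of the MikroTik config posted above plus one hypothetical masquerade rule for 10.10.10.0/24 that deliberately lacks the `ipsec-policy=out,none` match so the linter has something to flag. The parser assumes the `add key=value ...` line format of a RouterOS 7 `/export`; it understands comma-separated port lists only (not ranges), and treats any masquerade rule without `ipsec-policy=out,none` as a finding even if it is excluded some other way (for example via a dst-address list).

```python
"""Offline lint of a RouterOS export for the checks raised in the thread:
masquerade rules that leave IPsec alone, an installed route for each tunnel
policy's remote end, and input-chain accepts for IKE, ESP and GRE.
Added example, not from the thread. Assumes the 'add key=value ...' line
format that RouterOS 7 /export produces."""
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the MikroTik export posted in the thread,
# plus one hypothetical masquerade rule (10.10.10.0/24) that deliberately
# lacks the ipsec-policy exclusion so the linter has something to report.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input dst-port=500,4500 in-interface=ether3 protocol=udp src-address=192.168.37.0/24
add action=accept chain=input in-interface=ether3 protocol=ipsec-esp src-address=192.168.37.0/24
add action=accept chain=input connection-state=established,related
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3 protocol=!gre src-address=192.168.35.0/28
add action=masquerade chain=srcnat out-interface=ether3 src-address=10.10.10.0/24
/ip ipsec policy
add dst-address=192.168.99.5/32 peer=FGT proposal=FGT protocol=gre src-address=192.168.99.1/32 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.37.17 pref-src=192.168.37.18 routing-table=main
add disabled=no distance=1 dst-address=192.168.99.5/32 gateway=loopback pref-src=192.168.35.30 routing-table=main
"""


def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} for every 'add' line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as /ip route
            current = line
            sections.setdefault(current, [])
            continue
        if line.startswith("add ") and current is not None:
            entry = {}
            for tok in shlex.split(line[4:]):   # shlex strips pref-src="" quotes
                key, _, value = tok.partition("=")
                entry[key] = value
            sections[current].append(entry)
    return sections


def masquerade_findings(cfg):
    """src-address of srcnat masquerade rules that can rewrite IPsec-bound packets.
    A rule is fine when it matches only packets with no outgoing IPsec policy
    (ipsec-policy=out,none); any other masquerade rule is reported."""
    bad = []
    for rule in cfg.get("/ip firewall nat", []):
        if rule.get("chain") != "srcnat" or rule.get("action") != "masquerade":
            continue
        if rule.get("ipsec-policy") != "out,none":
            bad.append(rule.get("src-address", "any"))
    return bad


def route_for(cfg, dst):
    """Longest-prefix match among enabled routes; returns (prefix, gateway) or None."""
    target, best = ip_address(dst.split("/")[0]), None
    for r in cfg.get("/ip route", []):
        if r.get("disabled") == "yes":
            continue
        net = ip_network(r.get("dst-address", "0.0.0.0/0"), strict=False)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r.get("gateway"))
    return None if best is None else (str(best[0]), best[1])


def policy_routes(cfg):
    """Map each enabled tunnel-mode IPsec policy's remote endpoint to its route."""
    return {
        p["dst-address"]: route_for(cfg, p["dst-address"])
        for p in cfg.get("/ip ipsec policy", [])
        if p.get("tunnel") == "yes" and p.get("disabled") != "yes"
    }


def input_accepts(cfg):
    """Which of IKE (udp/500, udp/4500), ESP and GRE have an explicit accept in chain input."""
    want = {"udp/500": False, "udp/4500": False, "ipsec-esp": False, "gre": False}
    for rule in cfg.get("/ip firewall filter", []):
        if rule.get("chain") != "input" or rule.get("action") != "accept":
            continue
        proto = rule.get("protocol", "")
        if proto == "udp":
            for port in rule.get("dst-port", "").split(","):   # comma lists only
                if f"udp/{port}" in want:
                    want[f"udp/{port}"] = True
        elif proto in want:
            want[proto] = True
    return want


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    print("masquerade rules without ipsec-policy=out,none:", masquerade_findings(cfg))
    print("route used per tunnel policy dst:", policy_routes(cfg))
    print("input chain accepts:", input_accepts(cfg))
```

Run against the sample, the linter flags only the hypothetical 10.10.10.0/24 masquerade rule, shows that the policy endpoint 192.168.99.5/32 resolves to the /32 route with gateway `loopback` rather than the default route, and shows that the input chain has explicit accepts for UDP 500/4500 and ESP but none for GRE. Those three outputs are exactly what the replies ask the poster to show; whether any of them is the cause is still something to confirm with `/ip route print`, `/ip firewall filter print` and the IPsec log on the live box.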