IPsec traffic goes out but won't receive any packets

Hi all,
I am new to MikroTik.
Please help me. I am on the verge of giving up on MikroTik.

I have an IPsec connection set up with a Fortigate.
The tunnel is up
and running, but when I am sending traffic from the MikroTik to the Fortigate I can see the packets going out from the Fortigate IPsec interface but 0 received packets from the MikroTik side.

I am doing NAT on both sides.
I have added an SNAT in the MikroTik to translate the local IP addresses 192.168.X.Y to a transitional 10.10.x.X, and added a route in the MikroTik to forward all traffic to 10.10.x.X to 10.10.5.4 (the IPsec VPN interface IP on the Fortigate side). Now I am receiving the packets on the Fortigate side and I can see the answering packets going out of the Fortigate side, but nothing in the MikroTik.

Do I have to add some type of rule in the firewall, or do DNAT, to work this out, or what? Also, as far as I know there is no IPsec interface in MikroTik, so how can I set an IP address on IPsec in MikroTik?
I am really new to MikroTik, so please be patient with me. I am ready to learn and read.
I have searched the posts but didn't find one describing my case.

I am trying to sniff packets in the MikroTik but to no avail; I can't seem to find the traffic coming from the Fortigate.
(attached screenshots: Capture1.JPG, Capture2.JPG, Capture3.JPG, Capture.JPG, Untitled.jpg)

I was getting "reply ignored", so I tried to change the IPsec IKE v2 to v1 and it solved the problem of the "reply ignored" log, but the traffic is still one-sided.
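The post above asks how to see the Fortigate's return traffic on a router that has no IPsec interface to put an address on or to sniff. The commands below are an added troubleshooting example, not part of the original thread, showing where a policy-based RouterOS tunnel exposes that traffic: SA byte counters, ESP on the physical WAN port, and the decrypted packets as they pass the forward chain. The WAN port name (ether1) and the Fortigate public IP (203.0.113.10) are placeholders.

```routeros
# Added example (not from the thread): checks for "traffic goes out but
# nothing comes back" on a policy-based RouterOS IPsec tunnel.
# Assumptions (placeholders): WAN port is ether1, the Fortigate's public
# IP is 203.0.113.10, the far-side LAN is 10.10.5.0/24.

# 1. Is phase 2 really up, and is anything being *received*?
#    ph2-state must be "established". On installed-sa the inbound SA
#    (the one whose dst-address is this router's WAN IP) should show
#    current-bytes growing while the far side sends. Growing outbound
#    bytes with zero inbound bytes means ESP never arrives at all:
#    the problem is on the path, not in the MikroTik firewall.
/ip ipsec active-peers print
/ip ipsec policy print detail
/ip ipsec installed-sa print

# 2. Look for ESP from the Fortigate on the WAN port. Encrypted packets
#    are the only tunnel traffic the sniffer can show on a physical
#    interface; there is no "ipsec interface" on RouterOS on which the
#    decrypted payload would appear.
/tool sniffer quick interface=ether1 ip-protocol=ipsec-esp ip-address=203.0.113.10

# 3. See the decrypted return traffic in the firewall instead.
#    action=log does not stop rule processing, so a log rule moved to
#    the top of forward prints every packet that arrived through an
#    IPsec policy without changing what is accepted. Remove it when done.
/ip firewall filter add chain=forward action=log ipsec-policy=in,ipsec log-prefix="esp-in:" comment="dbg-esp-in"
/ip firewall filter move [find comment="dbg-esp-in"] 0
/log print follow-only where message~"esp-in:"
# when finished:
/ip firewall filter remove [find comment="dbg-esp-in"]

# 4. IKE detail for "reply ignored" or proposal/DH-group mismatches.
/system logging add topics=ipsec,!packet action=memory
/log print follow-only where topics~"ipsec"

# 5. Check the NAT table: the outbound connection to the far LAN should
#    show the translated source, and reply-dst should be the LAN host.
/ip firewall connection print detail where dst-address~"10.10.5."
```

If step 1 shows no inbound bytes and step 2 shows no ESP from the peer's address, the MikroTik configuration cannot be the cause; something between the two routers is dropping or filtering the ESP/UDP 4500 traffic.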

It's not so crazy, there is no need to give up MikroTik :slight_smile: I have created IPsec connections for MikroTik-Fortigate and everything works correctly.

  1. The MT tunnel can't work correctly for you, because the firewall entries on the MikroTik end are in a complete mix. The flow of traffic packets will not be correct. All this also affects safety! Fix the firewall. I will try to copy you an example.
    Masquerade fixes... Leave only out-interface=WAN. We only use address-lists. In the NAT section, you can fix the rule above Masquerade.
    src-nat = src-address (subnet x.x.x.x/24) and dst-address (x.x.x.x/24)
  2. On the Fortigate side, check whether you have the correct Phase 1 and whether the DH group matches the MikroTik side. Also check Phase 2.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input src-address-list=Local-LAN comment="Config Access"
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \
    src-address-list=VPN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(attached screenshots: ipsec.JPG, forti.jpg)

I have configured the settings as you have, only I used stricter security, SHA256 and AES-256, but without PFS.
The tunnel is up but the traffic is one-sided.

I can send the supout.rif.
(attached screenshots: rep2.JPG, rep3.JPG, rep1.JPG)

The traffic is going out of the MikroTik but not coming back.

OK, use stronger encryption. It is everyone's personal business.
But I would recommend starting with the MikroTik side. If you get the mix right, I think you will get the result.
I already wrote that there is a mix on the MikroTik side. To be more precise, you are missing rules that ensure normal traffic operation. Read carefully and take a look at my firewall example.
INPUT CHAIN → To the router or to router services. Directional flow is WAN to router, and LAN to router.
FORWARD CHAIN → Through the router. Directional flow is LAN to LAN, LAN to WAN, WAN to LAN.
OUTPUT CHAIN → From the router. Directional flow is router to WAN.

Both the input chain and the forward chain end with a rule specified as drop all. That is correct. You don't have these rules. The rules are executed from top to bottom and their order also matters.

Thank you very much,
let me try.
And can you tell me how to modify and delete a picture, for example, from the post?

So should I have my policies in the exact order that you wrote?

Take "edit post" and under "attachments" you will see the option "add" or "delete".
(attached screenshot: att.jpg)

Yes, it would be desirable. In general, we always take the "default" firewall as the basis for everything and then supplement it with the entries we need. That's exactly what I have. Of course, look for yourself and fix what you have: WAN, what you have LAN... VPN and the rest.

Thank you, I wasn't seeing it at first.
I had to add another picture to see the attachment part.

good luck :slight_smile:

Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; to INET
chain=forward action=accept src-address=192.168.10.0/24
in-interface-list=LAN out-interface-list=WAN log=no log-prefix=""

2 ;;; FOR Established connections
chain=input action=accept connection-state=established,related,untracked
log=no log-prefix=""

3 ;;; FOR Established connections
chain=forward action=accept
connection-state=established,related,untracked log=no log-prefix=""

4 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

5 ;;; allow dst-nat from both WAN and LAN (including port forwarding)
chain=forward action=accept connection-nat-state=dstnat

6 ;;; for IP SEC
chain=input action=accept protocol=icmp src-address-list=AMX
in-interface-list=WAN log=no log-prefix=""

7 ;;; IKE IPSec
chain=input action=accept protocol=ipsec-esp in-interface-list=WAN

8 ;;; L2TP
chain=input action=accept protocol=udp in-interface-list=WAN
dst-port=500,1701,4500

9 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

10 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

11 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes
connection-state=established,related

12 ;;; Config Access
chain=input action=accept src-address=192.168.10.0/24 log=no
log-prefix=""

13 ;;; for IP SEC UDP
chain=input action=accept protocol=udp src-address-list=AMX
in-interface-list=WAN dst-port=500 log=yes log-prefix=""

14 ;;; for IP SEC TCP IKEV2
chain=input action=accept protocol=tcp src-address-list=AMX
in-interface-list=WAN dst-port=4500 log=no log-prefix=""

15 chain=forward action=accept src-address=192.168.10.18
dst-address=10.245.0.11 in-interface-list=LAN log=no log-prefix=""

16 chain=forward action=accept src-address=10.245.0.11
dst-address=192.168.10.18 log=no log-prefix=""

17 ;;; INVALID
chain=forward action=drop connection-state=invalid
connection-nat-state="" in-interface-list=WAN log=no log-prefix=""

18 ;;; INVALID
chain=input action=drop connection-state=invalid connection-nat-state=""
in-interface-list=WAN log=no log-prefix=""

19 ;;; INVALID
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

20 ;;; VPN
chain=forward action=accept src-address-list=VPN
dst-address-list=Local-LAN

21 ;;; drop all else
chain=forward action=drop

It is still one-sided. What am I doing wrong?

Question - why does your firewall start with -
1 to INET
chain=forward action=accept src-address=192.168.10.0/24
in-interface-list=LAN out-interface-list=WAN log=no log-prefix=""
In my example, which is safe to use, the order is completely different. You have thrown away the records. I gave you a ready-made example that you can use. I also have the same configuration. Everything works perfectly.
I can't do everything 100% for you, so try to slowly go through the configuration that I copied. Look at both ends at what happens with the IPsec profile and proposals. I think you haven't looked at them.
Recommendation: use address-lists. Have you defined your existing IP addresses correctly?
If you use address-lists, you will no longer need to write numeric IP addresses in the firewall itself. You will specify only LAN, WAN, etc. It will be much more correct. You have to go through the whole configuration. Just changing the firewall rules by "copy-paste" probably won't change anything.
Have you looked at the NAT section? Probably not...
Example:

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=bridge2 list=LAN2
/ip firewall address-list
add address=192.168.1.0/24 list=Local-LAN
add address=192.168.2.0/24 list=Guest
add address=192.168.3.240-192.168.3.245 list=VPN

Question - why does your firewall start with -
1 to INET

I am working remotely with AnyDesk on this device.

chain=forward action=accept src-address=192.168.10.0/24
in-interface-list=LAN out-interface-list=WAN log=no log-prefix=""
In my example, which is safe to use, the order is completely different. You have thrown away the records. I gave you a ready-made example that you can use. I also have the same configuration. Everything works perfectly.

OK, I will retry it with an exact copy-paste.

I can't do everything 100% for you, so try to slowly go through the configuration that I copied. Look at both ends at what happens with the IPsec profile and proposals. I think you haven't looked at them.

No, I copied them; tell me if I missed anything, but other than the difference in SHA and AES the rest is the same. I even took out the PFS. I also tried with IKE v1 and v2.

Recommendation: use address-lists. Have you defined your existing IP addresses correctly?

No, but I will use it to avoid making human mistakes.

If you use address-lists, you will no longer need to write numeric IP addresses in the firewall itself. You will specify only LAN, WAN, etc. It will be much more correct. You have to go through the whole configuration. Just changing the firewall rules by "copy-paste" probably won't change anything.

Have you looked at the NAT section? Probably not...

I have the src-nat working but I don't know if I need DNAT also. I will try what you were telling me in your first post.

Example:

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=bridge2 list=LAN2
/ip firewall address-list
add address=192.168.1.0/24 list=Local-LAN
add address=192.168.2.0/24 list=Guest
add address=192.168.3.240-192.168.3.245 list=VPN


For more information: https://getlabsdone.com/how-to-setup-an-ipsec-site-to-site-vpn-between-mikrotik-and-fortigate/

Thank you all. My configuration was right; the problem was that in between the devices another company was sitting (security) and filtering traffic. I am closing the case.
And the end result is this:
It works with IKE v2 even without any router filter. You just need to set the NATs right and set the subnet for the IPsec right.

johnson73, thank you very much for the time and patience and the effort that you put forward for me.