IPsec from NAT

gedO · February 21, 2015, 11:30am

Hello,
I want to create VPN connection using IPsec for two networks and one end is behind NAT like shown in picture

Device B is connecting to device A for IPsec tunneling. Device B is MikroTik RB750, OS version 6.27. Device A is FortiGate 60D. In MikroTik side log says:

phase1 negotiation failed due to send error. Y.Y.Y.Y:[500] <=> X.X.X.X[500] RANDOM NUMBERS: 0000000000000000

In FortiGate side log says that

request is on the queue

and

using existing connection

Can someone say what is wrong? In IPsec configuration NAT-T is enabled on both sides

troffasky · February 21, 2015, 3:28pm

I have a remote site with similar setup [Sonicwall at the other end tho, not Fortigate] and it works fine. Are you using aggressive mode?

gedO · February 21, 2015, 4:17pm

No, I’m using main mode. How Aggressive mode influence that?

troffasky · February 22, 2015, 10:45am

I don’t know the technical details, but I’ve only ever got site-to-site IPsec tunnels working from behind NAT if aggressive mode is used. Actually it occurs to me that whenver I have to IPsec from behind NAT, the IP is dynamic as well, and that’s why aggressive mode is used. Sorry for the slight bit of misinformation there!

gedO · February 23, 2015, 8:28am

I have found my problem. ISP device blocks IPsec traffic to my server side (device A).