IPSec SA Not Receiving Packets

I feel like this one is just me missing something incredibly simple, but my noodle seems cooked enough that I need a fresh set of eyes. The situation is that we have an IPSec S2S tunnel from a local MikroTik (192.168.2.0/24) to a remote FortiGate (192.168.1.0/24). They’re routing over public IP, using ESP to transfer packets, IKEv2, nothing too fancy. The tunnel comes up just fine, and both SAs get established on each end. What’s killing me here is that on the FortiGate end I’m seeing packets arrive and depart on their respective SAs just fine, but on the MikroTik end I’m just seeing packets going out, nothing arriving on the FortiGate->MikroTik SA. I can see the FortiGate’s IPSec traffic arriving just fine in the Packet Sniffer, so I know it’s making it as far as the MikroTik itself, but something is breaking during or shortly after decryption, and I’d appreciate any insight my colleagues here can lend.

For config on the MikroTik end we have:

# Filter: let ESP reach the router itself, and accept the two tunnel subnets in
# forward ahead of the fasttrack rule so tunnel traffic is never fasttracked past IPsec.
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# NAT: the accept rule must sit above masquerade, otherwise LAN->remote traffic is
# source-NATed to the WAN address and no longer matches the IPsec policy selector.
/ip firewall nat
add action=accept chain=srcnat comment="Used to avoid NAT on packets going over the IPSec tunnel" dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

# IPsec: phase 1 (profile/peer/identity) and phase 2 (proposal/policy). The policy's
# src/dst pair is what gets sent as the IKEv2 traffic selectors (TSi/TSr).
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=s2s-profile
/ip ipsec peer
add address=XXX.XXXX.XXX.66/32 exchange-mode=ike2 name=s2s-peer profile=s2s-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=s2s-proposal pfs-group=modp2048
/ip ipsec identity
add peer=s2s-peer secret="**********"
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 peer=s2s-peer proposal=s2s-proposal src-address=192.168.2.0/24 tunnel=yes

As I said, this is almost a textbook example of an S2S VPN, and I’m positive I’m missing something simple, but I’ve been staring at it too long. Any ideas are greatly appreciated.

Figured it out. The traffic selector was wrong on the FortiGate side. I knew as soon as I posted about this I’d figure it out 🙂
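Since the fix turned out to be the phase-2 selectors, here is an added example (not from the post or from either vendor) that models how IKEv2 traffic selectors are agreed and then enforced, using only the Python standard library. It assumes single-prefix selectors (both boxes also support ranges, which are not modelled), treats the MikroTik policy above as the initiator's selectors, and the three FortiGate selector sets are hypothetical. The point it demonstrates: the responder may narrow what the initiator proposes (RFC 7296 section 2.9), non-overlapping selectors produce no child SA at all, and a decrypted packet that falls outside the negotiated selectors is dropped after decryption, which is why ESP can be visible in a sniffer while the inbound SA counters never move.

```python
"""IKEv2 traffic-selector negotiation and post-decryption selector check (added example)."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import NamedTuple, Optional


class Selectors(NamedTuple):
    """One side's phase-2 selector pair: the subnet it protects and the peer's subnet."""
    local: IPv4Network
    remote: IPv4Network


def narrow(proposed: IPv4Network, configured: IPv4Network) -> Optional[IPv4Network]:
    """Responder narrowing: keep the overlap of a proposed selector and the responder's
    configured one. With prefix selectors the overlap is whichever network is contained
    in the other; disjoint prefixes have no overlap at all."""
    if proposed.subnet_of(configured):
        return proposed
    if configured.subnet_of(proposed):
        return configured
    return None


def negotiate_child_sa(initiator: Selectors, responder: Selectors) -> Optional[Selectors]:
    """Return the child SA selectors from the initiator's point of view, or None where the
    responder would answer TS_UNACCEPTABLE. The initiator's TSi is its own local subnet,
    so the responder matches it against its *remote* selector, and TSr against its local."""
    tsi = narrow(initiator.local, responder.remote)
    tsr = narrow(initiator.remote, responder.local)
    if tsi is None or tsr is None:
        return None
    return Selectors(local=tsi, remote=tsr)


def inbound_accepted(sa: Selectors, src: str, dst: str) -> bool:
    """Receiving-side check after ESP decryption: the inner packet must go from the peer's
    selector to ours, or it is discarded even though the ESP packet itself arrived and
    decrypted correctly."""
    return ip_address(src) in sa.remote and ip_address(dst) in sa.local


# Initiator selectors taken from the MikroTik policy in the post.
MIKROTIK = Selectors(ip_network("192.168.2.0/24"), ip_network("192.168.1.0/24"))

# Hypothetical FortiGate phase-2 selector sets (assumptions, not the poster's real config).
FORTIGATE_MIRROR = Selectors(ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24"))
FORTIGATE_WIDE = Selectors(ip_network("192.168.0.0/16"), ip_network("192.168.2.0/24"))
FORTIGATE_WRONG = Selectors(ip_network("192.168.1.0/24"), ip_network("192.168.3.0/24"))


if __name__ == "__main__":
    for name, fgt in (("mirror", FORTIGATE_MIRROR), ("wide", FORTIGATE_WIDE), ("wrong", FORTIGATE_WRONG)):
        sa = negotiate_child_sa(MIKROTIK, fgt)
        print(f"MikroTik initiates vs FortiGate '{name}': {sa if sa else 'TS_UNACCEPTABLE, no child SA'}")
    # The wide FortiGate initiating gets narrowed to the MikroTik policy's /24.
    print("FortiGate 'wide' initiates:", negotiate_child_sa(FORTIGATE_WIDE, MIKROTIK))
    sa = negotiate_child_sa(MIKROTIK, FORTIGATE_MIRROR)
    print("inbound 192.168.1.20 -> 192.168.2.10:", inbound_accepted(sa, "192.168.1.20", "192.168.2.10"))
    print("inbound 192.168.5.7 -> 192.168.2.10:", inbound_accepted(sa, "192.168.5.7", "192.168.2.10"))
```

Run it and compare the "wide" case with "wrong": the wide FortiGate still ends up with exactly the MikroTik's /24 pair after narrowing, whereas disjoint remote subnets never produce a child SA, and a 192.168.5.7 source is dropped by the selector check on the receiving side even though it decrypted fine.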