IPSec to Fortigate 100A

I am trying to set up an IPSec VPN to a Fortigate 100A, in preparation to eventually replace our routers with Mikrotik routers, but I cannot seem to get the VPN to work right.

The problem I am experiencing now is that I see the SAs installed on the Mikrotik, I see the tunnel is up on the Fortigate, but I cannot pass traffic through the Mikrotik.

10.202.208.0/24 <--> 10.202.208.1 (Fortigate) 1.1.1.1 <--> Internet <--> 2.2.2.2 (Mikrotik) 10.200.7.1 <--> 10.200.7.0/24

When I ping from 10.202.208.2 to 10.200.7.2, the packets do not make it to 10.200.7.2. I do see them coming through the Mikrotik, passing through the following:

  • Mangle Prerouting ESP
  • Mangle Input ESP
  • Firewall Input ESP
  • Mangle Prerouting ICMP
  • NAT Dstnat ICMP

and that is it – just to be clear, it does NOT go through Mangle or Filter Forward tables.

When I ping from 10.202.208.2 to 10.200.7.1 (the Mikrotik itself), it does work, and the packets go through:

  • Mangle Prerouting ESP
  • Mangle Input ESP
  • Firewall Input ESP
  • Mangle Prerouting ICMP
  • Mangle Input ICMP
  • Firewall Input ICMP
  • And similarly for the outbound reply

Any ideas? I’ve been banging my head against the wall on this one!

Here is my ipsec configuration: (Let me know if something else is needed)

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=md5 enc-algorithms=3des name=MD5-3DES-DH5-30min pfs-group=modp1536
add enc-algorithms=aes-256-cbc name=SHA1-AES256-DH5-30min pfs-group=modp1536

/ip ipsec peer
add address=89.167.208.4/32 dh-group=modp1536 enc-algorithm=aes-256 lifetime=8h local-address=71.81.149.75 policy-group=default secret="testing123"

/ip ipsec policy
add dst-address=10.202.208.0/24 proposal=SHA1-AES256-DH5-30min sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=10.200.7.0/24 tunnel=yes
add dst-address=10.200.7.0/24 proposal=SHA1-AES256-DH5-30min sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=10.202.208.0/24 tunnel=yes

Any ideas? I’ve been banging my head against this for a long time!

Have you specified the proxy-IDs on the phase2 on the Fortigate?

You will need a single Phase1 and two Phase2 on the Fortigate. You will need a separate Phase2 with proxy-id set for each subnet. (Using address lists/groups does not work)

I guess I should have posted my Fortigate settings here too, but I want to make it clear: the packets make it all the way from the host behind the Fortigate to the Mikrotik, but when they should go on to the LAN behind the Mikrotik, they disappear without a clue, somewhere after destination-nat but before mangle forward or mangle output. If that same host behind the Fortigate pings the Mikrotik's LAN address, it works.

I suspect it has something to do with the "routing decision", but the destination IP address at that time is already the LAN address and therefore it should go to the Forward queue.

On the Fortigate, I normally create one phase 2 tunnel per IP address combination, not two. What would I have in the second tunnel? I have NOT needed to create both directions on the Fortigate for all my other (>100) VPNs, so I'm not sure why I would want to here.

I do not see a proxy-id for phase2-interface on the fortigate.

Here are my Fortigate settings:

# show vpn ipsec phase1-interface SBN2
config vpn ipsec phase1-interface
    edit "SBN2"
        set interface "PE-S2S"
        set local-gw 1.1.1.1
        set dpd enable
        set nattraversal enable
        set proposal aes256-sha1
        set remote-gw 2.2.2.2
        set psksecret ENC something secret!
        set keepalive 120
    next
end
# show vpn ipsec phase2-interface SBN2-10.202.208.0/24 
config vpn ipsec phase2-interface
    edit "SBN2-10.202.208.0/24"
        set pfs enable
        set phase1name "SBN2"
        set proposal aes256-sha1
        set replay enable
        set dst-subnet 10.200.7.0 255.255.255.0
        set src-subnet 10.202.208.0 255.255.255.0
    next
end

Here are syslog entries from firewall “log” rules for when it fails:

May 28 16:44:30 sbn-vpn firewall,info MPR:la-sbn prerouting: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto 50, 1.1.1.1->2.2.2.2, len 152
May 28 16:44:30 sbn-vpn firewall,info DN:la-sbn dstnat: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto 50, 1.1.1.1->2.2.2.2, len 152
May 28 16:44:30 sbn-vpn firewall,info MI:la-sbn input: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto 50, 1.1.1.1->2.2.2.2, len 152
May 28 16:44:30 sbn-vpn firewall,info FI:la-sbn input: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto 50, 1.1.1.1->2.2.2.2, len 152
May 28 16:44:30 sbn-vpn firewall,info MPR:LA-SBN prerouting: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto ICMP (type 8, code 0), 10.202.208.2->10.200.7.2, len 84
May 28 16:44:30 sbn-vpn firewall,info DN:LA-SBN dstnat: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto ICMP (type 8, code 0), 10.202.208.2->10.200.7.2, len 84

MPR=Mangle Prerouting, DN=NAT dst-nat, MI=Mangle Input, FI=Filter Input. I also have set up MO for Mangle Output, MF for Mangle Forward, FF for Filter Forward, FO for Filter Output and SN for NAT src-nat so that I covered all possible paths.
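The per-chain "log" rules above localise where a flow stops. As an added example (not from the thread or from MikroTik), the script below groups RouterOS firewall log lines by flow and compares the chains each flow visited against the RouterOS packet-flow order; the sample lines are the thread's own entries, and the chain names assumed are the ones RouterOS prints in `firewall,info` messages.

```python
"""Group RouterOS firewall log lines by flow and report how far along the
RouterOS packet flow (prerouting -> dstnat -> input or forward -> postrouting ->
srcnat) each flow was last seen. Added example; chain names assumed as printed by RouterOS."""
import re

# Constructed sample: the log entries posted in the thread, unchanged.
SAMPLE_LOG = """\
May 28 16:44:30 sbn-vpn firewall,info MPR:la-sbn prerouting: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto 50, 1.1.1.1->2.2.2.2, len 152
May 28 16:44:30 sbn-vpn firewall,info DN:la-sbn dstnat: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto 50, 1.1.1.1->2.2.2.2, len 152
May 28 16:44:30 sbn-vpn firewall,info MI:la-sbn input: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto 50, 1.1.1.1->2.2.2.2, len 152
May 28 16:44:30 sbn-vpn firewall,info FI:la-sbn input: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto 50, 1.1.1.1->2.2.2.2, len 152
May 28 16:44:30 sbn-vpn firewall,info MPR:LA-SBN prerouting: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto ICMP (type 8, code 0), 10.202.208.2->10.200.7.2, len 84
May 28 16:44:30 sbn-vpn firewall,info DN:LA-SBN dstnat: in:ether1-gateway out:(none), src-mac 00:01:5c:68:4a:46, proto ICMP (type 8, code 0), 10.202.208.2->10.200.7.2, len 84
"""

LOG_RE = re.compile(
    r"firewall,\w+ \S+ (?P<chain>\w+): .*?proto (?P<proto>\w+).*? "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+), len"
)

# Chains a packet visits, in order, when it is addressed to the router vs. forwarded.
INPUT_PATH = ["prerouting", "dstnat", "input"]
FORWARD_PATH = ["prerouting", "dstnat", "forward", "postrouting", "srcnat"]

def classify(chains):
    """Collapse repeated hits of one chain (mangle and filter both log 'input'),
    then place the flow on the expected path; returns (collapsed_chains, verdict)."""
    seen = []
    for c in chains:
        if not seen or seen[-1] != c:
            seen.append(c)
    for name, path in (("input", INPUT_PATH), ("forward", FORWARD_PATH)):
        if seen == path:
            return seen, "completed %s path" % name
    nxt = sorted({p[len(seen)] for p in (INPUT_PATH, FORWARD_PATH)
                  if p[:len(seen)] == seen and len(p) > len(seen)})
    if nxt:
        return seen, "vanished after %s, before %s" % (seen[-1], "/".join(nxt))
    return seen, "unexpected chain sequence"

def trace_flows(log_lines):
    """Key each flow by (proto, src, dst) and classify its chain sequence."""
    flows = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            flows.setdefault((m["proto"], m["src"], m["dst"]), []).append(m["chain"])
    return {flow: classify(chains) for flow, chains in flows.items()}
```

On the thread's lines the ESP flow completes the input path (it is decrypted locally), while the decrypted ICMP flow is reported as vanishing after dstnat, before either forward or input, which is exactly the gap described above.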

I figured this out. It was rather simple (which is what I thought): I must NOT put in a reverse policy (sorry nz_monkey – you told me and I didn’t see it).

Oh, nz_monkey – I’m using the fortigate’s ipsec interface method, so I only need one policy on the fortigate side as well.
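The root cause was a second, mirrored tunnel policy on the MikroTik. As an added example (not from the thread or from MikroTik), the script below parses a `/ip ipsec policy` export, flags policies that mirror each other's selectors and SA endpoints, and lists tunnel policies whose `sa-src-address` is not the router's own address; the sample export is the thread's policy section rejoined onto one line per policy, and `2.2.2.2` is taken from the topology as the MikroTik's public address.

```python
"""Find mirrored ("reverse") tunnel policies in a RouterOS '/ip ipsec policy' export.
A RouterOS tunnel policy already covers both directions of traffic; a second policy
with src/dst and sa-src/sa-dst swapped is the mistake resolved in this thread."""
import shlex

# Constructed sample: the two policies from the thread, each rejoined onto one line.
SAMPLE_EXPORT = """\
/ip ipsec policy
add dst-address=10.202.208.0/24 proposal=SHA1-AES256-DH5-30min sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=10.200.7.0/24 tunnel=yes
add dst-address=10.200.7.0/24 proposal=SHA1-AES256-DH5-30min sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=10.202.208.0/24 tunnel=yes
"""

def parse_policies(export):
    """Return one dict of key=value settings per 'add' line under /ip ipsec policy."""
    policies, in_section = [], False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/ip ipsec policy"
        elif in_section and line.startswith("add "):
            tokens = shlex.split(line[4:])  # shlex keeps quoted values intact
            policies.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return policies

def find_reverse_policies(policies):
    """Return (i, j) pairs where policy j mirrors policy i: both the traffic
    selectors and the SA endpoints are swapped."""
    pairs = []
    for i, p in enumerate(policies):
        for j in range(i + 1, len(policies)):
            q = policies[j]
            if (p.get("src-address") == q.get("dst-address")
                    and p.get("dst-address") == q.get("src-address")
                    and p.get("sa-src-address") == q.get("sa-dst-address")
                    and p.get("sa-dst-address") == q.get("sa-src-address")):
                pairs.append((i, j))
    return pairs

def misdirected_policies(policies, local_address):
    """Indexes of tunnel policies whose sa-src-address is not this router's own
    address. In RouterOS the SA source is the local endpoint, so such a policy is
    the mirrored one; deleting it was the thread's fix."""
    return [i for i, p in enumerate(policies)
            if p.get("tunnel") == "yes" and p.get("sa-src-address") != local_address]
```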