I am configuring a VPN setup with a Fortigate firewall as the hub (with dynamic DNS) and several Mikrotik mAPs as spokes (dial-up).
Spokes are configured with subnet 172.28.10.0/24, 172.28.11.0/24 and so on.
LAN on the Fortigate is 192.168.50.0/24
The mAPs are 172.28.x.1.
VPN tunnels are up and running, and I am able to ping 172.28.11.0/24 and 192.168.50.0/24 from 172.28.10.0/24 and vice versa.
BUT I am not able to reach the mAP from the local LAN (unless I use Winbox and the MAC address of the mAP).
172.28.10.50 is not able to ping 172.28.10.1. 172.28.11.50 is not able to ping 172.28.11.1 and so on.
To make the solution flexible and easy to expand without having to change the config on all mAPs when I add a new site, I have this config. (Example from 172.28.10.1)
It works between 172.28.10.0/24, 172.28.11.0/24 and 192.168.50.0/24, and I am able to reach the mAP from the LAN.
So I guess I must add some kind of routing or exception to make it work with dst-address=172.28.0.0/16.
And btw: Is it possible to skip the policy for 192.168.50.0 and solve it with routing instead?
Thank you very much! Now it works within the 172.28.0.0/16 net as I wanted it to.
Now I have two tunnels instead of one for each spoke.
But I will probably only need one tunnel if I am able to route all request to/from 192.168.50.0/24 over the 172.28.0.0/16 tunnel.
Would make my day if you could help me with this problem as well.
It is probably basic, but I am not very familiar with the routing options on the Mikrotik yet.
Mikrotik only implements bare IPsec with policies and traffic selectors, so you must have a separate policy for each dst-address (192.168.50.0/24 and 172.28.0.0/16). Whether one or two pairs of SAs will actually be negotiated depends on the level parameter of the policy - if it is set to require, a single pair of SAs may be sufficient if the peer (Fortigate in your case) supports that. But bandwidth-wise, there is no difference whether you use a dedicated pair of SAs for each policy or whether the two policies share the same pair.
Mikrotik does not support IPsec VTI, so if you want to use “normal” routing instead of traffic selectors, the only possibility is to use GRE-over-IPSec, IPencap-over-IPsec, or L2TP-over-IPsec if Fortigate supports that.
I just thought I would quickly point something out…
In this line:
/ip ipsec policy add dst-address=172.28.0.0/16 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes
You list TWO subnets:
172.28.0.0/16
172.28.10.0/24
The first subnet is from IP 172.28.0.1 → 172.28.15.255
The second subnet is contained within the first subnet; therefore, you can’t tunnel between them.
Your solution of making the first subnet a /24 solves the problem.
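As an added illustration of the selector problem raised in the last two replies (not code from the thread, from MikroTik or from Fortinet): a small standard-library Python check that flags a policy whose src-address and dst-address overlap, and shows which policy a given flow would be selected by. The policy values are the ones quoted above; the per-/24 list is a constructed version of the config the poster reports as working.

```python
from ipaddress import ip_address, ip_network

# Selectors quoted from the thread (spoke 172.28.10.0/24, hub LAN 192.168.50.0/24).
# The /16 policy is the poster's original; the /24 list is the variant that worked.
OVERLAPPING_POLICIES = [
    {"src": "172.28.10.0/24", "dst": "172.28.0.0/16", "peer": "VPN_PMR_Nettet"},
    {"src": "172.28.10.0/24", "dst": "192.168.50.0/24", "peer": "VPN_PMR_Nettet"},
]
FIXED_POLICIES = [
    {"src": "172.28.10.0/24", "dst": "172.28.11.0/24", "peer": "VPN_PMR_Nettet"},
    {"src": "172.28.10.0/24", "dst": "192.168.50.0/24", "peer": "VPN_PMR_Nettet"},
]


def self_overlapping(policy):
    """True when src-address and dst-address share addresses: any flow whose two
    endpoints both sit in the shared range (a spoke host and its own mAP, say)
    is selected for encryption although it should be delivered locally."""
    return ip_network(policy["src"]).overlaps(ip_network(policy["dst"]))


def matching_policy(policies, src_ip, dst_ip):
    """Return the first policy whose selectors cover the flow, or None.
    RouterOS evaluates policies top-down and uses the first match."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for policy in policies:
        if src in ip_network(policy["src"]) and dst in ip_network(policy["dst"]):
            return policy
    return None


def audit(policies):
    """Return the (src, dst) selector pairs that overlap each other."""
    return [(p["src"], p["dst"]) for p in policies if self_overlapping(p)]


if __name__ == "__main__":
    for name, pols in (("original", OVERLAPPING_POLICIES), ("fixed", FIXED_POLICIES)):
        hit = matching_policy(pols, "172.28.10.50", "172.28.10.1")
        print(name, "overlapping selectors:", audit(pols))
        print(name, "172.28.10.50 -> 172.28.10.1 selected by:", hit and hit["dst"])
```

With the original list the ping from 172.28.10.50 to its own mAP is selected by the /16 policy and sent into the tunnel; with the /24 list no policy matches and the packet is delivered on the LAN.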