Hello Pros,
I have an HQ FortiGate with a public static IP and L2TP/IPsec PSK with user/password auth (MSCHAPv2) running. On Android, Windows, Linux and macOS the L2TP client connection works fine without any complicated configuration, even behind NAT.
On that Forti there are also other direct IPsec connections, so my brain struggle is:
I want to connect a remote office over that connection (routing from that BR into the HQ office would be OK, so no bridge required), but it's behind NAT and I can't touch that ISP's router.
I got the L2TP connection running and connecting, but where I struggle is the IPsec connection, and then probably the routing.
Has someone realised such a thing? Can someone give me some little hints?
I have resolved my issue.
It was on old firmware (3.02) and RouterOS 6.20.
I upgraded to 3.20 and 6.40RC19, and then I could activate the higher (FGT-supported) proposals.
I also got access to the HQ router, so I could create an IPsec/IKEv2 tunnel with NAT, which is in my opinion more stable.
FG80C-HQ (phase1-interface) # show
config vpn ipsec phase1-interface
edit "BRO-IPSEC"
set type dynamic
set interface "wan1"
set ike-version 2
set mode-cfg enable
set ipv4-dns-server1 10.0.0.254
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dhgrp 15 14 5
set ipv4-start-ip 192.168.77.1
set ipv4-end-ip 192.168.77.254
set ipv4-netmask 255.255.255.0
set ipv4-split-include "HQ_LAN" // 10.0.0.0/16
set psksecret ENC SUPERSECRET
next
end
FG80C-HQ # config vpn ipsec phase2-interface
FG80C-HQ (phase2-interface) # show
config vpn ipsec phase2-interface
edit "BRO-IPSEC_0"
set phase1name "BRO-IPSEC"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
set dhgrp 15 14 5
set keylifeseconds 3600
next
end
FG80C-HQ # config firewall policy
edit 45
set uuid SOMEUUID
set srcintf "BRO-IPSEC"
set dstintf "internal1"
set srcaddr "BRO-IPSEC_range" // 192.168.77.1-192.168.77.254
set dstaddr "HQ_LAN"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
Here is my config when you have a Forti as the main office router and a MikroTik as the branch office router. This is a draft; it may have bugs or typos, so no warranties. Always use the same crypto settings.
config system interface
edit ["IPSEC-TUNNEL-1"]
set vdom "root"
set type tunnel
set snmp-index [4]
set interface ["wan1"]
next
end
config firewall address
edit ["IPSEC-TUNNEL-RANGE-1"]
set type iprange
set comment ["VPN: IPSEC-TUNNEL-1"]
set start-ip [192.168.XX.1]
set end-ip [192.168.XX.254]
next
end
config vpn ipsec phase1-interface
edit "IPSEC-TUNNEL-1"
set type dynamic
set interface "wan1"
set keylife 28800
set mode aggressive
set peertype one
set mode-cfg enable
set ipv4-dns-server1 [10.0.0.254]
set ipv6-dns-server1 [2001:x:x:x:10:0:0:254]
set proposal aes256-sha256
set dpd disable
set dhgrp 21
set peerid ["TUNNELNAME.domain.tld"]
set ipv4-start-ip [192.168.XX.1]
set ipv4-end-ip [192.168.XX.254]
set ipv4-netmask [255.255.255.0]
set ipv4-split-include ["LOCAL_LAN"]
set unity-support disable
set psksecret ENC [*SECRET*]
next
end
config vpn ipsec phase2-interface
edit ["IPSEC-TUNNEL-1"]
set phase1name ["IPSEC-TUNNEL-1"]
set proposal aes256-sha256
set dhgrp 21
set keepalive enable
set keylifeseconds 14440
next
end
config firewall policy
edit 45
set srcintf ["IPSEC-TUNNEL-1"]
set dstintf ["internal1"]
set srcaddr ["IPSEC-TUNNEL-RANGE-1"]
set dstaddr ["LOCAL_LAN"]
set action accept
set schedule "always"
set service "ALL"
set tcp-mss-sender 1300
set tcp-mss-receiver 1300
set nat enable
next
edit 47
set srcintf ["internal1"]
set dstintf ["IPSEC-TUNNEL-1"]
set srcaddr ["LOCAL_LAN"]
set dstaddr ["IPSEC-TUNNEL-RANGE-1"]
set action accept
set schedule "always"
set service "ALL"
set tcp-mss-sender 1300
set tcp-mss-receiver 1300
next
end
Mikrotik full config: BRANCH LAN = 192.168.88.1
# sep/11/2017 16:59:16 by RouterOS 6.37.5
# software id = EV6S-BPUX
#
/interface bridge
add admin-mac=[XX:XX:...] auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=austria disabled=no distance=indoors frequency=auto mode=\
ap-bridge ssid=oelbrgap wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
wpa-pre-shared-key=*SECRET* wpa2-pre-shared-key=*SECRET*
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=4h
/ip pool
add name=dhcp ranges=[192.168.XX.10-192.168.XX.254]
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/port
set 1 name=usb2
/interface ppp-client
#if you have a HSDPA, LTE ,.. USB Modem connected
add apn=[APN] disabled=no info-channel=3 name=ppp-out1 port=\
usb2 user=ppp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=[192.168.XX.1/24] comment=defconf interface=ether2-master network=\
[192.168.XX.0]
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=[192.168.XX.0/24] comment=defconf gateway=[192.168.XX.1]
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=[192.168.XX.1] name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=drop chain=input in-interface=ppp-out1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall mangle
add action=change-mss chain=forward dst-address=[10.0.0.0]/16 new-mss=1300 \
passthrough=no protocol=tcp src-address=[192.168.XX.1]/24 tcp-flags=syn \
tcp-mss=!0-1300
/ip firewall nat
add action=accept chain=srcnat dst-address=[10.0.0.0]/16 src-address=\
[192.168.XX.0]/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
add action=masquerade chain=srcnat out-interface=ppp-out1
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=[Fortigate-WAN-IP]/32 enc-algorithm=aes-256 exchange-mode=aggressive \
lifetime=8h local-address=0.0.0.0 my-id=fqdn:["TUNNELNAME.domain.tld"] \
proposal-check=strict secret=*SECRET*
/ip ipsec policy
set 0 dst-address=::/128 src-address=::/128
add dst-address=[10.0.0.0]/16 sa-dst-address=[FORTI-IP] sa-src-address=\
0.0.0.0 src-address=[192.168.XX.0]/24 tunnel=yes
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master\
,ether7,ether8,ether9,ether10"
/system clock
set time-zone-name=Europe/Vienna
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
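The draft above only works when both ends agree on the crypto ("always use the same crypto settings"), and with a mode-cfg dialup the usual failure is a value one side silently left at its device default. The following Python script, added here as an illustration and not part of the original post, parses FortiGate `set` lines and RouterOS 6.x `/ip ipsec peer` and `/ip ipsec proposal` lines into one vocabulary and lists the differences; the embedded config lines are constructed samples modelled on the draft, and the dhgrp-to-RouterOS group table, the 203.0.113.1 peer address and the first-proposal-only parsing are this example's assumptions.

```python
# Cross-check IKE/IPsec crypto between a FortiGate phase1/phase2 dump and RouterOS 6.x
# peer/proposal lines, so the mismatch is found before staring at IKE debug output.
import re

# Assumed mapping of FortiGate dhgrp numbers to RouterOS group names (IANA DH groups).
FGT_DH = {"5": "modp1536", "14": "modp2048", "15": "modp3072", "19": "ecp256", "20": "ecp384", "21": "ecp521"}
# Constructed samples modelled on the draft config above (not a real device dump).
FGT_PHASE1 = "set proposal aes256-sha256\nset dhgrp 21\nset keylife 28800\nset mode aggressive\n"
FGT_PHASE2 = "set proposal aes256-sha256\nset dhgrp 21\nset keylifeseconds 14440\n"
ROS_PEER = ("add address=203.0.113.1/32 enc-algorithm=aes-256 exchange-mode=aggressive "
            "lifetime=8h proposal-check=strict secret=REDACTED")
ROS_PROPOSAL = "set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=4h"

def ros_seconds(value):
    """RouterOS durations like '8h', '30m' or '1h30m' -> seconds; None when absent."""
    m = value and re.fullmatch(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", value)
    return sum(int(x or 0) * k for x, k in zip(m.groups(), (3600, 60, 1))) if m else None

def fgt_settings(text):
    """Parse 'set key value' lines; first proposal/dhgrp only, classic enc-hash form."""
    kv = dict(re.findall(r"^\s*set (\S+) (.+)$", text, re.M))
    enc, auth = kv["proposal"].split()[0].split("-")
    dh = kv["dhgrp"].split()[0] if "dhgrp" in kv else None
    return {"enc": enc.replace("aes", "aes-"), "auth": auth,
            "dh": FGT_DH.get(dh) if dh else None,
            "lifetime": int(kv.get("keylife") or kv.get("keylifeseconds")),
            "mode": kv.get("mode")}

def ros_settings(line, enc_key, auth_key, dh_key):
    """Parse one RouterOS line into the same vocabulary; a missing key stays None."""
    kv = dict(re.findall(r"(\S+)=(\S+)", line))
    return {"enc": kv.get(enc_key, "").replace("-cbc", "") or None, "auth": kv.get(auth_key),
            "dh": kv.get(dh_key), "lifetime": ros_seconds(kv.get("lifetime")),
            "mode": kv.get("exchange-mode")}

def compare(fgt, ros):
    """List mismatches; a RouterOS key left at its device default is flagged as well."""
    issues = []
    for key, want in fgt.items():
        got = ros.get(key)
        if want is None or got == want:
            continue
        where = f"RouterOS={got}" if got is not None else "RouterOS not set (device default)"
        issues.append(f"{key}: FortiGate={want}, {where}")
    return issues

def check_tunnel():  # phase1 <-> /ip ipsec peer, phase2 <-> /ip ipsec proposal
    p1 = compare(fgt_settings(FGT_PHASE1), ros_settings(ROS_PEER, "enc-algorithm", "hash-algorithm", "dh-group"))
    p2 = compare(fgt_settings(FGT_PHASE2), ros_settings(ROS_PROPOSAL, "enc-algorithms", "auth-algorithms", "pfs-group"))
    return {"phase1": p1, "phase2": p2}
```

On the constructed sample it reports that the RouterOS side sets no hash/auth algorithm and no DH/PFS group while the FortiGate expects sha256 and group 21, plus the 14440 s versus 4 h phase2 lifetime.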