Porting fortinet/racoon vpn to RouterOS

Good afternoon

I tried yesterday to quickly enter the VPN credentials I got from the Fortinet/racoon VPN client which connects to our company…
but somehow the configuration shut me off from the LAN side then.

From the client I have:

  • username
  • password
  • psk

So far so good for xauth… and the rest looks like:

remote x.x.x.251 {
    doi ipsec_doi;
    situation identity_only;
    exchange_mode aggressive;
    verify_identifier off;
    nonce_size 16;
    dpd_delay 20;
    dpd_retry 5;
    dpd_maxfail 3;
    initial_contact on;
    support_mip6 on;
    proposal_check obey;
    verify_cert on;
    mode_cfg on;
    nat_traversal on;
    my_identifier keyid tag "customer";
    proposal {
        authentication_method xauth_psk_client;
        hash_algorithm sha1;
        encryption_algorithm aes128;
        lifetime time 86400 sec;
        dh_group 5;
    }
    proposal {
        authentication_method xauth_psk_client;
        hash_algorithm sha256;
        encryption_algorithm aes256;
        lifetime time 86400 sec;
        dh_group 5;
    }
}
sainfo anonymous
{
    pfs_group 5;
    lifetime time 43200 sec;
    encryption_algorithm 3des, aes 128, aes 192, aes 256;
    authentication_algorithm hmac_sha1, hmac_sha2_256, hmac_sha2_384, hmac_sha2_512;
    compression_algorithm deflate;
}

Peer and profile settings didn’t cause any trouble…
but as soon as I tried to port the policy the router wasn’t accessible anymore…

Hmm…ipsec can be established easily…well so it says in the policy tab (o;

But of course nothing is reachable… as soon as I enter 0/0 as either src or dst address the RouterBOARD isn’t accessible anymore…
Current configuration:

# mar/16/2019 14:13:11 by RouterOS 6.42.12
# software id = LYB8-T6VN
#
# model = RouterBOARD 750G r3
# serial number = xxxxxxxxx
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=MyProposal \
    pfs-group=modp1536
/ip ipsec peer
add address=x.x.x.251/32 auth-method=pre-shared-key-xauth dh-group=modp1536 dpd-interval=20s \
    enc-algorithm=aes-128 exchange-mode=aggressive my-id=key-id:cus_obl secret="OurPSK" xauth-login=\
    firstname.lastname xauth-password="myPassword"
/ip ipsec policy
add dst-address=10.1.0.0/16 proposal=MyProposal sa-dst-address=x.x.x.251 sa-src-address=y.y.y.31 \
    src-address=192.168.88.0/24 tunnel=yes
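To make the mapping between the two configs explicit, here is a small translator I wrote for this post (it is not part of the racoon or RouterOS tooling). It parses the `remote`/`sainfo` blocks quoted above and emits the equivalent `/ip ipsec` commands in the 6.42 syntax of the export. The algorithm-name tables, the assumption that a 6.42 peer takes a single `hash-algorithm`, and the LAN/remote subnet values are mine; names racoon accepts but RouterOS 6.42 does not (for example `hmac_sha2_384`) are dropped from the list rather than guessed. The policy it generates uses the LAN and remote subnets, not `0.0.0.0/0`, because the 0/0 policy is exactly what locked the router out above.

```python
import re

# Constructed sample: the racoon blocks quoted in the post, trimmed to what is mapped.
RACOON_CONF = """
remote x.x.x.251 {
    exchange_mode aggressive;
    my_identifier keyid tag "customer";
    proposal {
        authentication_method xauth_psk_client;
        hash_algorithm sha1;
        encryption_algorithm aes128;
        lifetime time 86400 sec;
        dh_group 5;
    }
    proposal {
        authentication_method xauth_psk_client;
        hash_algorithm sha256;
        encryption_algorithm aes256;
        lifetime time 86400 sec;
        dh_group 5;
    }
}
sainfo anonymous {
    pfs_group 5;
    lifetime time 43200 sec;
    encryption_algorithm 3des, aes 128, aes 192, aes 256;
    authentication_algorithm hmac_sha1, hmac_sha2_256, hmac_sha2_384, hmac_sha2_512;
}
"""

# racoon -> RouterOS 6.x names (my assumption). Names absent here (e.g. hmac_sha2_384)
# have no 6.42 equivalent that I know of and are skipped by map_list().
PHASE1_ENC = {"3des": "3des", "aes128": "aes-128", "aes192": "aes-192", "aes256": "aes-256"}
PHASE2_ENC = {"3des": "3des", "aes 128": "aes-128-cbc", "aes 192": "aes-192-cbc", "aes 256": "aes-256-cbc"}
PHASE2_AUTH = {"hmac_md5": "md5", "hmac_sha1": "sha1", "hmac_sha2_256": "sha256", "hmac_sha2_512": "sha512"}
DH_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}


def parse_settings(body):
    """Turn the 'key value;' lines of one racoon block into a dict (whitespace normalised)."""
    return {k: " ".join(v.split()) for k, v in re.findall(r"(\w+)\s+([^;{}]+);", body)}


def lifetime_seconds(value):
    """racoon 'time 86400 sec' -> 86400."""
    m = re.search(r"time\s+(\d+)\s+sec", value)
    return int(m.group(1)) if m else None


def seconds_to_ros(n):
    """RouterOS time syntax: 86400 -> '1d', 43200 -> '12h', 90 -> '90s'."""
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        if n % size == 0:
            return f"{n // size}{unit}"
    return f"{n}s"


def map_list(value, table):
    """Translate a comma-separated racoon list, dropping names not in `table`, keeping order."""
    items = [" ".join(i.split()) for i in value.split(",")]
    return [table[i] for i in items if i in table]


def uniq(seq):
    """Order-preserving de-duplication."""
    return list(dict.fromkeys(seq))


def racoon_to_routeros(conf, lan, remote_lan, wan_ip, psk, login, password, name="MyProposal"):
    """Return three RouterOS 6.42-style commands (proposal, peer, policy) for `conf`."""
    remote_addr = re.search(r"remote\s+(\S+)\s*\{", conf).group(1)
    remote = parse_settings(conf.split("proposal")[0])          # remote-level keys only
    proposals = [parse_settings(b) for b in re.findall(r"proposal\s*\{([^}]*)\}", conf)]
    sainfo = parse_settings(re.search(r"sainfo[^{]*\{([^}]*)\}", conf).group(1))
    keyid = re.search(r'keyid\s+tag\s+"([^"]*)"', remote["my_identifier"]).group(1)

    # Phase 1: every proposal's cipher/DH group goes into the peer's lists; 6.42 takes one
    # hash-algorithm per peer (assumption), so the first proposal's hash wins.
    p1_enc = uniq(PHASE1_ENC[p["encryption_algorithm"]] for p in proposals)
    p1_dh = uniq(DH_GROUP[p["dh_group"]] for p in proposals)
    p1_hash = proposals[0]["hash_algorithm"]
    p1_life = lifetime_seconds(proposals[0]["lifetime"])

    return [
        f"/ip ipsec proposal add name={name}"
        f" enc-algorithms={','.join(map_list(sainfo['encryption_algorithm'], PHASE2_ENC))}"
        f" auth-algorithms={','.join(map_list(sainfo['authentication_algorithm'], PHASE2_AUTH))}"
        f" pfs-group={DH_GROUP[sainfo['pfs_group']]}"
        f" lifetime={seconds_to_ros(lifetime_seconds(sainfo['lifetime']))}",
        f"/ip ipsec peer add address={remote_addr}/32 auth-method=pre-shared-key-xauth"
        f" exchange-mode={remote['exchange_mode']} enc-algorithm={','.join(p1_enc)}"
        f" hash-algorithm={p1_hash} dh-group={','.join(p1_dh)} lifetime={seconds_to_ros(p1_life)}"
        f' my-id=key-id:{keyid} secret="{psk}" xauth-login={login} xauth-password="{password}"',
        # Policy selectors are the LAN and the remote subnet. A 0.0.0.0/0 selector on either
        # side also matches the router's own management traffic, which is the lock-out above.
        f"/ip ipsec policy add src-address={lan} dst-address={remote_lan}"
        f" sa-src-address={wan_ip} sa-dst-address={remote_addr} proposal={name} tunnel=yes",
    ]


if __name__ == "__main__":
    for cmd in racoon_to_routeros(RACOON_CONF, "192.168.88.0/24", "10.1.0.0/16",
                                  "y.y.y.31", "OurPSK", "firstname.lastname", "myPassword"):
        print(cmd)
```

Run it and paste the three printed lines into a terminal on the router; the `secret`, `xauth-login` and `xauth-password` arguments are placeholders you pass in, so nothing sensitive sits in the script.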

I wish I had a cool reply like… "yeah you need to download the Mikrotik “wolverine” ipsec module to connect to the Juniper raccoon vpn".
(Hint, MT you need sexier names for things)

Hmm…wasn’t aware Fortinet belongs to Juniper…anyway…
Found a blog site where someone describes how to connect to it…though with access to it.

But it talks about adding NAT rules… maybe this is what is missing, as the racoon client works from a single host.