ROS 6.38.5 and client to site ike+xauth VPN to Fortigate router

Hi! I’ve been seeing a lot of IKE & IPsec updates recently in the ROS changelogs, and from what I was seeing, it seems there’s better support now for IPsec w/ XAUTH authentication as a client on the Mikrotik?

I currently have a VPN Client (client to site) connection using IKEC/IKED on Linux, and would rather set it up in my Mikrotik HEX router.

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
n:phase1-dhgroup:5
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
s:network-host:111.222.111.222 (redacted)
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:ident-server-type:any
b:auth-mutual-psk:xxxxxxxxxxxxxxxxxxxxxxx(redacted)
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
s:phase2-transform:auto
s:phase2-hmac:auto
s:ipcomp-transform:disabled
n:phase2-pfsgroup:5
s:policy-level:auto
s:policy-list-include:10.0.0.0 / 255.0.0.0


What I have set in Winbox:
IP->IPSec, Peers, added a peer:
address: 111.222.111.222
Auth Method: pre shared key xauth
exchange method: aggressive (the Fortigate is set to aggressive as well)
Secret: (same psk as on fortigate)
Xauth: myuser
Xauth password: mypassword


… and I’m stuck at this point. Not sure what I should set as IPsec policy since the remote Fortigate is supposed to randomly assign an IP address for IPsec “Dial Up” users. In the Fortigate logs, I get a “peer SA proposal not match local policy”, obviously because I only created an IPSec peer, and no IPsec Policy on the Mikrotik… just not sure how to create a policy when there’s no routed subnet… the remote router is supposed to send me a dynamic IP in phase 2 (on the Fortigate, the phase 2 policy is set as 0.0.0.0/0 to 0.0.0.0/0, assign client IP pool 10.10.100.20-10.10.100.200).

After testing a few things, I finally managed to establish phase2 and a successful client VPN connection to the Fortigate dial-up user VPN.

I wasn’t able to get a dynamic IP to be assigned to the Mikrotik like the IKEC/IKED Linux service does, so I took an available IP address unlikely to ever be assigned to anyone connecting to this company’s Fortigate, and set it as a secondary static IP on the WAN interface (ether1).

I then set up the IPsec Phase2 (policy) on the Mikrotik to use this private static IP as a source address, and the remote address as shown in the IKEC configuration file mentioned above, and on the second tab, my actual public IP address and the remote IP address of the Fortigate as peer addresses, and checked the box for tunneling.

The VPN connection immediately went up, and I was able to ping the remote network from the Mikrotik CLI, but not from any of the Mikrotik LAN-side stations, so I set a NAT rule for all traffic originating from my local subnet towards the remote subnet, to masquerade using the private VPN IP I set on ether1, and now the local network has access to the remote network.
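
The setup described in the post above, written out as RouterOS 6.x CLI commands; this is an added example, not the poster's own export. The secondary address 10.10.100.250, the LAN subnet 192.168.88.0/24 and the public address 198.51.100.10 are assumed placeholders; the Fortigate address, remote network, PSK and XAUTH credentials are the redacted values from the post.

```routeros
# Secondary address on the WAN interface, used as the tunnel-side source.
# /32 so no connected route towards the Fortigate client pool is created.
/ip address add address=10.10.100.250/32 interface=ether1 comment="ipsec dialup src (assumed)"

# Phase 1: PSK + XAUTH, aggressive mode, DH group 5 (modp1536) as in the IKEC file.
/ip ipsec peer add address=111.222.111.222/32 \
    auth-method=pre-shared-key-xauth secret="PSK_REDACTED" \
    xauth-login="myuser" xauth-password="mypassword" \
    exchange-mode=aggressive dh-group=modp1536 nat-traversal=yes

# Phase 2: PFS group 5 (phase2-pfsgroup:5 in the IKEC file).
/ip ipsec proposal set default pfs-group=modp1536

# Policy: tunnel-side src is the secondary address, dst is the remote network
# (policy-list-include:10.0.0.0 / 255.0.0.0). SA endpoints are the real public
# address and the Fortigate, as on the second Winbox tab.
/ip ipsec policy add src-address=10.10.100.250/32 dst-address=10.0.0.0/8 \
    sa-src-address=198.51.100.10 sa-dst-address=111.222.111.222 \
    tunnel=yes proposal=default

# NAT LAN -> remote network to the tunnel address so the policy matches.
# src-nat with an explicit to-addresses instead of masquerade, which would pick
# the primary WAN address. place-before=0 keeps it ahead of any general masquerade rule.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=10.0.0.0/8 \
    action=src-nat to-addresses=10.10.100.250 place-before=0

# Check that phase 1 is established and that SAs were installed.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

RouterOS applies srcnat before IPsec policy matching, so LAN traffic only enters the tunnel once it carries the 10.10.100.250 source address; a generic masquerade rule placed earlier would rewrite it to the primary WAN address and the policy would not match.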

Can you send me how you did it?