Hello,
I need help with a problem. I have a MikroTik connected to a Forti via IPsec. This connection works fine. Now I also have an SSL VPN for my users on the Forti. What I've been trying to do is route the SSL VPN to the MikroTik subnet.
Let me briefly explain what I have now.
I created a phase 2 connection in the IPsec: P2-to-SSLVPN-MK
On the MikroTik, a policy: To MK-SSLVPN
On the Forti: policy SSL VPN -> MK
Static route OK.
The connection has been established, but users connected via the VPN cannot access the MikroTik resources.
Thanks in advance.
Sorry to bother you again, @holvoetn , but would you mind moving the topic to Beginner Basics or General?
@sop.elemento The export of the Mikrotik configuration would be needed:
/export file=anynameyouwish (minus sensitive info like serial number, public IPs, passwords, etc.)
While you're at it, you can check whether the policy on Mikrotik side is set to level=unique
voljka, August 19, 2025, 7:48pm
FYI: SSL VPN on FortiGate is deprecated and in the latest version fully removed. So maybe you need to think about removing SSL VPN first.
Voljka,
Thanks for the comment. Unfortunately, that's not an option, at least not for now, as we currently have a large number of users who rely on this SSLVPN.
TheCat12,
I'm attaching config_MK with the information, including whether I have a level=unique policy. This is tied to a passive peer, since what I need is SSLVPN->MikroTik.
Any comments or suggestions would really help.
Thanks.
Are you sure you attached the config?
Without it, a few things to check:
Make sure you don't have an undesired NAT in the way
Check that the SAs are established for the SSL VPN
Start tracing packets on the MikroTik to see if the traffic makes it from the Forti to the MikroTik
Since I'm a new user, it won't let me upload an attachment. I'll paste the information here. Sensitive data isn't included.
# aug/19/2025 17:46:10 by RouterOS 6.48.6
# software id = **ELIDED**
#
# model = **ELIDED**
# serial number =
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=Elemento-medias wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=Elemento3** \
wpa2-pre-shared-key=Elemento3**
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=5s enc-algorithm=des \
nat-traversal=no
add dh-group=modp1536 dpd-interval=5s enc-algorithm=3des name=dp-boedo \
nat-traversal=no
add dh-group=modp1536 dpd-interval=5s enc-algorithm=3des name=dp-varela \
nat-traversal=no
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
SSL-VPN nat-traversal=no
/ip ipsec peer
add address= local-address= name=forti-passive \
passive=yes profile=SSL-VPN
# This entry is unreachable
add address= local-address= name=dpt-boedo \
profile=dp-boedo
add address= local-address= name=\
FlorencioVarela profile=dp-varela
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=modp1536
add enc-algorithms=3des name=dp-boedo pfs-group=modp1536
add enc-algorithms=3des name=dp-varela pfs-group=modp1536
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=sslvpn-proposal \
pfs-group=modp1536
/ip pool
add name=dhcp ranges=
add name=dhcp_pool1 ranges=
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/snmp community
add addresses= name=zabbix
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bpdu-guard=yes bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address= comment=defconf interface=bridge network=\
add address= interface=ether1 network=
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address= comment=CRONOS mac-address= \
server=defconf
add address= client-id= comment=DVR \
mac-address=BC:5E:33:26:DC:9B server=defconf
/ip dhcp-server network
add address= comment=defconf dns-server=\
gateway=
/ip dns
set allow-remote-requests=yes
/ip dns static
add address= comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"Allow traffic from SSL VPN to Mikrotik LAN" dst-address= \
ipsec-policy=in,ipsec src-address=
add action=accept chain=forward dst-address= protocol=icmp \
src-address=
add action=accept chain=forward comment=\
"Allow traffic from Mikrotik LAN to SSL VPN" disabled=yes \
dst-address= src-address=
add action=accept chain=forward comment="Ping VLAN7 Florencio Varela" \
disabled=yes dst-address= protocol=icmp src-address=\
add action=accept chain=forward disabled=yes dst-address= \
protocol=icmp src-address=
add action=accept chain=forward comment="Ping VLAN5 Florencio Varela" \
disabled=yes dst-address= protocol=icmp src-address=\
add action=accept chain=forward disabled=yes dst-address= \
protocol=icmp src-address=
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="Allow ping B\92C" disabled=yes \
dst-address= protocol=icmp src-address=
add action=accept chain=forward disabled=yes dst-address= \
protocol=icmp src-address=
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="HARDEN: SSLVPN->LAN via IPsec" \
dst-address= ipsec-policy=in,ipsec src-address-list=\
ssl_subnet
add action=accept chain=forward comment="HARDEN: ICMP SSLVPN->LAN" \
dst-address= protocol=icmp src-address-list=ssl_subnet
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"DROP_WAN_FWD "
add action=accept chain=forward comment="HARDEN: ICMP SSLVPN->LAN" \
dst-address= protocol=icmp src-address=
add action=drop chain=forward comment="def: drop invalid" connection-state=\
invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat comment="Bypass NAT to SSL VPN" disabled=yes \
dst-address= src-address=
/ip ipsec identity
add peer=dpt-boedo secret=
add peer=FlorencioVarela secret=214505h
add generate-policy=port-override peer=forti-passive secret=
/ip ipsec policy
add comment="Main tunnel through FortiGate Pomar" \
dst-address= peer=dpt-boedo proposal=dp-boedo src-address=\
tunnel=yes
add comment="VLAN through FortiGate Florencio Varela" \
dst-address= peer=FlorencioVarela proposal=dp-varela \
src-address= tunnel=yes
add comment="VLAN through FortiGate Florencio Varela" \
dst-address= peer=FlorencioVarela proposal=dp-varela \
src-address= tunnel=yes
set 3 comment=Default disabled=yes
add dst-address= level=unique peer=dpt-boedo proposal=\
sslvpn-proposal src-address= tunnel=yes
/ip route
add distance=1 gateway=
/ip service
set www-ssl tls-version=only-1.2
set winbox address=
/snmp
set contact=zabbix enabled=yes location=boedo trap-interfaces=all \
trap-version=2
/system clock
set time-zone-name=
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I look forward to your comments
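The checklist TheCat12 gave above (no unwanted NAT in the way, SAs up, packets reaching the MikroTik) and the export that followed are the kind of thing worth scripting rather than reading by eye. What follows is an added example, not code from the thread or from MikroTik: an offline linter for a RouterOS `/export` dump. It reports srcnat rules that lack the `ipsec-policy=out,none` exemption the default config uses, address lists that rules match on but nothing defines (the posted export matches on `ssl_subnet` yet contains no `/ip firewall address-list` section, so those HARDEN rules can never match), which peer, IKE profile and ESP proposal each static policy is bound to (in the posted export the `sslvpn-proposal` policy is attached to `dpt-boedo`, not to `forti-passive`), and profiles or proposals that explicitly select weak algorithms such as DES, 3DES or modp1024. `SAMPLE_EXPORT` is a constructed excerpt modelled on the posted export, with documentation-range addresses substituted for the redacted ones; the parser follows the v6 export syntax shown in the thread (trailing backslash continuation, `set [ find default=yes ]` for default entries).

```python
"""Offline lint for a RouterOS `/export` dump. Added example, not code from the thread or MikroTik."""
import re
from collections import defaultdict

# Constructed sample modelled on the export posted in the thread (addresses are documentation ranges).
SAMPLE_EXPORT = r"""
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=des
add dh-group=modp1536 enc-algorithm=3des name=dp-boedo
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    SSL-VPN nat-traversal=no
/ip ipsec peer
add address=203.0.113.10/32 name=forti-passive passive=yes profile=SSL-VPN
add address=203.0.113.20/32 name=dpt-boedo profile=dp-boedo
/ip ipsec proposal
add enc-algorithms=3des name=dp-boedo pfs-group=modp1536
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=sslvpn-proposal
/ip ipsec policy
add dst-address=10.1.0.0/24 peer=dpt-boedo proposal=dp-boedo src-address=\
    192.168.88.0/24 tunnel=yes
add dst-address=10.212.134.0/24 level=unique peer=dpt-boedo proposal=\
    sslvpn-proposal src-address=192.168.88.0/24 tunnel=yes
/ip firewall filter
add action=accept chain=forward comment="HARDEN: ICMP SSLVPN->LAN" \
    dst-address=192.168.88.0/24 protocol=icmp src-address-list=ssl_subnet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="no IPsec exemption" out-interface=ether1
"""
KV_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')   # key=value or key="quoted value"
WEAK = {"des", "3des", "blowfish", "null", "md5", "sha1", "modp768", "modp1024"}
ALG_KEYS = ("enc-algorithm", "enc-algorithms", "hash-algorithm", "auth-algorithms", "dh-group", "pfs-group")

def parse_export(text):
    """{section: [record]}: key->value per add/set line plus '_cmd'; `set [ find default=yes ]` gets name='default'."""
    cfg, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # export wraps long lines with a trailing backslash
            buf += line[:-1]
            continue
        full, buf = buf + line, ""
        if full.startswith("/"):         # menu path, e.g. /ip ipsec policy
            section = full
            continue
        cmd, _, rest = full.partition(" ")
        if section is None or cmd not in ("add", "set"):
            continue
        rec = {"_cmd": cmd}
        if rest.startswith("[ find default=yes ]"):
            rec["name"], rest = "default", rest[20:]
        rec.update((k, v.strip('"')) for k, v in KV_RE.findall(rest))
        cfg[section].append(rec)
    return cfg

def weak_crypto(cfg):
    """IKE profiles / ESP proposals that explicitly select algorithms a reviewer would reject."""
    out = []
    for sec in ("/ip ipsec profile", "/ip ipsec proposal"):
        for rec in cfg.get(sec, []):
            for key in ALG_KEYS:
                bad = [a for a in rec.get(key, "").split(",") if a in WEAK]
                if bad:
                    out.append(f"{sec} {rec.get('name', '?')}: {key}={','.join(bad)}")
    return out

def dangling_address_lists(cfg):
    """Lists that rules match on but nothing populates: those rules can never match."""
    defined = {r.get("list") for r in cfg.get("/ip firewall address-list", [])}
    used = {r.get(k) for sec in ("/ip firewall filter", "/ip firewall nat", "/ip firewall raw")
            for r in cfg.get(sec, []) for k in ("src-address-list", "dst-address-list") if r.get(k)}
    return sorted(used - defined)

def nat_without_ipsec_exemption(cfg):
    """Enabled srcnat masquerade/src-nat rules lacking ipsec-policy=out,none: unless an earlier accept
    rule bypasses NAT, the source is rewritten before the IPsec policy lookup and the selector no longer matches."""
    return [r.get("comment", "<no comment>") for r in cfg.get("/ip firewall nat", [])
            if r.get("chain") == "srcnat" and r.get("action") in ("masquerade", "src-nat")
            and r.get("disabled") != "yes" and r.get("ipsec-policy") != "out,none"]

def policy_wiring(cfg):
    """(src, dst, peer, peer's IKE profile, ESP proposal) per enabled static policy: shows a policy bound to the wrong peer."""
    peers = {r.get("name"): r for r in cfg.get("/ip ipsec peer", [])}
    return [(r.get("src-address"), r.get("dst-address"), r.get("peer"),
             peers[r["peer"]].get("profile", "default") if r.get("peer") in peers else "<unknown peer>",
             r.get("proposal", "default"))
            for r in cfg.get("/ip ipsec policy", []) if r["_cmd"] == "add" and r.get("disabled") != "yes"]

def lint(text):
    cfg = parse_export(text)
    return {"weak_crypto": weak_crypto(cfg), "dangling_address_lists": dangling_address_lists(cfg),
            "nat_without_ipsec_exemption": nat_without_ipsec_exemption(cfg), "policy_wiring": policy_wiring(cfg)}

if __name__ == "__main__":
    for check, result in lint(SAMPLE_EXPORT).items(): print(f"{check}: {result}")
```

To run it against a real router, feed `lint()` the text of `/export file=...` (after scrubbing secrets, as the thread asks). The NAT check is a heuristic: a masquerade rule without the exemption is harmless if an `accept` rule earlier in srcnat already bypasses NAT for the tunnel subnets, which is what the disabled "Bypass NAT to SSL VPN" rule in the export would do if enabled. The weak-algorithm check only sees what the export states explicitly; RouterOS defaults that are not printed (such as the default hash) still need checking on the box.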
I'm happy to report that I've resolved the issue. It was on the Fortinet side.
Access Forti VPN --> SSL-VPN Portals --> Routing Address Override
Add the IP address corresponding to the subnet on the Mikrotik side.