VPN Mikrotik to Fortigate

Hello,

Trying to solve a problem:

I’m trying to create a VPN between a Fortigate and a Mikrotik

My topology is

FG:

Port WAN: xxx.xx.165.210

Port LAN: 10.2.16.0/23

MK:

Port WAN (pppoe): xxx.xx.253.250

Port LAN: 10.3.5.0/24


In the Fortigate I have already configured the Static Route and Firewall Policy.

This is the VPN configuration

Network:
Remote Gateway: Static IP Address (177.94.253.250), Interface: wan1, NAT: no

Authentication:
Authentication Method: Pre-shared Key
IKE Version: 1, Mode: Main (ID protection)

Phase 1 Proposal:
Algorithms: AES128-SHA256
Diffie-Hellman Group: 2

XAUTH:
Type: Disabled

Phase 2 Selectors:
Name: vpn-mikrotik, Local Address: 10.2.16.0/255.255.254.0, Remote Address: 10.3.5.0/255.255.255.0
Encryption: AES128-SHA256
Enable Perfect Forward Secrecy (PFS): no


On the Mikrotik I have already configured the PPPoE client and NAT for port 3 with masquerade.

This is the VPN configuration

/ip ipsec profile> print
Flags: * - default 
 0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m 
     dpd-maximum-failures=5 

 1   name="vpn-fortigate-profile1" hash-algorithm=sha256 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d proposal-check=obey nat-traversal=no dpd-interval=5s 
     dpd-maximum-failures=5

/ip ipsec proposal> print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024 

 1    name="vpn-fortigate-proposal1" auth-algorithms=sha256 enc-algorithms=aes-128-cbc lifetime=1h pfs-group=none

/ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder 
 0     name="vpn-fortigate-peer1" address=xxx.xx.165.210/32 profile=vpn-fortigate-profile1 exchange-mode=main send-initial-contact=yes

/ip ipsec identity> print
Flags: D - dynamic, X - disabled 
 0    peer=vpn-fortigate-peer1 auth-method=pre-shared-key secret="123456789" generate-policy=no

/ip ipsec policy> print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #      PEER          TUNNEL SRC-ADDRESS                                          DST-ADDRESS                                          PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T  *                      ::/0                                                 ::/0                                                 all       
 1      vpn-fortig... yes    10.3.5.0/24                                          10.2.16.0/23                                         all        encrypt require          0

Images (screenshots): FG, MK

Thanks if anyone can help

/system logging add topics=ipsec

Add to the firewall:

/ip fi fi add action=accept chain=input dst-address=177.94.253.250 protocol=ipsec-esp src-address=201.55.165.210
/ip fi fi add action=accept chain=input dst-address=177.94.253.250 dst-port=500 protocol=udp src-address=201.55.165.210

Hello,
I once had a similar problem. The solution is to use Diffie-Hellman Group 14 (2048-bit) on both sides (https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/bovpn/manual/diffie_hellman_c.html), and a little adjustment on the Mikrotik side.
Do not forget the firewall IPsec policy rules in the forward chain.

/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip firewall address-list
add address=192.168.88.0/24 list=Admin

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="users to services"  in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services"  in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=accept chain=input src-address-list=Admin comment="Config Access"
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


Forgive me, but I believe I lacked more information about my Mikrotik; it was reset without any default configuration. Here I post more about how it is configured.
I have a WAN that is using PPPoE, no firewall configuration other than NAT for clients to access the internet, and no routes configured other than those created by default.

interface pppoe-client print 
Flags: X - disabled, I - invalid, R - running 
 0  R name="pppoe-vivo" max-mtu=auto max-mru=auto mrru=disabled interface=ether1-wan user="cliente@cliente" password="cliente" profile=default keepalive-timeout=10 
      service-name="" ac-name="" add-default-route=yes default-route-distance=1 dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2


interface print 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1-wan                          ether            1500  1596       2026 F4:1E:57:1E:1A:44
 1     ether2                              ether            1500  1596       2026 F4:1E:57:1E:1A:45
 2  R  ether3-lan                          ether            1500  1596       2026 F4:1E:57:1E:1A:46
 3     ether4                              ether            1500  1596       2026 F4:1E:57:1E:1A:47
 4     ether5                              ether            1500  1596       2026 F4:1E:57:1E:1A:48
 5  R  pppoe-vivo                          pppoe-out        1480


/ip firewall> filter print 
Flags: X - disabled, I - invalid, D - dynamic


/ip firewall> nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=pppoe-vivo log=no log-prefix=""


ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-vivo                1
 1 ADC  10.3.5.0/24        10.3.5.1        ether3-lan                0
 2 ADC  187.100.231.4/32   177.94.253.250  pppoe-vivo                0


Logs (screenshot)

How things are at the Fortigate (screenshots):

  • Interface
  • Static Routes
  • Policy
  • VPN

With this I hope to get help, as I still haven’t been able to close the VPN between the Fortigate link and the Mikrotik even with the suggested adjustments.

You will not be able to establish a stable VPN connection until you have a firewall configured on your Mikrotik side. You have no security, you have no correct traffic flow (https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS), you have no correctly configured open ports... Firewall rule policy is executed from top to bottom, and the order is also very important. You simply do not have these rules! How will Mikrotik know where and what traffic flow to direct? It has none of that!
https://help.mikrotik.com/docs/spaces/ROS/pages/48660574/Filter
###############
INPUT CHAIN –> To the Router or to Router Services. Directional flow is WAN to Router, and LAN to Router.
FORWARD CHAIN –> Through the Router. Directional flow is LAN to LAN, LAN to WAN, WAN to LAN.
OUTPUT CHAIN –> From the Router. Directional flow is Router to WAN.

Use an address list; it will be easier to specify access and traffic flow from->to... You can safely use the FW configuration I copied here. Of course, change to your LAN IP addresses (10.3.5.0/24).
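As an added example (not posted by anyone in this thread), the RouterOS commands that put the thread's suggestions together on the Mikrotik side: DH group 14 as recommended above, input rules that admit IKE and ESP only from the Fortigate, the forward rules for the IPsec policy, and a srcnat bypass so the masquerade rule shown earlier does not rewrite LAN-to-LAN traffic before the IPsec policy sees it. Object names, interfaces and subnets are taken from the posts; xxx.xx.165.210 stands for the Fortigate WAN address and is an assumption to be replaced.

```routeros
# Added example, not from the thread. Assumes the objects named in the posts:
# profile vpn-fortigate-profile1, peer address xxx.xx.165.210 (Fortigate WAN,
# replace with the real address), WAN interface pppoe-vivo, LAN 10.3.5.0/24,
# remote LAN 10.2.16.0/23.

# 1. Phase 1: DH group 14 (modp2048) on this side. The Fortigate phase 1 must be
#    changed to group 14 too, otherwise the IKE SA proposal never matches.
/ip ipsec profile set [find name="vpn-fortigate-profile1"] dh-group=modp2048

# 2. Input chain: accept IKE/NAT-T and ESP only from the Fortigate, on the PPPoE
#    interface. "add" appends at the end; if a "drop all else" input rule already
#    exists, add place-before=<its rule number> so these land above it.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=xxx.xx.165.210 in-interface=pppoe-vivo comment="IKE from Fortigate"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=xxx.xx.165.210 in-interface=pppoe-vivo comment="ESP from Fortigate"

# 3. Forward chain: let traffic matched by the IPsec policy through in both
#    directions. Keep these above any fasttrack rule so tunnel traffic is not
#    fasttracked past the IPsec policy.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="accept in ipsec policy"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="accept out ipsec policy"

# 4. srcnat runs before the IPsec policy lookup. With only the masquerade rule,
#    10.3.5.x -> 10.2.16.x packets leave with the PPPoE address as source, no
#    longer match the policy src-address=10.3.5.0/24, and go out in clear instead
#    of into the tunnel. Accept them in srcnat ahead of the masquerade rule.
/ip firewall nat add chain=srcnat action=accept src-address=10.3.5.0/24 \
    dst-address=10.2.16.0/23 place-before=0 comment="no NAT for IPsec to Fortigate LAN"

# 5. Check: once both sides are saved, the peer should appear as established, the
#    policy should carry the A (active) flag, and the ipsec log topic enabled
#    earlier in the thread shows the phase 1 / phase 2 negotiation.
/ip ipsec active-peers print
/ip ipsec policy print
/log print where topics~"ipsec"
```

If the policy stays inactive with no IKE messages in the log, check the Fortigate side first: its phase 1 DH group and phase 2 selectors must mirror the values above exactly.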