micis
just joined
Topic Author
Posts: 2
Joined: Wed Feb 26, 2020 7:01 am

IPsec state problem

Sun Apr 25, 2021 12:41 pm

I have a CCR1009 with 6.48.1.
I set up IPsec between the MikroTik and a FortiGate router.
But the state of the policies changes cyclically: established, msg1 sent, getspi sent, no phase2.
And ping shows about 30% loss.
I think this is due to the large number of policies (~10). If I enable only 5 policies, then the state is permanent and active for all.

What should be additionally configured?

My settings:
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=3des,des name=fortigate
/ip ipsec peer
add address=<fortigate_ip>/32 name=fortigate_ip profile=fortigate
/ip ipsec proposal
add enc-algorithms=3des,des name=fortigate_phase2 pfs-group=modp1536
/ip ipsec identity
add peer=fortigate_ip secret=<secret string>
/ip ipsec policy
add dst-address=172.31.0.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.1.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.2.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.3.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.4.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.6.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.7.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.8.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
...
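
Added example, not part of the original post: a small linter for a RouterOS `/ip ipsec` export that flags the security-relevant points a reviewer would raise about the configuration above (DES/3DES offered in both phases, modp1024/modp1536 DH groups, and no explicit hash/auth algorithm, which RouterOS defaults to sha1), and that counts the tunnel policies per peer and shows how few destination selectors would cover the same address space. The SAMPLE_EXPORT is the poster's configuration with the `<placeholders>` left as-is and only the eight policies shown on the page (the elided ones are not included); the "weak" sets and the 2048-bit DH threshold are this example's own choices. Whether fewer policies stops the state cycling is not established by the thread; the poster only reports that 5 policies stay stable.

```python
"""Lint a RouterOS '/ip ipsec' export for weak crypto and policy sprawl.

Added example (not the forum poster's code). SAMPLE_EXPORT is a constructed
sample copied from the post, placeholders included. Thresholds are this
example's own choices, not RouterOS or FortiGate defaults.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_EXPORT = """\
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=3des,des name=fortigate
/ip ipsec peer
add address=<fortigate_ip>/32 name=fortigate_ip profile=fortigate
/ip ipsec proposal
add enc-algorithms=3des,des name=fortigate_phase2 pfs-group=modp1536
/ip ipsec identity
add peer=fortigate_ip secret=<secret string>
/ip ipsec policy
add dst-address=172.31.0.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.1.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.2.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.3.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.4.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.6.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.7.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.8.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
"""

WEAK_ENC = {"des", "3des", "null"}                 # 56-bit / 112-bit / no confidentiality
WEAK_DH = {"modp768", "modp1024", "modp1536"}      # below 2048 bits (example's threshold)
ENC_KEYS = {"profile": "enc-algorithm", "proposal": "enc-algorithms"}
DH_KEYS = {"profile": "dh-group", "proposal": "pfs-group"}
AUTH_KEYS = {"profile": "hash-algorithm", "proposal": "auth-algorithms"}

# key=value tokens; a value may be a <placeholder with spaces> plus a suffix like /32
_KV = re.compile(r"(\S+?)=(<[^>]*>\S*|\S+)")


def parse_export(text):
    """Return {section: [ {key: value}, ... ]}, one dict per 'add' line."""
    cfg = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/ip ipsec "):
            section = line[len("/ip ipsec "):]
        elif line.startswith("add ") and section:
            cfg[section].append(dict(_KV.findall(line[4:])))
    return cfg


def check_crypto(cfg):
    """Flag weak ciphers / DH groups and unset integrity algorithms in phase 1 and 2."""
    findings = []
    for section in ("profile", "proposal"):
        for entry in cfg.get(section, []):
            name = entry.get("name", "?")
            enc = set(entry.get(ENC_KEYS[section], "").split(",")) - {""}
            for alg in sorted(enc & WEAK_ENC):
                findings.append(f"{section} {name}: weak cipher '{alg}' offered")
            dh = set(entry.get(DH_KEYS[section], "").split(",")) - {""}
            for grp in sorted(dh & WEAK_DH):
                findings.append(f"{section} {name}: DH group '{grp}' is below 2048 bits")
            if AUTH_KEYS[section] not in entry:
                findings.append(f"{section} {name}: {AUTH_KEYS[section]} not set (RouterOS default is sha1)")
    return findings


def summarize_policies(cfg):
    """Per peer: tunnel-policy count and the minimal set of dst prefixes covering the same space."""
    by_peer = defaultdict(list)
    for pol in cfg.get("policy", []):
        if pol.get("tunnel") == "yes" and "peer" in pol:
            by_peer[pol["peer"]].append(pol)
    summary = {}
    for peer, pols in by_peer.items():
        dsts = [ipaddress.ip_network(p["dst-address"]) for p in pols]
        # collapse_addresses only merges exact supernet pairs, so no new address space is added
        collapsed = [str(n) for n in ipaddress.collapse_addresses(dsts)]
        srcs = sorted({p["src-address"] for p in pols})
        summary[peer] = {"policies": len(pols), "src_selectors": srcs, "collapsed_dst": collapsed}
    return summary


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for f in check_crypto(cfg):
        print("FINDING:", f)
    for peer, s in summarize_policies(cfg).items():
        print(f"peer {peer}: {s['policies']} policies -> {len(s['collapsed_dst'])} dst selectors: "
              + ", ".join(s["collapsed_dst"]))
```

On the sample the collapse gives 172.31.0.0/22, 172.31.4.0/24, 172.31.6.0/23 and 172.31.8.0/24, i.e. four selectors instead of eight with exactly the same protected space (172.31.5.0/24 is still excluded). Any such change has to be mirrored in the FortiGate phase-2 selectors, otherwise the quick-mode negotiation fails on selector mismatch; and dropping des/3des and modp1024 likewise requires the FortiGate side to offer the replacement algorithms.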
 
dimm
just joined
Posts: 4
Joined: Mon Sep 20, 2021 7:42 pm

Re: IPsec state problem

Fri Mar 31, 2023 10:38 pm

The same problem on hAP ac³.
