Bladek
just joined
Topic Author
Posts: 1
Joined: Thu Aug 05, 2021 4:10 pm

Problem with mikrotik vs fortigate ipsec no ping

Thu Aug 05, 2021 4:20 pm

Hello, I have a problem with IPsec MikroTik > Fortigate. The tunnel is established, but pinging the Fortigate does not work ...
MikroTik with LTE
# aug/05/2021 15:15:03 by RouterOS 6.45.9
# software id = VN4Y-X7BI
#
# model = RBwAPGR-5HacD2HnD
# serial number = E1850D704044
/ip ipsec profile
add dh-group=modp1024 dpd-interval=5s enc-algorithm=des name=fortigate
/ip ipsec peer
add address=178.183.140.183/32 exchange-mode=aggressive name=fortigate profile=fortigate
/ip ipsec proposal
add enc-algorithms=des name=fortigate pfs-group=none
/ip ipsec identity
add my-id=key-id:14 peer=fortigate secret=xXxXXX
/ip ipsec policy
add dst-address=192.168.15.0/24 peer=fortigate proposal=fortigate sa-dst-address=178.183.140.183 \
    sa-src-address=0.0.0.0 src-address=192.168.14.0/24 tunnel=yes
[admin@MikroTik] > 
[admin@MikroTik] > /ip address export
# aug/05/2021 15:18:21 by RouterOS 6.45.9
# software id = VN4Y-X7BI
#
# model = RBwAPGR-5HacD2HnD
# serial number = E1850D704044
/ip address
add address=192.168.14.254/24 comment=defconf interface=ether1 network=192.168.14.0
/ip firewall filter
add action=accept chain=forward dst-address=192.168.15.0/24 ipsec-policy=out,none src-address=\
    192.168.14.0/24
add action=accept chain=forward dst-address=192.168.14.0/24 ipsec-policy=in,none src-address=\
    192.168.15.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.15.0/24 src-address=192.168.14.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
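Editorial note, not part of the post above: the posted IPsec settings negotiate 56-bit DES, a 1024-bit DH group, no PFS, and IKEv1 aggressive mode with a pre-shared key. Aggressive mode sends the identity and the PSK-derived hash before any encryption starts, so anyone who captures the exchange can brute-force the PSK offline, and DES/modp1024 are far below current minimums. The block below is an added example that modifies the same profile, proposal and peer in place for IKEv2 with AES-256/SHA-256/modp2048; it is not from the thread. Assumed: the Fortigate phase 1 and phase 2 are changed to identical settings at the same time, the existing identity (key-id:14 with a long random secret) and policy are kept, and the object names match the export above.

```routeros
# Added example, not from the original post. Reconfigures the posted
# "fortigate" objects in place; the Fortigate side must be changed to match.

# --- As posted (weak), for comparison only ---
# /ip ipsec profile  add dh-group=modp1024 dpd-interval=5s enc-algorithm=des name=fortigate
# /ip ipsec proposal add enc-algorithms=des name=fortigate pfs-group=none
# /ip ipsec peer     add address=178.183.140.183/32 exchange-mode=aggressive name=fortigate profile=fortigate

# --- Hardened replacement, same object names ---

# Phase 1 (IKE SA): AES-256, SHA-256 integrity/PRF, 2048-bit DH,
# DPD with a failure limit so a dead LTE link tears the SA down.
/ip ipsec profile set [find name=fortigate] enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 dpd-interval=10s dpd-maximum-failures=3 lifetime=8h

# Phase 2 (child SA): AES-256-CBC with SHA-256, PFS on modp2048 so a
# compromised IKE key does not expose earlier traffic, 1h rekey.
/ip ipsec proposal set [find name=fortigate] enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

# IKEv2 instead of IKEv1 aggressive mode: identities and the PSK proof are
# only sent after the DH exchange, inside the encrypted IKE_AUTH messages.
/ip ipsec peer set [find name=fortigate] exchange-mode=ike2

# Identity and policy from the export are unchanged; only make sure the
# secret is long and random, since IKEv2 PSK still falls to a weak PSK if the
# other side's IP is ever spoofed or the PSK leaks.
```

After the change the peer re-establishes on the next policy match; if it stays down, the most common cause is a leftover IKEv1-only or DES-only entry on the Fortigate phase 1/phase 2 that no longer matches.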
 
ConnyMercier
Forum Veteran
Posts: 723
Joined: Tue Dec 17, 2019 1:08 pm

Re: Problem with mikrotik vs fortigate ipsec no ping

Thu Aug 12, 2021 1:19 pm

Good morning,

Would it be possible, for diagnostic purposes, to switch the IPsec Mode Config to Connection-Mark instead of Src.AddressList?
After that, you simply have to add a new mangle rule.
For example: /ip firewall mangle add action=mark-connection chain=output new-connection-mark=Fortigate-VPN passthrough=no protocol=icmp
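Editorial addition, independent of the reply above: the posted export does not use mode-config, so the connection-mark switch only applies if one is added. The sequence below is an added example, not from the thread, of what to check on the MikroTik in the situation described in the first post (tunnel reported up, no traffic) while a ping from 192.168.14.0/24 to 192.168.15.0/24 is running. Assumed: RouterOS 6.45 as in the export, the LTE interface is named lte1, and logging to memory is acceptable on this device.

```routeros
# Added diagnostic run, not from the thread. Run while pinging across the tunnel.

# 1. Is the IKE peer up, and does the policy show the "A" (active) flag?
#    A policy without "A" has no SA behind it and silently passes nothing.
/ip ipsec active-peers print
/ip ipsec policy print

# 2. Are phase 2 SAs installed in both directions? Expect two entries with
#    src/dst swapped; only one direction means the other side rejected the
#    proposal or installed a different selector (e.g. a different subnet).
/ip ipsec installed-sa print

# 3. Is anything actually being encrypted or rejected? Watch in-no-policies,
#    out-no-states and the byte counters change while pinging.
/ip ipsec statistics print

# 4. Does the LAN-to-LAN traffic reach the IPsec accept rules, or is it
#    accepted earlier, fasttracked or masqueraded? Packet counters tell.
#    Caveat: on RouterOS 6 a fasttracked connection bypasses IPsec policy
#    matching, so the "accept in/out ipsec policy" rules must stay above the
#    fasttrack rule (they do in the posted export), and the srcnat accept for
#    192.168.14.0/24 -> 192.168.15.0/24 must stay above masquerade.
/ip firewall filter print stats where chain=forward
/ip firewall nat print stats where chain=srcnat

# 5. Is ESP (or UDP/4500 when NAT-T is in play on LTE) leaving the LTE
#    interface at all? Interface name lte1 is assumed.
/tool sniffer quick interface=lte1 ip-protocol=ipsec-esp
/tool sniffer quick interface=lte1 port=4500

# 6. Enable IKE logging without per-packet noise and read the negotiation;
#    a proposal or selector mismatch is reported here, not on the ping.
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"
```

Read the results in order: if step 1 shows no "A" flag or step 2 shows no SAs, the problem is negotiation (step 6 says why); if SAs exist but step 4 shows the LAN-to-LAN packets matching a rule above the IPsec ones, the firewall order is the problem; if ESP leaves in step 5 but nothing comes back, the Fortigate side selector or route is the problem.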
