I have set up some VPN connections and I have several IPsec VPNs between my Fortigate devices.
Now I want to connect a MikroTik to my VPN net.
Phase 1 works without any error (at least, no error I see in the debug log) on both sites.
But I never see an installed SA, and I never see traffic.
Can someone point me in the right direction?
I have read several topics here regarding Fortigate and MikroTik VPN.
I tried them all.
I created the Fortigate rules from the IPsec device to the internal device and back.
Here are some lines of the ipsec debug log where I get "succeed".
The rest of the debug.log is attached.
09:59:04 ipsec,debug,packet compute IV for phase2
09:59:04 ipsec,debug,packet phase1 last IV:
09:59:04 ipsec,debug,packet fb0f19b1 777a9d67 ab1f8513 77d139d8 bbe52340
09:59:04 ipsec,debug,packet hash(sha1)
09:59:04 ipsec,debug,packet encryption(aes)
09:59:04 ipsec,debug,packet phase2 IV computed:
09:59:04 ipsec,debug,packet ac9b4cb6 5499d09c 754c0481 2dffe18e
09:59:04 ipsec,debug,packet encryption(aes)
09:59:04 ipsec,debug,packet IV was saved for next processing:
09:59:04 ipsec,debug,packet 4eae650c ac9019d9 c6f34aaa e5d6a8a2
09:59:04 ipsec,debug,packet encryption(aes)
09:59:04 ipsec,debug,packet with key:
09:59:04 ipsec,debug,packet fb7a515d 70983747 89b2e7d0 65ae9671
09:59:04 ipsec,debug,packet decrypted payload by IV:
09:59:04 ipsec,debug,packet ac9b4cb6 5499d09c 754c0481 2dffe18e
09:59:04 ipsec,debug,packet decrypted payload, but not trimed.
09:59:04 ipsec,debug,packet 0b000018 26e86c5e f1e060a6 174f8d98 cae3ea64 feeb0d73 00000020 00000001
09:59:04 ipsec,debug,packet 01108d29 0357efe4 f00ca254 589e8356 982c1ce5 000002c4 03c16f2c f5c75d07
09:59:04 ipsec,debug,packet padding len=8
09:59:04 ipsec,debug,packet skip to trim padding.
09:59:04 ipsec,debug,packet decrypted.
09:59:04 ipsec,debug,packet 0357efe4 f00ca254 589e8356 982c1ce5 08100501 bbe52340 0000005c 0b000018
09:59:04 ipsec,debug,packet 26e86c5e f1e060a6 174f8d98 cae3ea64 feeb0d73 00000020 00000001 01108d29
09:59:04 ipsec,debug,packet 0357efe4 f00ca254 589e8356 982c1ce5 000002c4 03c16f2c f5c75d07
09:59:04 ipsec,debug,packet HASH with:
09:59:04 ipsec,debug,packet bbe52340 00000020 00000001 01108d29 0357efe4 f00ca254 589e8356 982c1ce5
09:59:04 ipsec,debug,packet 000002c4
09:59:04 ipsec,debug,packet hmac(hmac_sha1)
09:59:04 ipsec,debug,packet HASH computed:
09:59:04 ipsec,debug,packet 26e86c5e f1e060a6 174f8d98 cae3ea64 feeb0d73
09:59:04 ipsec,debug,packet hash validated.
09:59:04 ipsec,debug,packet begin.
09:59:04 ipsec,debug,packet seen nptype=8(hash)
09:59:04 ipsec,debug,packet seen nptype=11(notify)
09:59:04 ipsec,debug,packet succeed.
My IPsec config is rather basic:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-ctr lifetime=8h name=ipsec-prop pfs-group=modp1536
/ip ipsec peer
# Unsafe configuration, suggestion to use certificates
add address=10.0.1.2/32 comment=Phase1 dh-group=modp1536 enc-algorithm=aes-128 exchange-mode=aggressive lifetime=8h local-address=10.0.0.1 my-id=\
fqdn:hegg_maint secret=XXXsecret
/ip ipsec policy
add comment=Phase2 disabled=yes dst-address=192.168.1.0/16 proposal=ipsec-prop sa-dst-address=10.0.1.2 sa-src-address=10.0.0.1 src-address=\
192.168.0.0/24 tunnel=yes
add comment="Phase2 test IP" dst-address=192.168.1.0/16 ipsec-protocols=ah-esp proposal=ipsec-prop sa-dst-address=10.0.1.2 sa-src-address=10.0.0.1 \
src-address=192.168.0.0/24 tunnel=yes
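A phase 2 SA is only installed when both peers agree on the traffic selectors, so before looking at the Fortigate side it is worth checking the selectors in the policy export above mechanically. The following is an added example (my own code, not part of the original post and not a MikroTik or Fortinet tool): it parses the `/ip ipsec policy` lines quoted above, including the backslash line continuations, normalizes each selector with Python's `ipaddress` module, and reports anything that would make phase 2 fail or never start. The function names (`parse_policies`, `check_policy`, `selector_report`) are my own; the config text is the one from the post.

```python
"""
Added example: sanity-check the traffic selectors of a RouterOS IPsec policy
export. A phase 2 SA needs mirror-image selectors on both peers, so a selector
that is not on its prefix boundary, or src/dst ranges that overlap, is the
first thing to rule out when phase 1 succeeds but no SA is ever installed.
"""
import ipaddress
import shlex

# RouterOS export copied from the post (embedded here as the sample input).
POLICY_EXPORT = r"""
/ip ipsec policy
add comment=Phase2 disabled=yes dst-address=192.168.1.0/16 proposal=ipsec-prop sa-dst-address=10.0.1.2 sa-src-address=10.0.0.1 src-address=\
192.168.0.0/24 tunnel=yes
add comment="Phase2 test IP" dst-address=192.168.1.0/16 ipsec-protocols=ah-esp proposal=ipsec-prop sa-dst-address=10.0.1.2 sa-src-address=10.0.0.1 \
src-address=192.168.0.0/24 tunnel=yes
"""


def join_continuations(text):
    """Join RouterOS export lines that end with a backslash continuation."""
    return text.replace("\\\n", "")


def parse_policies(text):
    """Return one dict of key=value fields per 'add ...' line in the export."""
    policies = []
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        fields = {}
        # shlex handles the quoted comment="Phase2 test IP" value correctly.
        for token in shlex.split(line[len("add "):]):
            key, _, value = token.partition("=")
            fields[key] = value
        policies.append(fields)
    return policies


def check_policy(policy):
    """Return a list of findings (strings) for a single policy entry."""
    findings = []
    nets = {}
    for name in ("src-address", "dst-address"):
        raw = policy[name]
        # strict=False lets us see what network the peer would actually match.
        net = ipaddress.ip_network(raw, strict=False)
        nets[name] = net
        if str(net) != raw:
            findings.append(
                f"{name}={raw} has host bits set; the prefix really covers {net}"
            )
    if nets["src-address"].overlaps(nets["dst-address"]):
        findings.append(
            f"src {nets['src-address']} overlaps dst {nets['dst-address']}; "
            "the remote selector should not cover the local range"
        )
    if policy.get("disabled") == "yes":
        findings.append("policy is disabled, so it never triggers phase 2")
    if policy.get("ipsec-protocols") == "ah-esp":
        findings.append(
            "ah-esp asks the peer for an AH+ESP bundle; confirm the peer offers AH, "
            "most firewalls negotiate ESP only"
        )
    return findings


def selector_report(text):
    """Map each policy's comment to its findings; empty list means it looks clean."""
    return {p.get("comment", "<no comment>"): check_policy(p) for p in parse_policies(text)}


if __name__ == "__main__":
    for comment, findings in selector_report(POLICY_EXPORT).items():
        print(f"[{comment}]")
        for f in findings or ["no selector problems found"]:
            print(f"  - {f}")
```

Run it against your own `/ip ipsec policy export` output: every finding it prints for the active policy is something the Fortigate phase 2 selectors would have to match exactly (or be a subset of) before an SA can come up, so the normalized networks it shows are the values to compare with the Fortigate quick-mode selectors.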