ninjanody
just joined
Topic Author
Posts: 3
Joined: Wed Mar 01, 2023 2:53 pm

Fortigate to Mikrotik IPsec behind NAT

Wed Mar 01, 2023 3:48 pm

Hello,

I have a problem with an IPsec tunnel between a Fortigate 100E (with a public IP) and a Mikrotik RB3011UiAS behind NAT. The tunnel was up and running for months until yesterday, when the ISP on the Mikrotik side reset the VDSL line because no data or voice was coming through. I forwarded all traffic to the Mikrotik again, and I tried everything I can think of, but with no success. The tunnel is up (Phase 1 & Phase 2) but no traffic or ping gets through from either side. The subnets I use behind the Fortigate for this branch office are 192.168.0.0/24, 192.168.20.0/24 and 192.168.99.0/24, and the Mikrotik LAN is 192.168.23.0/24 (Mikrotik WAN 192.168.1.2). Also, the logs from either side show no errors.

On the Fortigate there are firewall rules that accept the traffic, and on the Mikrotik NAT firewall there are no rules to block or accept anything except srcnat masquerade for the WAN.

The tunnel details are as shown below for each side:

Fortigate 100E side
Network
Remote Gateway: Dynamic DNS
Dynamic DNS: ******.sn.mynetname.net (provided by Mikrotik)
Interface: WAN1
Local Gateway: No
Mode Config: No
NAT Traversal: Enable
Dead Peer Detection: Enable

Authentication
Method: Preshared Key
IKE Version: 2

Phase 1 Proposal
Encryption: DES
Authentication: SHA-1
Diffie-Hellman Group: 16
Key Lifetime (seconds): 1800

Phase 2 Selectors
Local Address: all (0.0.0.0)
Remote Address: 192.168.23.0

Phase 2 Proposal
Encryption: DES
Authentication: SHA-1
Diffie-Hellman Group: 16
Enable Replay Detection: Enable
Enable Perfect Forward Secrecy (PFS): Enable
Local Port: All
Remote Port: All
Protocol: All
Auto-negotiate: Enabled
Key Lifetime (seconds): 1800

Mikrotik
IPsec Peers
Peer Name: fortigate-dc
Address: 46.X.X.X
Profile: fortigate-ipsec
Exchange Mode: IKE2
Send Initial Contact: Enable

IPsec Identities
Peer: fortigate-dc
Auth Method: Pre Shared Key
My ID: auto
Remote ID: auto
Match by: remote id

Proposals
Name: fg-prop
Auth. Algo.: sha1
Encr. Algo.: des
Lifetime: 00:30:00
PFS Group: modp4096

Profiles
Name: fortigate-ipsec
Hash. Algo.: sha1
PRF Algo.: auto
Encr. Algo.: des
DH Group: modp4096
Proposal Check: obey
Lifetime: 00:30:00
NAT Traversal: Not Enabled
DPD Interval: Disable
DPD Maximum: 100

Policies (3 of them)
Peer: fortigate-dc
Tunnel: Enable
SRC Adr.: 192.168.23.0/24
DST Adr.: 192.168.0.0/24
Protocol: 255 (all)
Action: encrypt
Level: unique
IPS Prot: esp
Proposal: fg-prop

Peer: fortigate-dc
Tunnel: Enable
SRC Adr.: 192.168.23.0/24
DST Adr.: 192.168.20.0/24
Protocol: 255 (all)
Action: encrypt
Level: unique
IPS Prot: esp
Proposal: fg-prop

Peer: fortigate-dc
Tunnel: Enable
SRC Adr.: 192.168.23.0/24
DST Adr.: 192.168.99.0/24
Protocol: 255 (all)
Action: encrypt
Level: unique
IPS Prot: esp
Proposal: fg-prop
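As an added example (not part of ninjanody's post, and not MikroTik's or Fortinet's own documentation), here is the Mikrotik side of the configuration above expressed as RouterOS CLI, with the settings a security engineer would change placed beside the originals: DES is a 56-bit cipher and is brute-forceable, so it is replaced with AES-256/SHA-256 for both Phase 1 and Phase 2; a peer that sits behind NAT should have NAT traversal enabled so that IKE and ESP are carried inside UDP/4500 rather than as raw ESP, which the NAT device may not forward consistently; and DPD is enabled so a dead SA after a line reset is detected and re-keyed instead of staying "up" with no traffic. The DH group (modp4096, Fortigate group 16) and the 30-minute lifetimes are kept as in the post, because every change here has to be mirrored in the Fortigate Phase 1 and Phase 2 proposals. The pre-shared key value, the srcnat bypass rule (which MikroTik's documentation recommends whenever a masquerade rule exists, so that tunnel-bound packets are not rewritten to the WAN address before policy matching), and the comment text are assumptions, not something the post states; 46.X.X.X is the redacted address from the post and must be replaced with the real one.

```routeros
# Added example, not from the original post. Assumptions: the PSK value,
# the srcnat bypass rules, and comment strings. 46.X.X.X is the redacted
# Fortigate address from the post; replace it with the real address.

# --- Phase 1 profile ---
# Original: enc-algorithm=des hash-algorithm=sha1 nat-traversal=no dpd-interval=disable-dpd
# Corrected: AES-256/SHA-256, NAT-T on (this router is behind NAT), DPD on.
/ip ipsec profile
add name=fortigate-ipsec hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp4096 proposal-check=obey lifetime=30m \
    nat-traversal=yes dpd-interval=30s dpd-maximum-failures=5

# --- Peer (IKEv2, actively initiating, as in the first post) ---
/ip ipsec peer
add name=fortigate-dc address=46.X.X.X profile=fortigate-ipsec \
    exchange-mode=ike2 send-initial-contact=yes

# --- Identity (PSK value is a placeholder; use a long random secret) ---
/ip ipsec identity
add peer=fortigate-dc auth-method=pre-shared-key \
    secret="CHANGE-ME-long-random-psk" my-id=auto remote-id=auto match-by=remote-id

# --- Phase 2 proposal ---
# Original: auth-algorithms=sha1 enc-algorithms=des pfs-group=modp4096
/ip ipsec proposal
add name=fg-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp4096 lifetime=30m

# --- Policies: one per Fortigate-side subnet, unchanged from the post ---
/ip ipsec policy
add peer=fortigate-dc tunnel=yes src-address=192.168.23.0/24 \
    dst-address=192.168.0.0/24 protocol=all action=encrypt level=unique \
    ipsec-protocols=esp proposal=fg-prop
add peer=fortigate-dc tunnel=yes src-address=192.168.23.0/24 \
    dst-address=192.168.20.0/24 protocol=all action=encrypt level=unique \
    ipsec-protocols=esp proposal=fg-prop
add peer=fortigate-dc tunnel=yes src-address=192.168.23.0/24 \
    dst-address=192.168.99.0/24 protocol=all action=encrypt level=unique \
    ipsec-protocols=esp proposal=fg-prop

# --- srcnat bypass (assumption, not in the post) ---
# The post's srcnat table holds only a masquerade rule. Masquerade runs before
# IPsec policy matching, so LAN-to-remote packets would be rewritten to the WAN
# address and never match the policies above. Accept them first.
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.23.0/24 \
    dst-address=192.168.0.0/24 comment="IPsec: do not masquerade"
add chain=srcnat action=accept place-before=0 src-address=192.168.23.0/24 \
    dst-address=192.168.20.0/24 comment="IPsec: do not masquerade"
add chain=srcnat action=accept place-before=0 src-address=192.168.23.0/24 \
    dst-address=192.168.99.0/24 comment="IPsec: do not masquerade"
```

With nat-traversal enabled, both IKE and ESP travel as UDP/500 and UDP/4500; if the Fortigate is expected to initiate towards the Dynamic DNS name, the NAT device in front of 192.168.1.2 still has to forward those two UDP ports to the Mikrotik. To confirm the change on the Mikrotik side, check that `/ip ipsec active-peers print` shows the peer with NAT-T in use and that `/ip ipsec installed-sa print` shows AES-256 SAs with non-zero byte counters in both directions; an SA that is "established" but whose counters never move is the symptom described in the thread.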
 
ninjanody

Re: Fortigate to Mikrotik IPsec behind NAT

Wed Mar 01, 2023 4:37 pm

I changed it to IKEv1 and after rebooting the Mikrotik it worked. I will try to change it back to IKEv2 at a later time and check again.
 
ninjanody

Re: Fortigate to Mikrotik IPsec behind NAT

Fri Mar 03, 2023 1:43 pm

Today the same problem occurred. The VPN tunnel is established (Phase 1 & the 3 Phase 2) but there is no traffic between them. On the Fortigate side I have at least 6 tunnels with different network equipment (Juniper, Draytek, pfSense) and all the rest work fine. Some of them (the Draytek is behind NAT like the Mikrotik, and with Dynamic DNS) have been up for months.

I am out of ideas. I'm sure the problem is on the Mikrotik, but I can't figure it out. I have tried everything. The only change that worked is that I set the IPsec peer as Passive & unchecked "Send Initial Contact". It worked right away, but I don't know for how long.
