Hello,
I have a problem with an IPsec tunnel between a Fortigate 100E (with a public IP) and a Mikrotik RB3011UiAS behind NAT. The tunnel was up and running for months until yesterday, when the ISP on the Mikrotik side reset the VDSL line because no data or voice was coming through. I forwarded all traffic to the Mikrotik again, and I tried everything I can think of, but with no success. The tunnel is up (Phase 1 & Phase 2) but no traffic or ping gets through from either side. The subnets I use behind the Fortigate for this branch office are 192.168.0.0/24, 192.168.20.0/24 and 192.168.99.0/24, and the Mikrotik LAN is 192.168.23.0/24 (Mikrotik WAN 192.168.1.2). Also, the logs on either side show no errors.
On the Fortigate there are firewall rules that accept the traffic, and in the Mikrotik NAT firewall there are no rules to block or accept anything except srcnat masquerade for the WAN.
The tunnel details are as shown below for each side:
Fortigate 100E side
Network
Remote Gateway: Dynamic DNS
Dynamic DNS: ******.sn.mynetname.net (provided by Mikrotik)
Interface: WAN1
Local Gateway: No
Mode Config: No
NAT Traversal: Enable
Dead Peer Detection: Enable
Authentication
Method: Preshared Key
IKE Version: 2
Phase 1 Proposal
Encryption: DES
Authentication: SHA-1
Diffie-Hellman Group: 16
Key Lifetime (seconds): 1800
Phase 2 Selectors
Local Address: all (0.0.0.0)
Remote Address: 192.168.23.0
Phase 2 Proposal
Encryption: DES
Authentication: SHA-1
Diffie-Hellman Group: 16
Enable Replay Detection: Enable
Enable Perfect Forward Secrecy (PFS): Enable
Local Port: All
Remote Port: All
Protocol: All
Auto-negotiate: Enabled
Key Lifetime (seconds): 1800
Mikrotik
IPsec Peers
Peer Name: fortigate-dc
Address: 46.X.X.X
Profile: fortigate-ipsec
Exchange Mode: IKE2
Send Initial Contact: Enable
IPsec Identities
Peer: fortigate-dc
Auth Method: Pre Shared Key
My ID: auto
Remote ID: auto
Match by: remote id
Proposals
Name: fg-prop
Auth. Algo.: sha1
Encr. Algo.: des
Lifetime: 00:30:00
PFS Group: modp4096
Profiles
Name: fortigate-ipsec
Hash. Algo.: sha1
PRF Algo.: auto
Encr. Algo.: des
DH Group: modp4096
Proposal Check: obey
Lifetime: 00:30:00
NAT Traversal: Not Enabled
DPD Interval: Disable
DPD Maximum: 100
Policies (3 of them)
Peer: fortigate-dc
Tunnel: Enable
SRC Adr.: 192.168.23.0/24
DST Adr.: 192.168.0.0/24
Protocol: 255 (all)
Action: encrypt
Level: unique
IPsec Protocols: esp
Proposal: fg-prop
Peer: fortigate-dc
Tunnel: Enable
SRC Adr.: 192.168.23.0/24
DST Adr.: 192.168.20.0/24
Protocol: 255 (all)
Action: encrypt
Level: unique
IPsec Protocols: esp
Proposal: fg-prop
Peer: fortigate-dc
Tunnel: Enable
SRC Adr.: 192.168.23.0/24
DST Adr.: 192.168.99.0/24
Protocol: 255 (all)
Action: encrypt
Level: unique
IPsec Protocols: esp
Proposal: fg-prop
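For reference, here is what the Mikrotik side of the configuration listed above looks like as a RouterOS (v7) CLI script, with two changes a practitioner would want in any case: DES is replaced by AES-256 with SHA-256 (single DES is a 56-bit cipher and should not be used for IPsec), and NAT traversal is enabled on the Mikrotik profile, because the listing shows it enabled on the Fortigate but "Not Enabled" on the Mikrotik, which is the side behind NAT. It also adds the srcnat bypass rule that the RouterOS IPsec documentation requires in front of the masquerade rule, so that LAN traffic destined for the tunnel subnets is not source-NATed before the IPsec policy matches it. This is an added example, not the poster's configuration or a diagnosis of the outage. The peer address 203.0.113.10 is a documentation placeholder for the Fortigate's public IP (redacted as 46.X.X.X in the post) and the PSK value is a placeholder; DH group modp4096 is kept because it corresponds to Fortigate DH group 16, and the 30-minute lifetimes match the post.

```routeros
# Added example: hardened RouterOS v7 equivalent of the Mikrotik side shown above.
# 203.0.113.10 and the PSK are assumed placeholders, not values from the post.

# Phase 1 profile: AES-256/SHA-256 instead of DES/SHA-1, NAT-T on (this router is
# behind NAT), DPD on so a dead peer is torn down instead of silently blackholing.
/ip ipsec profile
add name=fortigate-ipsec hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp4096 lifetime=30m proposal-check=obey \
    nat-traversal=yes dpd-interval=30s dpd-maximum-failures=5

# Phase 2 proposal: ESP with AES-256-CBC/SHA-256 and PFS on modp4096 (= Fortigate group 16).
/ip ipsec proposal
add name=fg-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp4096 lifetime=30m

# IKEv2 peer: the Fortigate's public address (placeholder here).
/ip ipsec peer
add name=fortigate-dc address=203.0.113.10/32 exchange-mode=ike2 \
    profile=fortigate-ipsec send-initial-contact=yes

# PSK identity; generate-policy=no because the three policies are defined explicitly below.
/ip ipsec identity
add peer=fortigate-dc auth-method=pre-shared-key \
    secret="REPLACE_WITH_LONG_RANDOM_PSK" generate-policy=no

# One tunnel-mode policy per remote subnet, as in the post.
/ip ipsec policy
add peer=fortigate-dc tunnel=yes src-address=192.168.23.0/24 \
    dst-address=192.168.0.0/24 protocol=all action=encrypt level=unique \
    ipsec-protocols=esp proposal=fg-prop
add peer=fortigate-dc tunnel=yes src-address=192.168.23.0/24 \
    dst-address=192.168.20.0/24 protocol=all action=encrypt level=unique \
    ipsec-protocols=esp proposal=fg-prop
add peer=fortigate-dc tunnel=yes src-address=192.168.23.0/24 \
    dst-address=192.168.99.0/24 protocol=all action=encrypt level=unique \
    ipsec-protocols=esp proposal=fg-prop

# NAT bypass: in RouterOS srcnat runs before the IPsec policy lookup, so traffic to
# the tunnel subnets must be accepted here ahead of the WAN masquerade rule.
/ip firewall address-list
add list=ipsec-remote address=192.168.0.0/24
add list=ipsec-remote address=192.168.20.0/24
add list=ipsec-remote address=192.168.99.0/24
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=192.168.23.0/24 dst-address-list=ipsec-remote \
    comment="bypass masquerade for IPsec-protected traffic"
```

On the Fortigate the matching change is `set proposal aes256-sha256` in both `config vpn ipsec phase1-interface` and `config vpn ipsec phase2-interface` for this tunnel, with `set dhgrp 16` and `set nattraversal enable` left as they are. After applying, `/ip ipsec installed-sa print` on the Mikrotik and `diagnose vpn tunnel list` on the Fortigate show whether the ESP SAs exist and, more usefully, whether their byte counters increase when a ping is sent across.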