mkrz
just joined
Topic Author
Posts: 6
Joined: Fri Jan 17, 2020 10:53 am

Mikrotik as an L2TP/IPSec client for Fortigate issues

Sat May 23, 2020 5:45 pm

Hello. Pretty new to this so I need your help.

I have a Fortigate FG60E set up as an L2TP/IPsec server with PSK. Clients like computers and mobile phones connect to it without any issues by just using the PSK, username and password, with zero tweaking required.

I want to connect my Mikrotik hEX (which is almost all default settings, save for a static IP for the internet) with 6.46.6 OS as a client as well. So using WinBox I basically go into PPP -> + -> select L2TP client -> input the Fortigate's IP address, input the username and password, tick the IPsec box, input the PSK and leave the rest as it is. However, after this the MikroTik doesn't connect to the FortiGate, and the FG's VPN log shows an IPsec Phase 2 error with "peer SA proposal not match local policy".

Am I missing something?
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as an L2TP/IPSec client for Fortigate issues

Sat May 23, 2020 7:12 pm

What does the /ip ipsec proposal print where name=default show on the Mikrotik?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
mkrz
just joined
Topic Author
Posts: 6
Joined: Fri Jan 17, 2020 10:53 am

Re: Mikrotik as an L2TP/IPSec client for Fortigate issues

Sat May 23, 2020 9:18 pm

What does the /ip ipsec proposal print where name=default show on the Mikrotik?
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha256,sha1,md5
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=30m
pfs-group=modp1024
 
sindy
Forum Guru
Posts: 5099
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as an L2TP/IPSec client for Fortigate issues

Sat May 23, 2020 10:27 pm

Try changing the pfs-group value to none, as Microsoft Windows' embedded VPN client uses that. If it does not help, try to gather more information from the Fortigate's log regarding the supported transforms (encryption algorithm, hash algorithm, PFS algorithm).

If you have any other IPsec configuration in place on the Mikrotik, double-check that it doesn't use the default proposal before making that change.
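To show why "peer SA proposal not match local policy" appears and why the pfs-group change is the first thing to try, here is an added example (not code from the thread, RouterOS or FortiOS) that models the phase 2 (quick mode) check a responder performs: the two sides need at least one encryption algorithm and one authentication algorithm in common, and the PFS group must agree exactly (both none, or the same DH group). The MikroTik side is parsed from the proposal print output posted above; the FortiGate policy values are constructed for the demonstration and are an assumption, not the FG60E's real settings.

```python
"""Simplified IKEv1 phase 2 proposal matching as a troubleshooting aid.

Constructed example: the rules are a simplification of quick mode
negotiation, not the actual RouterOS or FortiOS implementation.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Proposal:
    name: str
    enc_algorithms: frozenset
    auth_algorithms: frozenset
    pfs_group: str  # "none" or a DH group name such as "modp1024"


# The '/ip ipsec proposal print' line from the thread, joined into one string.
ROUTEROS_PRINT = (
    '0 * name="default" auth-algorithms=sha256,sha1,md5 '
    'enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des lifetime=30m '
    'pfs-group=modp1024'
)

# Constructed responder policy (assumption): a FortiGate L2TP/IPsec phase 2
# that accepts AES or 3DES with SHA, and has PFS disabled, as the Windows
# built-in client expects.
FORTIGATE_POLICY = Proposal(
    name="l2tp-phase2 (constructed)",
    enc_algorithms=frozenset({"aes-256-cbc", "aes-128-cbc", "3des"}),
    auth_algorithms=frozenset({"sha256", "sha1"}),
    pfs_group="none",
)


def parse_routeros_proposal(line: str) -> Proposal:
    """Parse the key=value fields of one RouterOS proposal print entry.

    Leading flags ('0', '*', 'X') carry no '=' and are skipped.
    """
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    return Proposal(
        name=fields["name"],
        enc_algorithms=frozenset(fields["enc-algorithms"].split(",")),
        auth_algorithms=frozenset(fields["auth-algorithms"].split(",")),
        pfs_group=fields.get("pfs-group", "none"),
    )


def match_phase2(initiator: Proposal, responder: Proposal) -> dict:
    """Return the negotiable transforms and the reasons for a mismatch, if any."""
    common_enc = initiator.enc_algorithms & responder.enc_algorithms
    common_auth = initiator.auth_algorithms & responder.auth_algorithms
    reasons = []
    if not common_enc:
        reasons.append("no common encryption algorithm")
    if not common_auth:
        reasons.append("no common authentication algorithm")
    if initiator.pfs_group != responder.pfs_group:
        reasons.append(
            f"PFS group mismatch: initiator {initiator.pfs_group}, "
            f"responder {responder.pfs_group}"
        )
    return {
        "match": not reasons,
        "enc": sorted(common_enc),
        "auth": sorted(common_auth),
        "reasons": reasons,
    }


def with_pfs_disabled(proposal: Proposal) -> Proposal:
    """The change suggested in the thread: pfs-group=none on the MikroTik side."""
    return replace(proposal, pfs_group="none")


if __name__ == "__main__":
    mikrotik = parse_routeros_proposal(ROUTEROS_PRINT)
    print("as posted:", match_phase2(mikrotik, FORTIGATE_POLICY))
    print("pfs-group=none:", match_phase2(with_pfs_disabled(mikrotik), FORTIGATE_POLICY))
```

With the posted proposal the only reason reported is the PFS group (modp1024 against none), which is exactly the case where changing pfs-group to none resolves the error; if the FortiGate log shows other transforms, feed them into FORTIGATE_POLICY and the reasons list tells you which algorithm set needs adjusting.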
