IPSec Site-to-Site VPN Between Fortigate and Mikrotik - FASTBIT
FORTIGATE AND MIKROTIK
Posted on April 17, 2015 by fbadmin
Hi,
If you are searching for documentation on how to create a Site-to-Site IPSec VPN between a Fortigate and a Mikrotik
router, you have found the right blog post. Below are the complete steps.
Equipment used:
Fortigate 60D, firmware v5.2.0. Internal LAN IP: 192.168.1.0/24
Mikrotik RB2011UiAS. Internal LAN IP: 192.168.4.0/24
Configure the Mikrotik:
1. Create a NAT accept rule between the internal LAN and remote LAN:
Details:
2. Open IP > IPSec.
Go to Proposals TAB and create a new proposal profile:
Go to Policies TAB. Create a New Policy, fill in Source LAN and Destination LAN:
On the Action TAB fill Source Address with the Mikrotik WAN IP and Destination Address with the Fortigate
WAN IP. Check Tunnel Mode. Select the Proposal created previously:
Go to Peers TAB and create a new IPSec Peer.
Address: fill in the Fortigate WAN IP.
Secret: the Pre-Shared Key (password)
Make the rest of the settings as in the image below:
You don't need to create other static routes or IPSec interfaces on the router.
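The Mikrotik side of the steps above (NAT accept rule, proposal, policy, peer and the final checks), as an added RouterOS terminal example that is not part of the original post. It assumes RouterOS 6.x syntax of that era (peer settings still on the peer, not in a profile); the WAN addresses, the pre-shared key, the bridge interface name and the AES-256 / SHA1 / modp1024 algorithms are placeholders or assumptions, since the post only shows them in screenshots.

```routeros
# Added example, not from the original post. MIKROTIK_WAN_IP, FORTIGATE_WAN_IP,
# the pre-shared key and the algorithms are assumptions; they must match the Fortigate side.

# 1. NAT accept rule between the internal LAN and the remote LAN.
#    place-before=0 puts it above the usual masquerade rule; otherwise the traffic
#    is source-NATed first and never matches the IPsec policy.
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.168.4.0/24 dst-address=192.168.1.0/24 \
    place-before=0 comment="No NAT for traffic to the Fortigate LAN"

# 2a. IP > IPSec > Proposals: Phase 2 proposal (PFS group must equal the Fortigate Phase 2 DH group)
/ip ipsec proposal add name=fortigate-p2 \
    auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=modp1024

# 2b. IP > IPSec > Policies: local LAN <-> remote LAN, tunnel mode, using the proposal above
/ip ipsec policy add src-address=192.168.4.0/24 dst-address=192.168.1.0/24 \
    sa-src-address=MIKROTIK_WAN_IP sa-dst-address=FORTIGATE_WAN_IP \
    tunnel=yes action=encrypt level=require ipsec-protocols=esp \
    proposal=fortigate-p2

# 2c. IP > IPSec > Peers: Fortigate WAN IP plus the pre-shared key (Phase 1 settings assumed)
/ip ipsec peer add address=FORTIGATE_WAN_IP/32 secret="REPLACE_WITH_PSK" \
    exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-256 \
    dh-group=modp1024 nat-traversal=no send-initial-contact=yes

# Checks: the tunnel comes up on the first matching packet; expect at least two
# installed SAs (one per direction) and the Fortigate listed as an established peer.
/ip ipsec installed-sa print
/ip ipsec remote-peers print
# Ping from the LAN-facing interface so the packet matches the policy's src-address
# (bridge-local is the assumed name of the LAN bridge).
/ping 192.168.1.1 interface=bridge-local
```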
Next step, configure the Fortigate:
Go to VPN and create a new Tunnel, with Custom – Static IP Address settings:
Edit the settings:
In the Network section, in IP Address fill in the WAN IP of the Mikrotik:
Next, in the Authentication section, fill in the same Pre-Shared Key as on the Mikrotik:
In Phase 1 Proposal:
In XAUTH keep Disabled:
In Phase 2 Selectors:
Go to Monitor section, you should see the connection as Up:
Now we need to create the Firewall rules to accept the tunnel traffic in both directions:
Rule 14: traffic from the internal Fortigate LAN, out through the Mikrotik02 tunnel interface, to the 192.168.4.0/24 LAN
Rule 15: traffic from the 192.168.4.0/24 LAN, arriving on the Mikrotik02 tunnel interface, to the internal Fortigate LAN
Details:
Rule 14:
Rule 15:
Objects, Addresses details:
The tunnel is brought up when the first packet matching the policy is sent towards the IPSec tunnel. You can check
the Installed SAs TAB, where you should find at least 2 records (one SA for each direction):
You can test the connection with a ping from the Mikrotik, but select the Interface: bridgelocal, so that the ping is sourced from the internal LAN and matches the policy:
This is it. Hope it helped you in setting up the IPSec VPN connection!