Mikrotik <> Fortigate IPSEC with NAT (dynamic IP on Client Side) .. fast draft.. use at your own risk
###################
Forti
###################
FG80C-HQ # config vpn ipsec phase1-interface
FG80C-HQ (phase1-interface) # show
config vpn ipsec phase1-interface
edit "BRO-IPSEC"
set type dynamic
set interface "wan1"
set ike-version 2
set mode-cfg enable
set ipv4-dns-server1 10.0.0.254
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set dhgrp 15 14 5
set ipv4-start-ip 192.168.77.1
set ipv4-end-ip 192.168.77.254
set ipv4-netmask 255.255.255.0
set ipv4-split-include "HQ_LAN" //10.0.0.0/16
set psksecret ENC SUPERSECRET
next
end
FG80C-HQ # config vpn ipsec phase2-interface
FG80C-HQ (phase2-interface) # show
config vpn ipsec phase2-interface
edit "BRO-IPSEC_0"
set phase1name "BRO-IPSEC"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
set dhgrp 15 14 5
set keylifeseconds 3600
next
end
FG80C-HQ # config firewall policy
edit 45
set uuid SOMEUUID
set srcintf "BRO-IPSEC"
set dstintf "internal1"
set srcaddr "BRO-IPSEC_range" // 192.168.77.1-192.168.77.254
set dstaddr "HQ_LAN"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
#####################
Mikrotik
#####################
192.168.77.0/24 = BranchOffice Net (Mikrotik)
10.0.0.0/16 = HQ Net (Fortigate)
212.1.2.3/32 = PublicIP HQ Fortigate
Note: "SUPERSECRET" is a placeholder; `/ip ipsec peer print` shows the PSK in clear text, so redact it before sharing output. The Fortigate proposals also list aes*-sha1 and dhgrp 5 (modp1536) as fallbacks that this Mikrotik peer never offers (it only proposes sha256/modp2048), so those entries only widen what other peers dialing the dynamic phase1 may negotiate and can be dropped if this is the only client. With "set nat enable" in policy 45, branch traffic reaches the HQ LAN source-NATed to the Fortigate's internal1 address; on the Mikrotik the srcnat "accept" rule for 192.168.77.0/24 -> 10.0.0.0/16 must stay above the masquerade rule so the branch source addresses still match the IPsec policy.
[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
0 address=212.1.2.3/32 auth-method=pre-shared-key secret="SUPERSECRET" generate-policy=no policy-template-group=default exchange-mode=ike2 send-initial-contact=yes hash-algorithm=sha256 enc-algorithm=aes-256,aes-192 dh-group=modp2048 lifetime=1d
dpd-interval=2m
[admin@MikroTik] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 TX* group=default src-address=0.0.0.0/32 dst-address=0.0.0.0/32 protocol=all proposal=default template=yes
1 A src-address=192.168.77.0/24 src-port=any dst-address=10.0.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=212.1.2.3 proposal=my-ipsec ph2-count=1
[admin@MikroTik] /ip ipsec proposal> print
Flags: X - disabled, * - default
0 X* name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1536
1 name="my-ipsec" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,camellia-256,aes-192-cbc,camellia-192 lifetime=1h pfs-group=modp2048
[admin@MikroTik] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; vpn01
chain=srcnat action=accept src-address=192.168.77.0/24 dst-address=10.0.0.0/16 log=no log-prefix=""
1 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""