@cernoel
Last active March 7, 2022 02:58
Mikrotik <> Fortigate IPsec with NAT (dynamic IP on the client side). Fast draft, use at your own risk.
###################
Forti
###################
FG80C-HQ # config vpn ipsec phase1-interface
FG80C-HQ (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "BRO-IPSEC"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set mode-cfg enable
        set ipv4-dns-server1 10.0.0.254
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 15 14 5
        set ipv4-start-ip 192.168.77.1
        set ipv4-end-ip 192.168.77.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "HQ_LAN"    # HQ_LAN = 10.0.0.0/16
        set psksecret ENC SUPERSECRET
    next
end
FG80C-HQ # config vpn ipsec phase2-interface
FG80C-HQ (phase2-interface) # show
config vpn ipsec phase2-interface
    edit "BRO-IPSEC_0"
        set phase1name "BRO-IPSEC"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256
        set dhgrp 15 14 5
        set keylifeseconds 3600
    next
end
FG80C-HQ # config firewall policy
    edit 45
        set uuid SOMEUUID
        set srcintf "BRO-IPSEC"
        set dstintf "internal1"
        set srcaddr "BRO-IPSEC_range"    # BRO-IPSEC_range = 192.168.77.1-192.168.77.254
        set dstaddr "HQ_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
#####################
Mikrotik
#####################
192.168.77.0/24 = Branch Office net (Mikrotik LAN, dynamic public IP)
10.0.0.0/16 = HQ net (Fortigate LAN)
212.1.2.3/32 = public IP of the HQ Fortigate (wan1)
[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
0 address=212.1.2.3/32 auth-method=pre-shared-key secret="SUPERSECRET" generate-policy=no policy-template-group=default exchange-mode=ike2 send-initial-contact=yes hash-algorithm=sha256 enc-algorithm=aes-256,aes-192 dh-group=modp2048 lifetime=1d dpd-interval=2m
[admin@MikroTik] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 TX* group=default src-address=0.0.0.0/32 dst-address=0.0.0.0/32 protocol=all proposal=default template=yes
1 A src-address=192.168.77.0/24 src-port=any dst-address=10.0.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=212.1.2.3 proposal=my-ipsec ph2-count=1
[admin@MikroTik] /ip ipsec proposal> print
Flags: X - disabled, * - default
0 X* name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1536
1 name="my-ipsec" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,camellia-256,aes-192-cbc,camellia-192 lifetime=1h pfs-group=modp2048
[admin@MikroTik] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"
[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; vpn01
chain=srcnat action=accept src-address=192.168.77.0/24 dst-address=10.0.0.0/16 log=no log-prefix=""
1 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""
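Added example (not part of the gist): a small Python check that takes the proposal lists from the FortiGate phase1/phase2 output and the RouterOS peer/proposal output above, normalises the two vendors' algorithm names, and reports which IKE and ESP suites the two ends can actually agree on and which offered algorithms are weak. The suite lists are copied from the configs on this page; the vendor name tables and the definition of "weak" (SHA-1 or MD5 integrity, 3DES/DES, DH group 5 and smaller) are this script's own assumptions.

```python
"""Compare the FortiGate and MikroTik IPsec proposals from the gist and report
what can be negotiated and what is weak. Added example, not the gist's own code."""
from itertools import product

# FortiOS "set dhgrp" numbers -> RouterOS group names (RFC 3526 MODP groups).
FORTI_DH = {"5": "modp1536", "14": "modp2048", "15": "modp3072"}

# RouterOS cipher names -> the token FortiOS uses in its "set proposal" lists.
# IKE uses "aes-256", ESP uses "aes-256-cbc"; FortiOS calls both "aes256".
# Camellia has no counterpart in the FortiGate proposals above, so it maps to
# None and is dropped from the comparison (assumption: FortiGate does not offer it).
ROS_ENC = {"aes-128": "aes128", "aes-192": "aes192", "aes-256": "aes256",
           "aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256",
           "3des": "3des"}

# "Weak" as assumed here: SHA-1/MD5 integrity, 3DES/DES, DH groups of 1536 bits or less.
WEAK_INTEGRITY = {"sha1", "md5"}
WEAK_CIPHERS = {"3des", "des"}
WEAK_DH = {"modp768", "modp1024", "modp1536"}


def forti_suites(proposal_line):
    """'set proposal aes128-sha256 aes256-sha1' -> {('aes128','sha256'), ('aes256','sha1')}"""
    tokens = proposal_line.split()[2:]
    return {tuple(t.split("-", 1)) for t in tokens}


def forti_dh(dhgrp_line):
    """'set dhgrp 15 14 5' -> {'modp3072', 'modp2048', 'modp1536'}"""
    return {FORTI_DH[n] for n in dhgrp_line.split()[2:]}


def ros_suites(enc_csv, auth_csv):
    """RouterOS lists ciphers and hashes separately; every combination is offered."""
    ciphers = [ROS_ENC.get(e) for e in enc_csv.split(",")]
    hashes = auth_csv.split(",")
    return {(c, h) for c, h in product(ciphers, hashes) if c is not None}


def weak_suites(suites):
    return {s for s in suites if s[0] in WEAK_CIPHERS or s[1] in WEAK_INTEGRITY}


# --- values copied from the configs on this page ---
FORTI_P1 = forti_suites("set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1")
FORTI_P1_DH = forti_dh("set dhgrp 15 14 5")
FORTI_P2 = forti_suites("set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256")
FORTI_P2_DH = forti_dh("set dhgrp 15 14 5")

ROS_PEER = ros_suites("aes-256,aes-192", "sha256")        # /ip ipsec peer (IKE)
ROS_PEER_DH = {"modp2048"}
ROS_PROP = ros_suites("aes-256-cbc,camellia-256,aes-192-cbc,camellia-192", "sha256,sha1")  # my-ipsec (ESP)
ROS_PROP_DH = {"modp2048"}                                 # pfs-group


def report():
    """Intersections of what each side offers, plus the weak leftovers."""
    esp_common = FORTI_P2 & ROS_PROP
    return {
        "ike_common": FORTI_P1 & ROS_PEER,
        "ike_dh": FORTI_P1_DH & ROS_PEER_DH,
        "esp_common": esp_common,
        "esp_dh": FORTI_P2_DH & ROS_PROP_DH,
        # suites both sides accept for ESP that should not be on the table at all
        "esp_weak_possible": weak_suites(esp_common),
        # weak material the FortiGate keeps offering even though the MikroTik never takes it
        "forti_weak_suites": weak_suites(FORTI_P1 | FORTI_P2),
        "forti_weak_dh": (FORTI_P1_DH | FORTI_P2_DH) & WEAK_DH,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:20s} {sorted(value)}")
```

Running it shows that IKE can only land on aes256-sha256 with modp2048 (the MikroTik peer offers nothing weaker), but ESP can still end up as aes256-sha1 because both the FortiGate phase2 list and the MikroTik my-ipsec proposal keep SHA-1. Which member of the intersection is finally chosen depends on each implementation's preference handling, so the script reports the set rather than a single winner. Dropping sha1 from the MikroTik proposal and from the FortiGate phase2, and dhgrp 5 from the FortiGate, leaves the intersection non-empty, so the tunnel keeps negotiating with only the strong suites.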