If you are searching documentation on how to create a Site-to-Site IPSec VPN between a Fortigate and a Mikrotik router you found the right blog post. Below are the complete steps.
Fortigate 60D, firmware v5.2.0. Internal LAN IP: 192.168.1.0/24
Mikrotik RB2011UiAS. Internal LAN IP: 192.168.4.0/24
Configure the Mikrotik:
- Create a NAT accept rule between the internal LAN and remote LAN:
2. Open IP > IPSec.
Go to Proposals TAB and create a new proposal profile:
Go to Policies TAB. Create a New Policy, fill in Source LAN and Destination LAN:
On the Action TAB fill Source Address with the Mikrotik WAN Address and Destination Address with the Fortigate WAN IP. Check Tunnel Mode. Select the Proposl created previously:
Go to Peers TAB and create a new IPSec Peer.
Address: fill in the Fortigate WAN IP.
Secret: the Pre-Shared Key (password)
Make the rest of the settings as in the image below:
You don’t need to create other Statis routes or IPSec interfaces on the router.
Next step, configure the Fortigate:
Go to VPN and create a new Tunnel, with Custom – Static IP Address settings:
Edit the settings:
In the Network section, in IP Address fill in the WAN IP of the Mikrotik:
Next in Authentication section fill in the same Pre-Shared Key as in Mikrotik:
In Phase 1 Proposal:
In XAUTH keep Disabled:
In Phase 2 Selectors:
Go to Monitor section, you should see the connection as Up:
Now, we need to create the Firewall rules to accept:
Rule 14: traffic from Fortigate LAN to go to Mikrotik02 interface to the 192.168.4.0 LAN
Rule 15: traffic from 192.168.4.0 from the interface Mikrotik02 to Internal Fortigate LAN
Objects, Addresses details:
The connection will be activated when the first traffic is matched to be sent on the IPSec tunnel. You can check the Installed SAs TAB, where you should find at least 2 records:
And you can test the connection with a PING from Mikrotik, but select the Interface: bridge-local:
This is it. Hope it helped you in seeting up the IPSec VPN connection!