I setup IPsec between mikrotik and fortigate router.
But the state of the policies changes cyclically: established, msg1 sent, getspi sent, no phase2
And ping shows about 30% loss.
I think this is due to the large number of policies (~10). If I enable only 5 policies, then the state is permanent and active for all.
what should be additionally configured?
My settings:
Code: Select all
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=3des,des name=fortigate
/ip ipsec peer
add address=<fortigate_ip>/32 name=fortigate_ip profile=fortigate
/ip ipsec proposal
add enc-algorithms=3des,des name=fortigate_phase2 pfs-group=modp1536
/ip ipsec identity
add peer=fortigate_ip secret=<secret string>
/ip ipsec policy
add dst-address=172.31.0.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.1.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.2.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.3.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.4.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.6.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.7.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
add dst-address=172.31.8.0/24 peer=fortigate_ip proposal=fortigate_phase2 sa-dst-address=<fortigate_ip> sa-src-address=<local_ip> src-address=10.2.0.0/16 tunnel=yes
...