Hello,

I am configuring a VPN setup with a Fortigate firewall as the hub (With dynamic DNS) and several Mikrotik mAP's as spokes. (DialUp)

Spokes are configured with subnet 172.28.10.0/24, 172.28.11.0/24 and so on.
LAN on the Fortigate is 192.168.50.0/24
mAP's 172.28.x.1

VPN tunnels are up and running, and I am able to ping 172.28.11.0/24 and 192.168.50.0/24 from 172.28.10.0/24 and vice versa.

BUT I am not able to reach the mAP from the local LAN.(Unless I use winbox and the MAC address of the mAP)
172.28.10.50 is not able to ping 172.28.10.1. 172.28.11.50 is not able to ping 172.28.11.1 and so on.

To make the solution flexible and easy to expand without having to change config on all mAP's when I add a new site I have this config. (Example from 172.28.10.1)

/ip ipsec policy add dst-address=172.28.0.0/16 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes
/ip ipsec policy add dst-address=192.168.50.0/24 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes

If i change this to:

/ip ipsec policy add dst-address=172.28.11.0/24 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes
/ip ipsec policy add dst-address=192.168.50.0/24 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes

it works between 172.28.10,0/24, 172.28.11.0/24 and 192.168.50.0/24. And I am able to reach the mAp from the LAN.
So I guess I must add some kind of routing or exception to make it work with dst-address=172.28.0.0/16.

And btw: Is it possible to skip the policy for 192.168.50.0 and solve it with routing instead?

All help is highly appreciated

/Stefan

Anyone ?

I think you're looking for:
And order of policies matters.

I think you're looking for:

Code: Select all

/ip ipsec policy
add action=none src-address=172.28.x.0/24 dst-address=172.28.x.0/24

And order of policies matters.

Thank you very much! Now it works within the 172.28.0.0./16 net as I wanted it to
Now I have two tunnels instead of one for each spoke.

But I will probably only need one tunnel if I am able to route all request to/from 192.168.50.0/24 over the 172.28.0.0/16 tunnel.
Would make my day if you could help me with this problem as well.
It is probably basic, but I am not very familiar with the routing options on the Mikrotik yet

Mikrotik only implements bare IPsec with policies and traffic selectors, so you must have a separate policy for each dst-address (192.168.50.0/24 and 172.28.0.0/16). Whether one or two pairs of SAs will actually be negotiated depends on the level parameter of the policy - if it is set to require, a single pair of SAs may be sufficient if the peer (Fortigate in your case) supports that. But bandwidth-wise, there is no difference whether you use a dedicated pair of SAs for each policy or whether the two policies share the same pair.

Mikrotik does not support IPsec VTI, so if you want to use "normal" routing instead of traffic selectors, the only possibility is to use GRE-over-IPSec, IPencap-over-IPsec, or L2TP-over-IPsec if Fortigate supports that.

Mikrotik only implements bare IPsec with policies and traffic selectors, so you must have a separate policy for each dst-address (192.168.50.0/24 and 172.28.0.0/16). Whether one or two pairs of SAs will actually be negotiated depends on the level parameter of the policy - if it is set to require, a single pair of SAs may be sufficient if the peer (Fortigate in your case) supports that. But bandwidth-wise, there is no difference whether you use a dedicated pair of SAs for each policy or whether the two policies share the same pair.

Mikrotik does not support IPsec VTI, so if you want to use "normal" routing instead of traffic selectors, the only possibility is to use GRE-over-IPSec, IPencap-over-IPsec, or L2TP-over-IPsec if Fortigate supports that.

Thank you for the good explanation I will just leave it as it is then.

I just thought I would quickly point something out...

In this line:
/ip ipsec policy add dst-address=172.28.0.0/16 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes

You list TWO subnets:
172.28.0.0/16
172.28.10.0/24

The first subnet is from IP 172.28.0.1 -> 172.28.15.255
The second subnet is contained within the first subnet; therefore, you can't tunnel between them.

Your solution of making the first subnet a /24 solves the problem.

I just thought I would quickly point something out...

In this line:
/ip ipsec policy add dst-address=172.28.0.0/16 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes

You list TWO subnets:
172.28.0.0/16
172.28.10.0/24

The first subnet is from IP 172.28.0.1 -> 172.28.15.255
The second subnet is contained within the first subnet; therefore, you can't tunnel between them.

Your solution of making the first subnet a /24 solves the problem.

Thank you