Marveldash
just joined
Topic Author
Posts: 1
Joined: Tue Mar 03, 2009 8:01 pm

IPsec between RB250 and Fortigate

Tue Mar 03, 2009 8:30 pm

Hello,

I'm trying to connect two LANs together, one behind an RB450 and the other behind a Fortigate-60. I'm using this document, http://wiki.mikrotik.com/wiki/MikroTik_ ... wall_IPSEC, as the basis for configuring the connection.

Phase 1 connects; however, phase 2 fails. If the Fortigate initiates the connection, the logs show

echo: ipsec,ike respond new phase 2 negotiation: X.X.X.151[500]<=>X.X.X.24[500]
echo: ipsec,ike ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
echo: ipsec,ike ISAKMP-SA established X.X.X.151[500]-X.X.X.24[500] spi:a5a1a8657000dd20:dde0d7be7c73892f
echo: ipsec,ike respond new phase 2 negotiation: X.X.X.151[500]<=>X.X.X.24[500]
echo: ipsec,ike no policy found: X.X.X.24/32[0] 192.168.55.0/24[0] proto=any dir=in
echo: ipsec,ike failed to get proposal for responder.
echo: ipsec,ike failed to pre-process packet.

If the RB initiates the connection, I see a comparable message in the Fortigate logs. However, I can't find any differences in the phase 2 policies. Hopefully someone can point out the obvious to me, thanks!

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.55.0/24 dst-address=192.168.24.0/24
1 chain=srcnat action=masquerade out-interface=ether5

[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled
0 address=X.X.X.24/32:0 auth-method=pre-shared-key secret="XXXXXX" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=des dh-group=modp1024 lifetime=1d lifebytes=0

[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=md5 enc-algorithms=des lifetime=30m pfs-group=modp1024

[admin@MikroTik] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.55.0/24:any dst-address=192.168.24.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=X.X.X.151 sa-dst-address=X.X.X.24 proposal=default manual-sa=none priority=0

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; default configuration
192.168.88.1/24 192.168.88.0 192.168.88.255 ether1
1 192.168.0.2/24 192.168.0.0 192.168.0.255 ether1
2 192.168.55.1/24 192.168.55.0 192.168.55.255 ether1
3 D X.X.X.151/22 X.X.X.0 X.X.X.255 ether5

And now the fortigate:

config vpn ipsec phase1
edit "rb450_tun"
set interface "wan1"
set nattraversal enable
set dhgrp 2
set proposal des-md5
set remote-gw X.X.X.151
set psksecret ENC XXXXXXX
next

config vpn ipsec phase2
edit "rb450_tun"
set dhgrp 2
set keepalive enable
set pfs enable
set phase1name "rb450_tun"
set proposal des-md5
set replay enable
set src-subnet 192.168.24.0 255.255.255.0
set dst-subnet 192.168.55.0 255.255.255.0
next
end
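The "no policy found" line above is the part of the log that actually says why phase 2 fails: it prints the traffic selector the peer proposed and RouterOS could not match against any entry in `ip ipsec policy print`. The following script is an added example, not code from the thread or from MikroTik. It parses that line, compares the proposed selector with the configured policies, and reports which side of the selector is wrong. It assumes the ordering seen in the posted log, namely that for dir=in the first address is the remote side and the second the local side, so a policy is compared with its src/dst swapped. The X.X.X.* addresses from the post are replaced with constructed TEST-NET-3 values (203.0.113.151 for the RB, 203.0.113.24 for the Fortigate) so they parse.

```python
"""Diagnose RouterOS 'ipsec,ike no policy found' events against local IPsec policies.

Added example, not part of the forum thread. Sample log and policy data are
constructed to mirror the poster's output with placeholder public addresses.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample log: X.X.X.151 -> 203.0.113.151 (RB), X.X.X.24 -> 203.0.113.24 (Fortigate).
LOG_LINES = [
    "echo: ipsec,ike respond new phase 2 negotiation: 203.0.113.151[500]<=>203.0.113.24[500]",
    "echo: ipsec,ike no policy found: 203.0.113.24/32[0] 192.168.55.0/24[0] proto=any dir=in",
    "echo: ipsec,ike failed to get proposal for responder.",
]

# Local policy as shown by `ip ipsec policy print` (constructed to match the post).
LOCAL_POLICIES = [
    {"src": "192.168.55.0/24", "dst": "192.168.24.0/24", "protocol": "all"},
]

# Matches: no policy found: SRC/len[port] DST/len[port] proto=X dir=in|out
NO_POLICY_RE = re.compile(
    r"no policy found: (?P<src>[0-9a-fA-F.:]+/\d+)\[(?P<sport>\d+)\] "
    r"(?P<dst>[0-9a-fA-F.:]+/\d+)\[(?P<dport>\d+)\] proto=(?P<proto>\S+) dir=(?P<dir>\w+)"
)


@dataclass
class Selector:
    """Traffic selector proposed by the peer in quick mode."""
    src: Network
    dst: Network
    proto: str
    direction: str


def parse_no_policy(line: str) -> Optional[Selector]:
    """Return the proposed selector, or None if the line is not a no-policy event."""
    m = NO_POLICY_RE.search(line)
    if not m:
        return None
    return Selector(
        src=ipaddress.ip_network(m["src"], strict=False),  # host /32 has no host-bit issue
        dst=ipaddress.ip_network(m["dst"], strict=False),
        proto=m["proto"],
        direction=m["dir"],
    )


def policy_selectors(policy: dict, direction: str):
    """Selector pair a policy must cover for the given direction.

    Assumption from the posted log: for dir=in the proposed src is the remote
    LAN and the proposed dst is the local LAN, i.e. the policy is read reversed.
    """
    src = ipaddress.ip_network(policy["src"])
    dst = ipaddress.ip_network(policy["dst"])
    return (dst, src) if direction == "in" else (src, dst)


def diagnose(selector: Selector, policies: List[dict]) -> List[str]:
    """Return one reason per policy explaining why it did not match.

    An empty list means at least one policy covers the proposed selector.
    """
    reasons = []
    for p in policies:
        want_src, want_dst = policy_selectors(p, selector.direction)
        src_ok = selector.src.subnet_of(want_src)
        dst_ok = selector.dst.subnet_of(want_dst)
        if src_ok and dst_ok:
            return []
        parts = []
        if not src_ok:
            parts.append(f"proposed src {selector.src} is not within policy src {want_src}")
        if not dst_ok:
            parts.append(f"proposed dst {selector.dst} is not within policy dst {want_dst}")
        reasons.append("; ".join(parts))
    return reasons


def check_log(lines: List[str], policies: List[dict]) -> List[str]:
    """Scan log lines and return diagnostics for every no-policy event."""
    findings = []
    for line in lines:
        sel = parse_no_policy(line)
        if sel is None:
            continue
        for reason in diagnose(sel, policies):
            findings.append(f"dir={sel.direction} proto={sel.proto}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in check_log(LOG_LINES, LOCAL_POLICIES):
        print(finding)
```

Run against the posted data, the script reports that the proposed source 203.0.113.24/32 (the Fortigate's own WAN address) is not inside the policy's remote subnet 192.168.24.0/24, while the destination 192.168.55.0/24 does match. In other words the two phase 2 definitions are not actually different; the Fortigate is simply not sending its LAN subnet as the selector, which is what a missing Fortigate firewall policy for the tunnel produces.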
 
tmiklas
just joined
Posts: 9
Joined: Mon Apr 02, 2007 12:06 pm

Re: IPsec between RB250 and Fortigate

Sun Jan 25, 2015 6:07 pm

I had a similar issue - it turned out Fortigate requires that you first create an address object for the network behind the RB250 and add a traffic policy under Policies->IPv4 (on the Fortigate). As soon as the policy was added, phase 2 connected OK.