
IPSec Connection Issue [Mikrotik<->FortGate]

Posted: Fri Jul 27, 2012 6:40 pm
by Geoffb
Hi All,

I'm having an issue trying to set up an IPSec VPN between an RB1100 (v4.12) and a FortiGate 331B (v4.0, build0342, 120227). I have tried searching through the support forums, but have not found any helpful information as yet.

I have included logs and configs of both devices in this post. It basically dies with an "invalid length of payload/malformed or expired" error, and I'm at a total loss as to what is wrong.
jul/18 16:48:39 ipsec respond new phase 1 negotiation: *MIKROTIK-IP*[500]<=>*FORTGATE-IP*[500] 
jul/18 16:48:39 ipsec begin Identity Protection mode. 
jul/18 16:48:39 ipsec received Vendor ID: RFC 3947 
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
jul/18 16:48:39 ipsec 
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-01 
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 
jul/18 16:48:39 ipsec received Vendor ID: DPD 
jul/18 16:48:39 ipsec Selected NAT-T version: RFC 3947 
jul/18 16:48:39 ipsec Hashing *MIKROTIK-IP*[500] with algo #1  
jul/18 16:48:39 ipsec NAT-D payload #0 verified 
jul/18 16:48:39 ipsec Hashing *FORTGATE-IP*[500] with algo #1  
jul/18 16:48:39 ipsec NAT-D payload #1 verified 
jul/18 16:48:39 ipsec NAT not detected  
jul/18 16:48:39 ipsec Hashing *REMOTE-IP*[500] with algo #1  
jul/18 16:48:39 ipsec Hashing *FORTGATE-IP*[500] with algo #1  
jul/18 16:48:39 ipsec Adding remote and local NAT-D payloads. 
jul/18 16:48:39 ipsec phase1 negotiation failed due to time up. f3910b0466248ffb:db0f570033e05fba 
jul/18 16:48:39 ipsec invalid length of payload
I'd greatly appreciate any help you can offer.
Thanks very much!
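
Added here as an editor's example, not code from the original post or from MikroTik or Fortinet: a small Python script that parses RouterOS-style `ipsec` log lines like the ones above, summarises the phase 1 negotiation (role, mode, vendor IDs, NAT-T outcome, failure messages and the ISAKMP cookie pair) and maps the failures to the checks a defender would run first. The sample log is constructed from the excerpt in the post. The `initiate new phase 1`, `Aggressive mode` and `NAT detected` strings are assumed racoon-style messages that do not appear in the posted log, and the hint table is the editor's, not a MikroTik diagnostic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the RouterOS ipsec log excerpt from the post above,
# with the same placeholder addresses the poster used (one empty "ipsec" line kept).
SAMPLE_LOG = """\
jul/18 16:48:39 ipsec respond new phase 1 negotiation: *MIKROTIK-IP*[500]<=>*FORTGATE-IP*[500]
jul/18 16:48:39 ipsec begin Identity Protection mode.
jul/18 16:48:39 ipsec received Vendor ID: RFC 3947
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
jul/18 16:48:39 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
jul/18 16:48:39 ipsec
jul/18 16:48:39 ipsec received Vendor ID: DPD
jul/18 16:48:39 ipsec Selected NAT-T version: RFC 3947
jul/18 16:48:39 ipsec Hashing *MIKROTIK-IP*[500] with algo #1
jul/18 16:48:39 ipsec NAT-D payload #0 verified
jul/18 16:48:39 ipsec NAT-D payload #1 verified
jul/18 16:48:39 ipsec NAT not detected
jul/18 16:48:39 ipsec Adding remote and local NAT-D payloads.
jul/18 16:48:39 ipsec phase1 negotiation failed due to time up. f3910b0466248ffb:db0f570033e05fba
jul/18 16:48:39 ipsec invalid length of payload
"""

# "<date> <time> ipsec <message>"; the message may be empty.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) ipsec\s*(?P<msg>.*)$")
COOKIE_RE = re.compile(r"([0-9a-f]{16}:[0-9a-f]{16})")


@dataclass
class Phase1Summary:
    role: str = "unknown"                 # "responder" or "initiator"
    mode: str = "unknown"                 # "main" (Identity Protection) or "aggressive"
    vendor_ids: List[str] = field(default_factory=list)
    nat_t_version: Optional[str] = None
    nat_detected: Optional[bool] = None
    failures: List[str] = field(default_factory=list)
    cookies: Optional[str] = None         # initiator:responder ISAKMP cookies


def parse_phase1(log: str) -> Phase1Summary:
    """Walk the log once and collect what matters for a phase 1 failure."""
    s = Phase1Summary()
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if not msg:
            continue  # RouterOS sometimes emits a bare "ipsec" line; ignore it
        if msg.startswith("respond new phase 1"):
            s.role = "responder"
        elif msg.startswith("initiate new phase 1"):   # assumed racoon wording
            s.role = "initiator"
        elif "Identity Protection mode" in msg:
            s.mode = "main"
        elif "Aggressive mode" in msg:                  # assumed racoon wording
            s.mode = "aggressive"
        elif msg.startswith("received Vendor ID:"):
            vid = msg.split(":", 1)[1].strip()
            if vid not in s.vendor_ids:                 # peers often repeat drafts
                s.vendor_ids.append(vid)
        elif msg.startswith("Selected NAT-T version:"):
            s.nat_t_version = msg.split(":", 1)[1].strip()
        elif msg == "NAT not detected":
            s.nat_detected = False
        elif msg.startswith("NAT detected"):            # assumed racoon wording
            s.nat_detected = True
        elif "negotiation failed" in msg:
            s.failures.append(msg)
            cookie = COOKIE_RE.search(msg)
            if cookie:
                s.cookies = cookie.group(1)
        elif msg.startswith("invalid length of payload") or "malformed" in msg:
            s.failures.append(msg)
    return s


def triage(s: Phase1Summary) -> List[str]:
    """Editor's mapping from observed failures to first checks (not a MikroTik table)."""
    hints: List[str] = []
    if any("invalid length of payload" in f for f in s.failures):
        # In main mode the ID/HASH exchange is encrypted with keys derived from the
        # pre-shared key; a wrong PSK decrypts to garbage that fails payload parsing.
        hints.append("payload rejected: verify the pre-shared key matches on both peers")
    if any("time up" in f for f in s.failures):
        hints.append("phase 1 timed out: confirm UDP/500 (and UDP/4500 for NAT-T) "
                     "passes in both directions and the proposals match")
    if s.nat_t_version and s.nat_detected is False:
        hints.append("NAT-T negotiated but no NAT detected: try nat-traversal=no on the peer")
    return hints


if __name__ == "__main__":
    summary = parse_phase1(SAMPLE_LOG)
    print(summary)
    for h in triage(summary):
        print("-", h)
```

Run it against a longer `/log print` capture by replacing `SAMPLE_LOG`; the parser skips lines that are not `ipsec` messages, so mixed logs are fine.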

Re: IPSec Connection Issue [Mikrotik<->FortGate]

Posted: Sat Jul 28, 2012 1:07 am
by Poki
Try removing nat-traversal from the peer setup.

Re: IPSec Connection Issue [Mikrotik<->FortGate]

Posted: Sat Jul 28, 2012 1:54 pm
by rjickity
Double check your secrets. If it is a complex secret, attempt a simple 'abc123' and see what happens. If it still occurs, debug both and see what they are seeing.


Re: IPSec Connection Issue [Mikrotik<->FortGate]

Posted: Fri Apr 17, 2015 9:25 am
by bluemoon
Hi rjickity,

Thanks for the feedback. My VPN connection problem has been fixed from my LAN side, but I am still struggling from the WAN side. After reading your comment I can connect with Mikrotik from my LAN, but the WAN is not allowing me to connect, and I don't even see any error in the log.

Can you please guide me?

Thanks

Posted: Sun May 10, 2015 4:50 am
by rjickity
Sorry I don't quite understand. Your ipsec policy will be what defines your traffic for encryption (SRC and DST addressing which from your initial policy is a single host on the MikroTik side and a small subnet on the fortigate side).

When you say you cannot access from the WAN, I would think that's by design. Could you give an example of what you're trying to access and from where?