Algorithms“ are needed, as we use aes-256-gcm as the encryption algorithm which already includes the authentication part: IPsec Proposal on Mikrotik RouterOSįor the peer configuration we only need to set the name, ip-address, ipsec profile and the „Exchange Mode“ to IKE2: IPsec Peer on Mikrotik RouterOS In the next step, we create a new „IPSec Proposal“ for the phase 2 encryption. Set dst-subnet 192.168.200.0 255.255.255.0Īll configuration is done in the „IP –> IPSec“ section using Winbox.įirst we need to create the „IPsec Profile“ in which we define the IKE proposal: IPsec Profile on Mikrotik RouterOS Using the FortiOS cli the configuration is done like this: config vpn ipsec phase1-interface In the phase 2 the other site is able to use GCM ciphers, therefore we use AES256GCM and Diffie-Hellman Group 21: IPsec Phase 2 Selectors on FortiGate Then we create the Phase 2 Selector with the networks we want to connect. Therefore, we use AES256 with SHA512 and the Diffie-Hellman Group 21 which is also known as 521-bit ECP: IPsec Phase 1 Proposal on FortiGate Then we set our pre-shared key and change the IKE Version to „2“: IPsec Authentication on FortiGateĪs the other site can’t use GCM Ciphers in IKE / phase 1 right now, we need to stick with AES-CBC mode ciphers. The following figure shows the lab environment I build for this tutorial:įirst, we need to create a new custom tunnel in the FortiGate configuration, where we set the basic parts as the peer ip-address and the interface we want to use for our vpn connection: IPSec Network configuration on FortiGate These are the devices I used for this tutorial:įortinet FortiGate 60F with FortiOS 7.2.3 You need to test the ressource usage and performance in your own environment. This can result in degraded performance and higher ressource usage depending on the used hardware.
I typically use the strongest possible cryptographic algorithms between the two sites / vendors in my tutorials.
The Key Exchange will be done using IKEv2 and both sites are using static ip-addresses on their wan interfaces. This is a step-by-step tutorial to set up a site-to-site VPN between a Fortinet FortiGate and a Mikrotik RouterOS.
0 kommentar(er)
