A site-to-site VPN using IKEv2 between a Fortinet FortiGate and a Mikrotik.
Step-by-step guide
RouterOS (ROS)
# RouterOS side. Addresses as used on this page: local WAN 10.0.0.2, FortiGate WAN 10.0.0.1,
# local LAN 192.168.222.0/24, remote LAN 192.168.111.0/24. A trailing "\" continues the command.
/ip ipsec profile
# Phase 1 (IKE SA): aes-256 / sha512 / ecp521 mirror the FortiGate "aes256-sha512" + "dhgrp 21".
# proposal-check=obey presumably lets the peer's proposed lifetime win over lifetime=1d — confirm.
# nat-traversal=no assumes neither peer sits behind NAT; dpd detects a dead peer after 5 x 2m.
add dh-group=ecp521 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=1d name=fortigate \
nat-traversal=no proposal-check=obey
/ip ipsec peer
# IKEv2 only; the peer is pinned to the single FortiGate address 10.0.0.1/32.
add address=10.0.0.1/32 disabled=no exchange-mode=ike2 name=fortigate profile=fortigate send-initial-contact=yes
/ip ipsec proposal
# Phase 2 (CHILD SA): aes-256-gcm is an AEAD cipher, so auth-algorithms is deliberately empty.
# pfs-group=ecp521 and lifetime=1h mirror the FortiGate "dhgrp 21" and "keylifeseconds 3600".
add auth-algorithms="" disabled=no enc-algorithms=aes-256-gcm lifetime=1h name=fortigate pfs-group=ecp521
/ip ipsec identity
# Pre-shared-key authentication. generate-policy=no means only the explicit policy below is used;
# replace <PRESHAREDKEY> with a long random secret and configure the identical value on the FortiGate.
add auth-method=pre-shared-key disabled=no generate-policy=no peer=fortigate secret=<PRESHAREDKEY>
/ip ipsec policy
# Selects LAN-to-LAN traffic for the tunnel; level=require drops matching traffic if no SA exists.
# sa-src/sa-dst are the two WAN addresses; src/dst-address are the two LANs (reversed on the FortiGate).
add action=encrypt disabled=no dst-address=192.168.111.0/24 dst-port=any ipsec-protocols=esp level=require peer=fortigate proposal=fortigate \
protocol=all sa-dst-address=10.0.0.1 sa-src-address=10.0.0.2 src-address=192.168.222.0/24 src-port=any tunnel=yes
Fortinet
# FortiGate side, phase 1 (IKE SA). Mirrors the RouterOS profile: aes256-sha512 = aes-256/sha512,
# dhgrp 21 = ecp521; remote-gw 10.0.0.2 is the RouterOS WAN address.
config vpn ipsec phase1-interface
edit "vpn-to-mikrotik"
set interface "wan2"
set ike-version 2
# peertype any: no IKE peer-ID check; the peer is constrained only by remote-gw and the PSK below.
set peertype any
# net-device disable: a single tunnel interface for this peer (presumably, rather than per-peer dynamic interfaces — confirm).
set net-device disable
set proposal aes256-sha512
set dhgrp 21
set remote-gw 10.0.0.2
# Replace the placeholder with the same long random secret used in the RouterOS identity.
set psksecret <PRESHAREDKEY>
next
end
# NOTE(review): not shown on this page — a static route for 192.168.222.0/24 via "vpn-to-mikrotik"
# and firewall policies permitting traffic through the tunnel interface are still needed; confirm they exist.
# FortiGate side, phase 2 (CHILD SA). Mirrors the RouterOS proposal: aes256gcm = aes-256-gcm,
# dhgrp 21 = pfs-group ecp521, keylifeseconds 3600 = lifetime 1h.
config vpn ipsec phase2-interface
edit "vpn-to-mikrotik"
set phase1name "vpn-to-mikrotik"
set proposal aes256gcm
set dhgrp 21
# Bring the tunnel up without waiting for interesting traffic.
set auto-negotiate enable
set keylifeseconds 3600
# Selectors are the mirror image of the RouterOS policy (src 192.168.111.0/24 here = dst-address there).
set src-subnet 192.168.111.0 255.255.255.0
set dst-subnet 192.168.222.0 255.255.255.0
next
end
Note
It may be necessary to add a firewall NAT rule on the RouterOS device:
If the encryption-domain address (the address covered by the IPsec policy, i.e. what the remote peer expects to see) is 1.2.3.4,
and the server's real IP is 4.3.2.1,
add a source-NAT rule (chain=srcnat, action=src-nat):
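# Source-NAT the server 4.3.2.1 to the encryption-domain address 1.2.3.4 on the way out.
# Written with "\" continuations, like the other commands on this page, so it pastes as one command.
# NOTE(review): as written this rewrites the source of ALL traffic from 4.3.2.1 leaving ether1, not
# only traffic headed into the tunnel; consider adding dst-address=<REMOTE-SUBNET> (or the RouterOS
# ipsec-policy=out,ipsec matcher) and keep this rule above any masquerade rule for the same interface.
/ip firewall nat add \
  chain=srcnat \
  src-address=4.3.2.1 \
  out-interface=ether1 \
  action=src-nat \
  to-addresses=1.2.3.4 \
  protocol=all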