How to Set Up IPSEC VPN Between Fortigate & MikroTik – Part 3 (End)

This post is the final part of the series; the previous posts are here and here.

Last time we configured the IPSEC VPN for the remote site, which uses a MikroTik router. Now the time has come to configure the Fortigate on the main site.

Go to VPN -> IPsec Wizard and select Custom.

Enter a proper tunnel name along with the remote site's public IP. Use the outgoing WAN interface (do not use a load-balanced WAN, as it might lead to asymmetric routing).

Use the same PSK that we used before on the MikroTik. In addition, make sure the same encryption and DH group are used. These settings define the phase 1 proposal.

For the phase 2 proposal, you may need to specify the source and destination addresses, then expand the advanced dialog box at the bottom left and fill in all values as seen in the picture below.

It’s done. At this point the tunnel status is still shown as inactive.

The MikroTik log shows the error “phase1 negotiation failed due to time up”, and there is an error on the Fortigate side as well.

“No policy configured” means we need to create a firewall rule for this VPN connection. Go to Policy & Objects – IPv4 Policy, then create a rule to allow incoming traffic from the VPN to reach the internal LAN. In the example shown below, the VPN connection can access the server farm subnet (

After that, you will find that the VPN connection has been established. Phase 1 and phase 2 are established successfully.

From the Fortigate log, the IKE protocol exchange with the remote site can be seen, along with R-U-THERE and R-U-THERE-ACK messages, which indicate that the three-way handshake for IPSEC is running properly.

Back in the IPSEC monitor, everything is now shown as up and running.

But when you try to ping an end device on the remote site, it does not respond, or the ping comes back with an unreachable message.

The same goes for the remote site, from which you are unable to reach anything on the head office site.

At this point, all that remains is to add the route on the Fortigate side. Go to Network, then choose Routing, and add a static route as depicted below.

Do not forget to also allow connections from the source LAN to the VPN destination. This is mandatory, since without it packets will not be allowed to traverse the tunnel.

Finally, the remote site and the head office can reach each other, and packets traverse between them.


**For some reason you might implement multiple IPs on a single interface and use one of them as the VPN gateway. This may lead to the error “no SA proposal chosen”. To fix this issue, add the following command: set local-gw (Secondary Public IP).
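
The GUI steps above, collected as FortiOS CLI (an added example, not taken from the original post). The tunnel name, interface names (wan1, internal), address objects (server-farm and remote-lan, assumed to exist already), all IP addresses, and the aes256-sha256 / DH group 14 proposal are placeholders; use the values that match the MikroTik side.

```fortios
# Added example: every name, address and proposal here is a placeholder.
config vpn ipsec phase1-interface
    edit "to-mikrotik"
        set interface "wan1"
        set remote-gw 203.0.113.10
        # Only when the VPN uses a secondary public IP on the WAN interface:
        set local-gw 198.51.100.2
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <same-PSK-as-on-MikroTik>
    next
end
config vpn ipsec phase2-interface
    edit "to-mikrotik-p2"
        set phase1name "to-mikrotik"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.88.0 255.255.255.0
    next
end
# One policy per direction, scoped to the server farm subnet rather than "all".
config firewall policy
    edit 0
        set srcintf "to-mikrotik"
        set dstintf "internal"
        set srcaddr "remote-lan"
        set dstaddr "server-farm"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "internal"
        set dstintf "to-mikrotik"
        set srcaddr "server-farm"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 0
        set dst 192.168.88.0 255.255.255.0
        set device "to-mikrotik"
    next
end
```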
