IPSec Site-to-Site VPN between Fortigate and Mikrotik

Hi,

If you are looking for documentation on how to create a Site-to-Site IPSec VPN between a Fortigate and a Mikrotik router, you have found the right blog post. Below are the complete steps.

Equipment used:

Fortigate 60D, firmware v5.2.0. Internal LAN IP: 192.168.1.0/24
Mikrotik RB2011UiAS. Internal LAN IP: 192.168.4.0/24

Configure the Mikrotik:

1. Create a NAT accept rule between the internal LAN and remote LAN:

Details:

2. Open IP > IPSec.

Go to Proposals TAB and create a new proposal profile:

Go to Policies TAB. Create a New Policy, fill in Source LAN and Destination LAN:

On the Action TAB, fill Source Address with the Mikrotik WAN Address and Destination Address with the Fortigate WAN IP. Check Tunnel Mode. Select the Proposal created previously:

Go to Peers TAB and create a new IPSec Peer.

Address: fill in the Fortigate WAN IP.
Secret: the Pre-Shared Key (password)
Make the rest of the settings as in the image below:

You don't need to create other static routes or IPSec interfaces on the router.

Next step, configure the Fortigate:

Go to VPN and create a new Tunnel, with Custom – Static IP Address settings:

Edit the settings:

In the Network section, in IP Address fill in the WAN IP of the Mikrotik:

 

Next in Authentication section fill in the same Pre-Shared Key as in Mikrotik:

In Phase 1 Proposal:

 

In XAUTH keep Disabled:

In Phase 2 Selectors:

Go to Monitor section, you should see the connection as Up:

Now we need to create the firewall rules that accept:

Rule 14: traffic from the Fortigate LAN going out the Mikrotik02 interface to the 192.168.4.0 LAN
Rule 15: traffic from the 192.168.4.0 LAN coming in on the Mikrotik02 interface to the internal Fortigate LAN


Details:

Rule 14:

Rule 15:

Objects, Addresses details:

The connection will be activated when the first traffic is matched to be sent on the IPSec tunnel. You can check the Installed SAs TAB, where you should find at least 2 records:

And you can test the connection with a PING from Mikrotik, but select the Interface: bridge-local:

This is it. Hope it helped you in setting up the IPSec VPN connection!

Exchange 2010 SP3 installation fails on SBS 2011

You install Exchange 2010 SP3 on Microsoft Windows Small Business Server 2011 (SBS 2011).

The update fails at the Hub Transport role with the error below:

Hub Transport Role
Failed

Error:
The following error was generated when "$error.Clear();
          Write-ExchangeSetupLog -Info "Creating SBS certificate";

          $thumbprint = [Microsoft.Win32.Registry]::GetValue("HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer\Networking", "LeafCertThumbPrint", $null);

          if (![System.String]::IsNullOrEmpty($thumbprint))
          {
            Write-ExchangeSetupLog -Info "Enabling certificate with thumbprint: $thumbprint for SMTP service";
            Enable-ExchangeCertificate -Thumbprint $thumbprint -Services SMTP;

            Write-ExchangeSetupLog -Info "Removing default Exchange Certificate";
            Get-ExchangeCertificate | where {$_.FriendlyName.ToString() -eq "Microsoft Exchange"} | Remove-ExchangeCertificate;

            Write-ExchangeSetupLog -Info "Checking if default Exchange Certificate is removed";
            $certs = Get-ExchangeCertificate | where {$_.FriendlyName.ToString() -eq "Microsoft Exchange"};
            if ($certs)
            {
              Write-ExchangeSetupLog -Error "Failed to remove existing exchange certificate"
            }
          }
          else
          {
            Write-ExchangeSetupLog -Warning "Cannot find the SBS certificate";
          }
        " was run: "The certificate with thumbprint EF21B275EAA71E26D27349711D1272A2C9B246BA was not found.".

The certificate with thumbprint EF21B275EAA71E26D27349711D1272A2C9B246BA was not found.
Click here for help… http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.123.3&e=ms.exch.err.Ex88D115&l=0&cl=cp

Elapsed Time: 00:08:34

Cause:

The upgrade reads the registry value "HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer\Networking\LeafCertThumbPrint", picks up the thumbprint "EF21B275EAA71E26D27349711D1272A2C9B246BA" and finds that it is different from the thumbprint of the certificate configured for SMTP in Exchange, so the upgrade fails.

The solution:

Go to Exchange Management Console > Server Configuration > and open the certificate configured for SMTP:

Look for the Thumbprint and note it:

Run the command in CMD: netsh http show ssl

Look for the Thumbprint of the certificate which is configured on Exchange 2010 SMTP connector, and copy the Thumbprint from here:

In the registry, go to "HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer\Networking\LeafCertThumbPrint" and replace the existing thumbprint with the one of the certificate used for SMTP:

Run the Exchange 2010 SP3 setup again. This time the upgrade will be successful.

After the upgrade, run Windows Update for the latest Exchange 2010 SP3 patches.
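
The comparison and registry change described above can also be done from the Exchange Management Shell. The script below is an added example, not part of the original post; the parameters `-NewThumbprint` and `-Apply` are names chosen for this example, and it only writes to the registry when the thumbprint you pass belongs to an unexpired certificate that Exchange lists as enabled for SMTP.

```powershell
# Added example, not from the original post. Save as a .ps1 file and run it in an
# elevated Exchange Management Shell on the SBS 2011 server (PowerShell 2.0 compatible).
param(
    [string]$NewThumbprint,   # assumption: value you pick from the table printed below
    [switch]$Apply            # assumption: without -Apply the script only reports
)

$key  = 'HKLM:\Software\Microsoft\SmallBusinessServer\Networking'
$name = 'LeafCertThumbPrint'

function Format-Thumbprint([string]$Text) {
    # Drop spaces and invisible characters picked up when copying from a certificate dialog
    return ($Text -replace '[^0-9A-Fa-f]', '').ToUpper()
}

# Value that the SP3 setup script reads, and whether that certificate exists at all
$current = Format-Thumbprint (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name
$inStore = ($current.Length -eq 40) -and (Test-Path ("Cert:\LocalMachine\My\" + $current))
Write-Host "Registry value: $current (present in LocalMachine\My: $inStore)"

# Unexpired certificates that Exchange has enabled for SMTP
$smtp = @(Get-ExchangeCertificate | Where-Object {
    ($_.Services -match 'SMTP') -and ($_.NotAfter -gt (Get-Date)) })
$smtp | Format-Table Thumbprint, Subject, NotAfter, Services -AutoSize | Out-Host
$known = @($smtp | ForEach-Object { $_.Thumbprint })

if ($known -contains $current) {
    Write-Host 'Registry value already matches an SMTP certificate; nothing to change.'
    return
}
if (-not $Apply) {
    Write-Host 'Mismatch. Re-run with -NewThumbprint <value from the table> -Apply.'
    return
}

$new = Format-Thumbprint $NewThumbprint
if (-not ($known -contains $new)) {
    throw "'$new' is not an unexpired certificate enabled for SMTP on this server."
}

# Print the old value so the change can be rolled back by hand
Write-Host "Previous value (keep for rollback): $current"
Set-ItemProperty -Path $key -Name $name -Value $new
Write-Host "LeafCertThumbPrint set to $new. Run the Exchange 2010 SP3 setup again."
```

If more than one certificate is enabled for SMTP, pick the one shown in the Exchange Management Console for the SMTP connector rather than the self-signed "Microsoft Exchange" certificate, which the setup script removes.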

The System Center Virtual Machine Manager service terminated unexpectedly

You have a System Center Virtual Machine Manager 2008 R2 server. When you reboot the server or restart the Virtual Machine Manager service (VMMService), you receive the error:

The Virtual Machine Manager service terminated unexpectedly.  It has done this x time(s).

Service Control Manager

EventID 7034

Resolution:

In this case we've changed the Regional Format from Control Panel from English to another format. Change the format back to English and the service will start OK.