Community discussions

MikroTik App
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Mar 01, 2023 1:46 pm

IPSec Client Behind NAT

Tue Jul 18, 2023 11:21 pm

I manage a Mikrotik that sits in front of a customer's firewall, in which we dstNAT all traffic from the router to their firewall. The client side of the IPsec site-to-site tunnel is on the customer's firewall. Even though all traffic is being forwarded, it won't seem to establish. I even tried accepting anything going to 50, 500, and 4500 for good measure, but still no dice.

Is there something simple I'm missing? Also tried an 'acc-fwd IPsec policy in' rule but nothing. Just trying to rule out our setup.

(I know people will ask why not just take the Mikrotik out but we monitor via The Dude)
 
mbaute
newbie
Posts: 30
Joined: Fri May 22, 2015 3:54 pm

Re: IPSec Client Behind NAT

Wed Jul 19, 2023 1:59 am

Check with your client whether its IPsec policy has NAT traversal enabled; it should be mandatory in your case. If possible, also try IKEv2, as it behaves better through NAT.
 
wiseroute
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: IPSec Client Behind NAT

Wed Jul 19, 2023 4:08 am

@ primeyeti
i manage a Mikrotik that sits in front of a customer's firewall in which we dstNAT all traffic from the router to their firewall. The client side of the IPSec site to site is on the customer's firewall.
Did you do IP- or port-based dst-nat?

I think you need to know what firewall they have and try to read its manuals too.

And you need to know how your client builds their IPsec tunnels on both sides.

Maybe you don't have any problem on your side, but your client does.

And do you have multiple WAN links on your managed router?

Just a thought.
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Mar 01, 2023 1:46 pm

Re: IPSec Client Behind NAT

Wed Jul 19, 2023 11:27 am

Thanks both for the response!

It's IP based dstnat. I also haven't checked their IPSec config but (stupidly of me) I would assume they had NAT traversal enabled on the tunnel. I will double check this with them.

There is only a single WAN so shouldn't be an issue of it coming in one WAN and attempting to leave via another if that's what you were getting at anyway :D
 
wiseroute
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: IPSec Client Behind NAT

Wed Jul 19, 2023 12:56 pm

@ primeyeti,
I would assume they had NAT traversal enabled on the tunnel. I will double check this with them
No no no... NAT traversal is on your router side to configure.
There is only a single WAN so shouldn't be an issue of it coming in one WAN and attempting to leave via another if that's what you were getting at anyway :D
This is @anav's part... don't argue with him 😉
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Mar 01, 2023 1:46 pm

Re: IPSec Client Behind NAT

Wed Jul 19, 2023 10:59 pm

Oh really? Whereabouts would this be configured?

Just to make sure I've made the setup clear there's an external IPSec server that connects to the IPSec client which is behind my managed Mikrotik. So the Mikrotik shouldn't be interfering at all in an ideal scenario it should just pass it straight through.

IPSec site 1 > > > Managed Tik > > > IPSec 2

I didn't think any IPSec config was required on the Tik aside from allowing the relevant ports through the firewall which should be taken care of by the dstnat all rule.

Edit: Ok, I found where NAT traversal was enabled, however, I still wouldn't have thought this was necessary unless the Mikrotik was actually part of the tunnel rather than just an intermediary router? Correct me if I'm wrong.
 
Kentzo
Long time Member
Posts: 629
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IPSec Client Behind NAT  [SOLVED]

Wed Jul 19, 2023 11:16 pm

Is there something simple I'm missing? Also tried an 'acc-fwd IPsec policy in' rule but nothing. Just trying to rule out our setup.
I believe my setup is similar. My RouterOS does NAT (for IPv4) while the IPsec responder runs on another host.
  1. Make sure that you disabled all policies, identities etc under /ip/ipsec: you don't want RouterOS to intercept IPsec connection
  2. /ip/firewall/nat rule: add action=dst-nat chain=dstnat dst-port=500,4500 protocol=udp to-addresses=...
  3. /ip/firewall/filter rule: add action=accept chain=forward connection-nat-state=dstnat
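The three steps above as one RouterOS CLI session, written as an added example rather than Kentzo's own configuration; the public address 192.0.2.1, the inside firewall 10.0.0.2 and the rule comments are constructed placeholders.

```routeros
# Added example (not from the thread): IPsec pass-through on a RouterOS box that
# only does NAT, with the IPsec peer on the customer firewall behind it.
# 192.0.2.1 = router's public address, 10.0.0.2 = customer firewall (placeholders).

# 1. RouterOS must not terminate the tunnel itself. Anything listed here
#    (policies, identities, peers) makes the router intercept IKE instead of
#    forwarding it, so these should print empty or be disabled.
/ip/ipsec/policy print
/ip/ipsec/identity print
/ip/ipsec/peer print

# 2. Forward IKE (UDP/500) and NAT-T (UDP/4500) to the customer firewall.
#    With NAT traversal negotiated by both tunnel ends, ESP is carried inside
#    UDP/4500, so no separate rule for IP protocol 50 is needed on this router.
/ip/firewall/nat
add chain=dstnat action=dst-nat dst-address=192.0.2.1 protocol=udp \
    dst-port=500,4500 to-addresses=10.0.0.2 comment="IPsec pass-through"

# 3. Let the translated traffic through the forward chain. This rule has to sit
#    above any generic drop in chain=forward, so place it near the top.
/ip/firewall/filter
add chain=forward action=accept connection-nat-state=dstnat \
    comment="accept dst-natted" place-before=0

# If the inside peer initiates instead, the usual outbound srcnat/masquerade rule
# covers it: NAT-T detects the translation and both ends move to UDP/4500.

# Verification while the remote peer attempts to connect: the NAT rule counters
# should increase and the connection table should show UDP/500, then UDP/4500,
# translated towards 10.0.0.2. No hits here means the traffic is not arriving
# or is matched by an earlier rule, not an IPsec problem on this router.
/ip/firewall/nat print stats where comment="IPsec pass-through"
/ip/firewall/connection print where protocol=udp dst-address~"^10.0.0.2:(500|4500)"
```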
 
mbaute
newbie
Posts: 30
Joined: Fri May 22, 2015 3:54 pm

Re: IPSec Client Behind NAT

Thu Jul 20, 2023 2:07 am

NAT traversal is an option set in the phase 1 config, but by both ends of the tunnel. In your case you are just in the middle doing NAT magic. As Kentzo said, you don't need anything else other than the dstnat rule and allowing it in the forward chain.

Good luck.
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 65
Joined: Wed Mar 01, 2023 1:46 pm

Re: IPSec Client Behind NAT

Thu Jul 20, 2023 6:13 pm

Thanks guys, I kind of assumed what Kentzo was saying is the case, so in this situation I think it's the customer's problem more than mine. The last thing I can think of is that the "Default" policy is enabled, so I'll disable that and see what happens.

Thanks everyone for the input!