computer(natted IP) <----> Mikrotik <---Internet----> Sonicwall <-----> computer(natted IP)


Hi guys,

I am trying to setup ipsec between my home and office. my home network is natted behind the Mikrotik (mikrotik is doing the nat). My office is natted behind a sonicwall (sonicwall is doing the nat). I don't think this scenario requires NAT-T as there is not NAT between the Mikrotik and the Sonicwall.

however, when attempting phase 2 negotiations the Sonicwall logs an error saying "Peer IPSec Security Gateway doesn’t support VPN NAT Traversal." I understand that routeros 2.9 does not support nat-t, but the sonicwall only gives the error above if it detects a NAT between peers. There is no NAT between peers, both are connected straight to ISP with real internet addresses.

any suggestions on what configuration I should look for on my Mikrotik to resolve this? I'm running RouterOS 2.9 on a PC.





here is some troubleshooting help (my configs):
remote peer: 4.4.4.4 (not really the ip address, but it is a public ip)
remote subnet (natted): 192.168.1.0/24

my public ip (local peer): 5.5.5.5 (interface 3 on mikrotik)
my local subnet (natted): 10.1.1.0/24 (interface 2 on mikrotik is 10.1.1.1)


[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat src-address=10.1.1.0/24 dst-address=192.168.1.0/24 action=accept

1 chain=srcnat out-interface=ether3 action=masquerade





[admin@MikroTik] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - invalid
0 src-address=10.1.1.0/24:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=5.5.5.5 sa-dst-address=4.4.4.4
proposal=default manual-sa=none dont-fragment=clear



[admin@MikroTik] ip ipsec peer> print
Flags: X - disabled
0 address=4.4.4.4/32:500 secret="removedforpost" generate-policy=yes exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024
lifetime=1d lifebytes=0



[admin@MikroTik] ip ipsec proposal> print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=1d lifebytes=0 pfs-group=modp1024



please help, thanks.

I guess you have it solved but for further reference - maybe somebody will need it

I had the same problem but then solved it just like that...
This is example for one peer only (now I have 6 peers all the same way).

Mikrotik has 172.16.5.0/24 as LAN with source-nat to the world over a public IP of 194.x.x.x.
I use SHA1 and 3DES with lifetime of 8h as you see...
This way I get all the policies generated automatically and if I group networks on Sonicwall to let's say 'Firewalled Networks' which contain all private and DMZ areas behind the Sonicwall and bring this VPN up I get:
Note that I have access to DMZ also via VPN - there is a very limited access from WAN to DMZ (like no SSH) but I want to have ssh here so I export DMZ from Sonicwall to work over VPN (rule 1).

Now the key part - NAT-T (nat-traversal) which is not supported by RouterOS 2.9 as I've found on the forum. The solution is very simple... see yourself:
This gave me full access to LAN's behind any Sonicwall's I have without NAT. All other connections go via NAT as I wanted...

Now I'll try to do some bridging with filtering and NAT at the same time... keeping several bridges here as well for another 4 private IP networks... All has to have separate filtering on the bridge, on the traffic allowed over VPN tunnels and over NAT. Simply not all the traffic is allowed even inside our own networks and has to be filtered on multiple layers. Real headache to implement even with MT which is very straightforward.

Hope this helps, good luck!
Tom

I have not solved it, but thank you very much for the reply tmiklas!

I am going to check all my settings again and I will post back my findings...

I still have no luck....

the only differences I see with my configuration and yours are:

1.) I am using AES-128
2.) The policies that are dynamically created are getting a /32 bit mask for src and dst subnets....which seems wrong to me. Check it out:

[admin@MikroTik] /ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=10.0.0.0/32:any dst-address=10.3.3.0/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=76.x.x.x sa-dst-address=66.x.x.x proposal=default priority=0

1 D src-address=10.0.0.0/32:any dst-address=10.3.3.0/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=76.x.x.x sa-dst-address=66.x.x.x proposal=default priority=0


I am using v3.0 beta6. There is beta7 out, but I don't see anything about ipsec in the changelog...

hmmmm i also just noticed the policy with 10.3.3.0 as src-address and dst-address 10.0.0.0 is not be dynamically created.... I wonder why?

guys.. can we have something with one side using a dynamic IP ( the client side ) which will dial into the Sonicwall VPN.

i am just not able to get it........