Community discussions

oreggin
Member Candidate
Topic Author
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

IPSec ESP over UDP without NAT

Wed Jan 20, 2021 2:11 pm

Hi,
Is there a way to make ESP encapsulation work over UDP and not using ip protocol 50 (ESP)?
My setup is a publicly addressed hub and spokes with NAT traversal enabled, and I would like the MTik routers to send ESP packets over UDP and not as raw ESP packets, because the transport network has a FW between them and ESP can't pass through it.
Does it work only behind NAT, or can I somehow set it in RouterOS?
Thanks!
oreggin
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: IPSec ESP over UDP without NAT

Wed Jan 20, 2021 9:39 pm

Could be as simple as checking "NAT Traversal" on your IPSEC profile.
 
oreggin
Member Candidate
Topic Author
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: IPSec ESP over UDP without NAT

Wed Jan 20, 2021 10:25 pm

/ip ipsec profile
set [ find default=yes ] dh-group=ecp521 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=default \
    nat-traversal=yes proposal-check=obey
Triple checked, same on both sides.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSec ESP over UDP without NAT

Thu Jan 21, 2021 3:20 am

Try to set local-address for peer to some local but not public address. That should trigger NAT detection. I'm not completely sure, I know that I tested it in the past, but can't remember how it went.
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: IPSec ESP over UDP without NAT

Sat Jan 23, 2021 12:44 pm

If you can't force encapsulation, adding nat to the picture makes sense as a workaround.
Make sure to add dst-NAT rules, so the connection can also be initiated from the remote side. And you probably already have masquerade.
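Both Sob's suggestion (advertise a non-public local-address) and 16again's workaround (put a real NAT in the path) work for the same reason, so here is one added example that models it; it is not code from the thread and not RouterOS code. IKEv2 NAT detection (RFC 7296 section 2.23) has each peer send a SHA-1 hash over SPIi | SPIr | IP | port of the address it believes it is sending from; the receiver hashes the address and port the packet actually arrived from, and a mismatch switches the SA to UDP-encapsulated ESP on port 4500 (RFC 3948). With two public peers and no rewriting, the hashes agree, raw ESP (IP protocol 50) is chosen, and a firewall that drops protocol 50 kills the tunnel even with nat-traversal=yes on both sides. The SPIs and addresses below are constructed (documentation ranges), and the model assumes the spoke computes its hash over its configured local-address while the hub sees the public source address on the wire. The thread's profile does not say which IKE version is in use; IKEv1 does the equivalent with RFC 3947 and ISAKMP cookies, which this example does not model.

```python
"""Model of IKEv2 NAT detection (RFC 7296 section 2.23) and the resulting
ESP encapsulation choice.  Constructed example, not RouterOS code."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500       # IKE before NAT is detected
NAT_T_PORT = 4500    # IKE plus UDP-encapsulated ESP (RFC 3948) after NAT is detected


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP address | port, the value carried in the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify payloads."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 octets each")
    packed_ip = ipaddress.ip_address(ip).packed      # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def nat_detected(spi_i: bytes, spi_r: bytes,
                 advertised_ip: str, advertised_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """Receiver-side check: the peer advertises a hash of the address/port it
    thinks it sent from; the receiver hashes the address/port the packet really
    came from.  Any rewrite in between (NAT, or a deliberately 'wrong'
    local-address) makes the two digests differ."""
    advertised = nat_detection_hash(spi_i, spi_r, advertised_ip, advertised_port)
    observed = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return advertised != observed


def choose_encapsulation(spi_i: bytes, spi_r: bytes,
                         spoke_advertised_ip: str, spoke_ip_seen_by_hub: str,
                         spoke_port_seen_by_hub: int = IKE_PORT,
                         nat_traversal_enabled: bool = True) -> str:
    """What the child SA ends up using: raw ESP (IP protocol 50) or ESP in UDP/4500.
    NAT-T must be enabled on the profile AND a mismatch must be observed."""
    if not nat_traversal_enabled:
        return "esp-ip-proto-50"
    if nat_detected(spi_i, spi_r, spoke_advertised_ip, IKE_PORT,
                    spoke_ip_seen_by_hub, spoke_port_seen_by_hub):
        return "udp-encapsulated-esp-4500"
    return "esp-ip-proto-50"


# Constructed sample data: fixed SPIs and documentation address ranges.
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("8899aabbccddeeff")
HUB_PUBLIC = "203.0.113.1"
SPOKE_PUBLIC = "198.51.100.2"
SPOKE_PRIVATE = "10.0.0.2"


def scenarios() -> dict:
    """The three situations discussed in the thread, as seen from the hub."""
    return {
        # Starting point: both ends public, nat-traversal=yes, nothing rewritten.
        # Hashes agree, raw ESP is chosen, a firewall dropping proto 50 breaks it.
        "public_to_public": choose_encapsulation(
            SPI_I, SPI_R, SPOKE_PUBLIC, SPOKE_PUBLIC),
        # 16again's workaround: a real NAT rewrites the spoke's address and port.
        "spoke_behind_nat": choose_encapsulation(
            SPI_I, SPI_R, SPOKE_PRIVATE, SPOKE_PUBLIC, spoke_port_seen_by_hub=61234),
        # Sob's suggestion: advertise a non-public local-address with no NAT;
        # the hub still sees the public source address, so the hashes differ.
        "private_local_address_no_nat": choose_encapsulation(
            SPI_I, SPI_R, SPOKE_PRIVATE, SPOKE_PUBLIC),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32s} -> {result}")
```

Operationally this means the firewall in the transport path must permit UDP/500 and UDP/4500 in both directions for the UDP path to help, and the dst-NAT rules 16again mentions exist so that the hub can still initiate towards a spoke whose hub-facing address is rewritten. Note also that these notify payloads travel in IKE_SA_INIT, before the exchange is authenticated, which is why the protocol treats a mismatch as "something rewrote the packet" rather than as an error.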
 
oreggin
Member Candidate
Topic Author
Posts: 201
Joined: Fri Oct 16, 2009 9:21 pm

Re: IPSec ESP over UDP without NAT

Mon Feb 08, 2021 12:54 pm

Thanks, this is a common problem in ISP networks: if there is a non-ESP-capable FW in the path, then IPSec is dead. I suggested to customers to use IPSec peers behind NAT and now it works fine. It would be nice to have an RFC standard for IPSec so we could configure it to use UDP on public networks too.