stocky789
just joined
Topic Author
Posts: 8
Joined: Wed Sep 09, 2020 7:45 am

IPSEC Forwarding

Mon Jan 25, 2021 6:02 am

Hey All,

Reaching out for some help with a MikroTik that is the main internet-facing gateway and has another router behind it (which is a DrayTek) that is trying to accept and establish an IPSEC VPN tunnel to another remote DrayTek. I have a dstnat to dstnat rule in place to the DrayTek's WAN IP (which is obviously a local IP from the MikroTik network), which is working. The ports that were opened on the DrayTek are still open and still reach through to the DrayTek as intended.

But what else is required in order for IPSEC to establish a tunnel between these two DrayTeks when my MikroTik is feeding one of them internet? I have tried manually forwarding the IPSEC ports to the DrayTek's WAN IP with no luck (though I can see traffic on the firewall rule for 500).

What else should I be looking at?

Thanks guys!
 
erkexzcx
Member Candidate
Posts: 265
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPSEC Forwarding

Mon Jan 25, 2021 1:38 pm

What?
But what else is required in order for IPSEC to establish a tunnel between these two drayteks when my mikrotik is feeding one of them internet?
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: IPSEC Forwarding

Mon Jan 25, 2021 9:01 pm

Forward ports udp500 and 4500.
On DrayTeks, find a checkbox that enables NAT-traversal. This makes sure udp4500 is used instead of ESP.
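The forwarding described in this reply, written out as a RouterOS configuration. This is an added example, not configuration from the thread or from either poster; it assumes the MikroTik's WAN interface is ether1 and that the DrayTek's WAN address on the MikroTik LAN is 192.168.88.2 (both placeholders, change them to match your network).

```routeros
# Added example (not from the thread): dst-nat UDP 500 (IKE) and UDP 4500
# (IPsec NAT-T) from the MikroTik's WAN to the DrayTek sitting behind it.
# Assumed placeholders: WAN interface ether1, DrayTek WAN IP 192.168.88.2.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=500 \
    action=dst-nat to-addresses=192.168.88.2 to-ports=500 \
    comment="IKE -> DrayTek"
add chain=dstnat in-interface=ether1 protocol=udp dst-port=4500 \
    action=dst-nat to-addresses=192.168.88.2 to-ports=4500 \
    comment="IPsec NAT-T -> DrayTek"

# The default RouterOS firewall already accepts forwarded traffic that was
# dst-natted (its "drop all from WAN not DSTNATed" rule). If you run a custom
# forward chain, allow only the dst-natted IKE/NAT-T connections explicitly:
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface=ether1 protocol=udp dst-port=500,4500 \
    comment="allow forwarded IKE/NAT-T" place-before=0

# ESP (IP protocol 50) carries no port numbers, so a port forward cannot
# steer it to the DrayTek; that is why NAT-T must be enabled on both DrayTeks
# so the tunnel payload travels inside UDP 4500 instead. Only one IPsec
# endpoint behind this public address can be reached this way.

# Checks: hit counters on the two dst-nat rules, then the live connection
# entries that were translated to the DrayTek.
/ip firewall nat print stats where chain=dstnat
/ip firewall connection print where protocol=udp dst-address~"192.168.88.2:"
```

The dstnat chain runs in prerouting, before any packet is handed to the MikroTik's own IPsec service, so a matching dst-nat rule means the router passes the packet through rather than trying to terminate the tunnel itself. A counter increasing on the UDP 500 rule only shows that IKE arrives; the tunnel payload uses UDP 4500 once NAT-T is negotiated, so check that rule's counter and the connection table as well.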
 
stocky789
just joined
Topic Author
Posts: 8
Joined: Wed Sep 09, 2020 7:45 am

Re: IPSEC Forwarding

Wed Jan 27, 2021 11:29 pm

What?
But what else is required in order for IPSEC to establish a tunnel between these two drayteks when my mikrotik is feeding one of them internet?
Two DrayTeks are establishing a VPN, yes? So one of them is behind my MikroTik and the other isn't, yes? So the one behind my MikroTik is configured to allow dial-in IPSEC connections and they are not working. Well, it turns out the MikroTik was configured correctly, but there was an issue with the DrayTek's VPN setting when it was on Aggressive mode rather than Main mode. It's working for in and out sessions now. I just thought maybe the MikroTik was ignoring the DMZ/port forwarding for IPSEC traffic and trying to handle it on its own.
 
stocky789
just joined
Topic Author
Posts: 8
Joined: Wed Sep 09, 2020 7:45 am

Re: IPSEC Forwarding

Wed Jan 27, 2021 11:30 pm

Forward ports udp500 and 4500.
On DrayTeks, find a checkbox that enables NAT-traversal. This makes sure udp4500 is used instead of ESP.
I had already done this and it wasn't working, but it actually turns out it was the DrayTek. The VPN type was set on Aggressive mode rather than Main mode and it didn't like being behind a NAT on Aggressive mode, so the IT guy switched it to Main mode and it's now working!