void
Frequent Visitor
Topic Author
Posts: 61
Joined: Fri Nov 07, 2008 5:28 pm

IPSEC behind nat

Sat Nov 14, 2009 12:27 pm

Hello all,

I'm trying to setup an IPSEC connection on a routerboard that's behind a NAT gateway. I know this is not the ideal setup but I have no choice. The internet provider is only providing me with a 1/1 nat mapping of an external ip to an internal one.

The routerboard should initiate the IPSEC connection to a Cisco PIX that's not under my control but is being managed by a third party. I verified with them that NAT-T is activated and not firewalled on their side.

On the routerboard I activated NAT traversal on the IPSEC peer but it's not clear what I should fill in as SA src address on the IPSEC Policy. Should this be the internal address that's assigned to the routerboard or should I put here the external address that's being mapped 1/1 by the provider (but is not assigned to any local interface) ?

When I put the internal address as SA src address I can see the routerboard trying to setup the IPSEC connection but Phase 1 fails saying that NAT-D payload #0 doesn't match.

When I try the same setup using an internet connection where the routerboard has a public IP assigned directly (no NAT), everything works fine.

Any help is appreciated.

VOiD
 
void
Frequent Visitor
Topic Author
Posts: 61
Joined: Fri Nov 07, 2008 5:28 pm

Re: IPSEC behind nat

Mon Nov 16, 2009 4:30 pm

Nobody using a similar setup who can help me out ?
 
seekay
just joined
Posts: 16
Joined: Thu Dec 02, 2010 12:02 pm

Re: IPSEC behind nat

Tue Mar 20, 2012 5:32 pm

I'm trying to do something similar, did you get a solution?

Also, I have added ipsec,debug,packet to /system logging, but am not getting any useful information (actually not getting any at all!) what am I missing there?

Cheers!
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPSEC behind nat

Wed Mar 21, 2012 11:49 am

I'm using that setup, but the VPNHub is Mikrotik too, not Cisco, so I can't help you with that side.

You should map both UDP500 and IPSec-ESP (IP protocol 50) from the external IP to the internal one. If using 1to1 nat, make sure that ESP is forwarded too, not just TCP/UDP.
In the Policy, use the Mikrotik internal IP address as the SA Src. Address and the external remote IP as SA Dst. Address. IPSec protocol must be ESP and "tunnel" must be checked. For the Peer configuration, I don't have "NAT Traversal" checked. I read somewhere that "NAT Traversal" was used just to "force" the NAT router to autocreate IPSec nat rules on the natting router (DSL, Cable, etc) without opening ports on them... maybe I'm wrong, but I just don't need that thing to make it work :)

Also, make sure that you are using exactly the same security protocols for the IPSec negotiation on both ends of the tunnel.
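The setup described in the post above, written out as a RouterOS configuration. This is an added example, not configuration posted by anyone in the thread, and all addresses, subnets and the pre-shared key are made-up placeholders: 192.168.1.2 is the routerboard's internal (NATed) address, 198.51.100.2 the provider's 1:1 mapped external address, 203.0.113.10 the remote Cisco endpoint, 192.168.10.0/24 and 10.20.0.0/16 the two protected networks. The first block is what you would need on the NAT gateway if it were also RouterOS (the provider's box in the thread is not under your control, so it only shows what has to be forwarded); note that with NAT-T negotiated, IKE and ESP move to UDP 4500, so that port has to be forwarded as well if NAT traversal is enabled. The srcnat accept rule is the usual MikroTik gotcha: a masquerade rule would otherwise rewrite the source of the tunnelled traffic before the IPsec policy gets to match it.

```routeros
# --- On the NAT gateway (only if it is RouterOS; the provider's 1:1 NAT does the same job) ---
# Forward IKE (UDP 500), NAT-T (UDP 4500) and raw ESP (IP protocol 50) to the routerboard.
# Addresses are placeholders for this example.
/ip firewall nat
add chain=dstnat dst-address=198.51.100.2 protocol=udp dst-port=500 \
    action=dst-nat to-addresses=192.168.1.2 comment="IKE to routerboard"
add chain=dstnat dst-address=198.51.100.2 protocol=udp dst-port=4500 \
    action=dst-nat to-addresses=192.168.1.2 comment="NAT-T to routerboard (only if NAT-T is used)"
add chain=dstnat dst-address=198.51.100.2 protocol=ipsec-esp \
    action=dst-nat to-addresses=192.168.1.2 comment="ESP to routerboard"

# --- On the routerboard behind the NAT ---
# Phase 2 proposal: must match what the remote Cisco side offers exactly.
/ip ipsec proposal
set default auth-algorithms=sha1 enc-algorithms=aes-128 pfs-group=modp1024

# Phase 1 peer: remote public IP, PSK, and algorithms matching the Cisco side.
# NAT traversal is left off here, as in the post above; ESP is forwarded 1:1 instead.
/ip ipsec peer
add address=203.0.113.10/32 port=500 auth-method=pre-shared-key \
    secret="CHANGE-ME-placeholder-psk" exchange-mode=main \
    enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1024 \
    nat-traversal=no send-initial-contact=yes

# Policy: SA Src. Address is the routerboard's own internal IP (the external
# 1:1 address is not on any local interface), SA Dst. Address is the remote peer.
/ip ipsec policy
add src-address=192.168.10.0/24 dst-address=10.20.0.0/16 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=192.168.1.2 sa-dst-address=203.0.113.10 proposal=default

# Exclude tunnelled traffic from masquerading, otherwise the policy never matches.
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 dst-address=10.20.0.0/16 \
    action=accept place-before=0 comment="bypass NAT for IPsec traffic"

# Logging for troubleshooting (answers the earlier question in the thread):
# the "ipsec" topic, without the very noisy per-packet output.
/system logging
add topics=ipsec,!packet action=memory

# Checks: phase 1 peers and installed phase 2 SAs.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

After applying this, `/ip ipsec remote-peers print` should list 203.0.113.10 in an established state and `/ip ipsec installed-sa print` should show a pair of ESP SAs between 192.168.1.2 and 203.0.113.10; if phase 1 never completes, compare the peer and proposal settings line by line against the Cisco configuration, since a single mismatched algorithm or DH group is the most common cause.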
 
seekay
just joined
Posts: 16
Joined: Thu Dec 02, 2010 12:02 pm

Re: IPSEC behind nat

Wed Mar 21, 2012 3:01 pm

Many thanks, got this working, MKT > Cisco behind 1to1 NAT, nice :D
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPSEC behind nat

Wed Mar 21, 2012 3:30 pm

Glad to help! Thanks for Karma upgrade! :) :)
