We have a payment company that has a somewhat unique set up in that they install a router behind ours that establishes a VPN connection with their server. It's an IPSEC VPN (I'm assuming using L2TP). So the set up is like this:

their server <--> internet <--> my router <--> their router

I used to have a super cheap tp-link router that when VPN passthrough was enabled on it, this set up worked perfectly without issue. Recently however, the router has been having issues so I've switched it to an RB751U-2HnD, however the VPN doesn't seem to work no matter what I forward to theirs.

I've tried forwarding the following: udp 500, udp 1701, udp 4500, ipsec-esp, ipsec-ah
as well as making firewall accept rules for them

Nothing I do seems to work though. I switched back to the tp-link router and it works perfectly again.

What am I missing that I need to forward on the microtik to get this to work?

Hi,

if src-nat is active between 'my router' and 'internet' then 'their router' must not dst-nat any vpn related protocol to 'their router'. Because of the NAT 'their router' will fall back to NAT-Traversal (ESP over 4500/udp). This also means 'their router' only can do outcalls.

"Their router" is definitely calling out. Their server is the VPN "host".

I've also tried setting up "my router" without using dst and src natting because I assumed it would switch to nat-t and just work, and I've tried setting it up with one of the two and both which is where my confusion is.

I can post configs if it will help.