I want to set up an IPsec config with peers communicating on ports other than 500.
Here our ISP filters UDP and TCP packets with destination port 500.
The only open ports are 53 for DNS and 80 for HTTP.
The only problem here is that, according to http://wiki.mikrotik.com/wiki/Manual:IP/IPsec, I must give the control traffic a way out of the IPsec tunnel:

IKE Traffic
"To avoid problems with IKE packets hitting some SPD rule and requiring encryption with a not yet established SA (that this packet perhaps is trying to establish), locally originated packets with UDP source port 500 are not processed by the SPD. The same way, packets with UDP destination port 500 that are to be delivered locally are not processed in the incoming policy check."
I tried different combinations of policies, but without success; the packets get rejected.
Any idea how to write the policies to solve the problem?
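One way to give the IKE control traffic an explicit exemption once it no longer uses port 500, as an added example (not from the original post or the MikroTik wiki): a bypass policy with action=none that matches the IKE UDP flow between the two WAN addresses, placed above the encrypt policy so it is matched first. The addresses (RFC 5737 documentation ranges), the port (53, one of the ports the post lists as open) and the subnets are assumed placeholders; the encrypt policy mirrors the usual site-to-site setup.

```routeros
# Added example, not from the original post or the MikroTik wiki.
# Assumed placeholders: 192.0.2.1 = local WAN, 198.51.100.1 = remote WAN,
# 53 = the non-standard IKE port both peers are configured to use.
# RouterOS matches policies top-down, so add the bypass entry first.

# 1. Bypass policy: IKE packets between the peers on the chosen port are
#    neither encrypted nor required to arrive encrypted. This replaces the
#    built-in exemption that only applies to UDP port 500.
/ip ipsec policy add \
    src-address=192.0.2.1/32 dst-address=198.51.100.1/32 \
    protocol=udp src-port=53 dst-port=53 \
    action=none comment="IKE bypass on non-standard port"

# 2. Encrypt policy for the actual site-to-site traffic (example subnets).
#    Because the bypass entry is above it, IKE is never caught here.
/ip ipsec policy add \
    src-address=10.10.0.0/24 dst-address=10.20.0.0/24 \
    tunnel=yes sa-src-address=192.0.2.1 sa-dst-address=198.51.100.1 \
    proposal=default action=encrypt comment="site-to-site"

# 3. Verify the order: the bypass policy must be listed before the encrypt one.
/ip ipsec policy print
```

The remote router needs the mirror image of both entries (addresses swapped), and the IKE packets on the chosen port must still match whatever firewall rules you have on the input chain.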