mehrzud
newbie
Topic Author
Posts: 47
Joined: Wed Aug 04, 2010 5:08 pm

IPSEC on ports other than 500

Sun Nov 20, 2011 9:21 am

Greetings,

I want to set up an IPSEC config with peers communicating on ports other than 500.
Here our ISP filters UDP and TCP packets with a destination port of 500.
The only open ports are 53 for DNS and 80 for HTTP.
The only problem here is that, according to http://wiki.mikrotik.com/wiki/Manual:IP/IPsec:
IKE Traffic
"To avoid problems with IKE packets hitting some SPD rule and requiring encryption with a not yet established SA (which that packet is perhaps trying to establish), locally originated packets with UDP source port 500 are not processed against the SPD. In the same way, packets with UDP destination port 500 that are to be delivered locally are not processed in the incoming policy check."
I must give the control traffic a way out of the IPSEC tunnel.
I tried different combinations of policies but was not successful at all; the packets get rejected.
Any idea how to write the policies to solve the problem?
 
mehrzud
newbie
Topic Author
Posts: 47
Joined: Wed Aug 04, 2010 5:08 pm

Re: IPSEC on ports other than 500

Tue Nov 22, 2011 1:15 pm

No idea?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: IPSEC on ports other than 500

Wed Nov 23, 2011 7:21 pm

You can try doing a dst-nat and src-nat on packets to change the port they're going to, and then change it back once they reach the router. I'm not sure whether that will break anything, however, and you will need to do the same thing on both ends.
/ip firewall nat
add action=src-nat chain=srcnat protocol=udp dst-port=500 to-ports=5000 out-interface=WAN
add action=dst-nat chain=dstnat protocol=udp dst-port=5000 to-ports=500 in-interface=WAN
Also, on a side note, IKE traffic is just the negotiation and control channel for the tunnel; the tunnel will use another connection for the actual data transfer. This is usually port 4500, as it is the standard, but it can be 10001 or any other port the particular vendor's flavor decided to use.
 
mehrzud
newbie
Topic Author
Posts: 47
Joined: Wed Aug 04, 2010 5:08 pm

Re: IPSEC on ports other than 500

Sun Dec 11, 2011 10:23 pm

The main idea here is to bypass IPSEC limitations in 'Enemies of the Internet' countries. For example, all IPSEC traffic in country I* has a limited download speed of ~256Kbps.
I successfully tried OVPN (UDP/TCP) on the DNS port and the result was amazing. If we can find a way to change the IKE port to any port other than 500, we may have a little hope of achieving huge success.
I am really curious what the use of 'port' in the following is!
 
Dubovik
just joined
Posts: 7
Joined: Sat Apr 07, 2018 3:43 pm

Re: IPSEC on ports other than 500

Mon Jul 23, 2018 4:07 pm

Has anybody found a solution?
I am trying the following:
- set "port" to 501 under IPSec -> Peers;
- use "redirect" from 501 to 500 dstnat rule to change inbound packet's destination port.

But I think an outbound packet's source port should be changed to 501 too. Is it possible?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC on ports other than 500

Mon Jul 23, 2018 5:03 pm

It depends on whether you want to listen/send only at/from 501 or whether you want to discriminate between different peers with identical address and exchange-mode settings.

If you only want to change the standard port, as you've anticipated, the theory says that a src-nat of local port 500 to 501, in parallel to the dst-nat rule, is also necessary at at least one of the peers. Unless you specify which peer is the initiator and which is the responder, you need to set up both rules at both peers. The responder needs a dst-nat and the initiator needs a src-nat.

The port in the peer settings is the one at which you expect the remote peer to listen. It is not possible to change the local port where the peer listens, but you may use dst-nat and src-nat rules to redirect it.
/ip firewall nat
add action=dst-nat chain=dstnat protocol=udp dst-port=501 to-ports=500 dst-address=your-wan-ip
add action=src-nat chain=srcnat protocol=udp src-port=500 to-ports=501 dst-address=peer-wan-ip
However, doing so will force the peer mode into a NAT-T one, so nat-t must be set to yes (except if exchange-mode=ike2), and it will cost you some bandwidth of the tunnel, as the ESP will be UDP-encapsulated.

And the actual transport will use port 4500. You could do a similar setup to replace 4500 by e.g. 4501, but there is an issue: the RFC says that the peer must be ready to receive connections at port 4500 at once, without initiating the connection at port 500 first. So it is possible that some remote peers would try that, and such peers wouldn't connect.
 
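The scheme in the post above, as an added example that is not part of the original thread and not RouterOS code: a small Python model of the initiator's src-nat and the responder's dst-nat with connection tracking, followed by the RFC 3947 NAT-D comparison that makes the rewritten ports look like a NAT to the responder and so pushes IKE onto the NAT-T path. The WAN addresses (documentation ranges), the ISAKMP cookies and the alternate port 501 are constructed for the example; only the UDP 4-tuple is modelled.

```python
"""Added example, not from the forum thread: a Python model of the
dst-nat/src-nat scheme described above, with connection tracking, plus the
IKEv1 NAT-D check (RFC 3947) that makes the translated exchange look like
NAT to the responder. Addresses and cookies are constructed values."""
import hashlib
import socket
from dataclasses import dataclass, replace

IKE_PORT = 500
ALT_PORT = 501                   # alternate port used in the post
INITIATOR_WAN = "203.0.113.10"   # constructed, documentation range
RESPONDER_WAN = "198.51.100.20"  # constructed, documentation range


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """One RouterOS box reduced to two optional NAT rules plus the conntrack
    state that translates replies back the other way:
      srcnat: src-port=500 to-ports=ALT_PORT dst-address=<peer>
      dstnat: dst-port=ALT_PORT to-ports=500 dst-address=<own WAN>"""

    def __init__(self, wan, peer, src_nat=False, dst_nat=False):
        self.wan, self.peer = wan, peer
        self.src_nat, self.dst_nat = src_nat, dst_nat
        self.ct_out = {}  # (remote_ip, remote_port, local_port) -> wire port
        self.ct_in = {}   # (remote_ip, remote_port, wire_port) -> local port

    def egress(self, p):
        """Locally originated packet leaving on WAN."""
        key = (p.dst, p.dport, p.sport)
        if key in self.ct_out:                    # reply on a dst-nat'd flow
            wire = self.ct_out[key]
        elif self.src_nat and p.sport == IKE_PORT and p.dst == self.peer:
            wire = ALT_PORT                       # srcnat rule matches
            self.ct_out[key] = wire
            self.ct_in[(p.dst, p.dport, wire)] = p.sport
        else:
            wire = p.sport
        return replace(p, sport=wire)

    def ingress(self, p):
        """Packet arriving on WAN for local delivery."""
        key = (p.src, p.sport, p.dport)
        if key in self.ct_in:                     # reply on a src-nat'd flow
            local = self.ct_in[key]
        elif self.dst_nat and p.dport == ALT_PORT and p.dst == self.wan:
            local = IKE_PORT                      # dstnat rule matches
            self.ct_in[key] = local
            self.ct_out[(p.src, p.sport, local)] = p.dport
        else:
            local = p.dport
        return replace(p, dport=local)


def natd_hash(cky_i, cky_r, ip, port):
    """NAT-D payload, RFC 3947: HASH(CKY-I | CKY-R | IP | Port); SHA-1 here."""
    data = cky_i + cky_r + socket.inet_aton(ip) + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def run_exchange(src_nat_on_a=True, dst_nat_on_b=True):
    """Carry one IKE request and reply through both routers. Returns the
    ports seen on the wire and by each daemon, and whether B's NAT-D
    comparison flags a NAT (which is what forces the NAT-T path)."""
    a = Router(INITIATOR_WAN, RESPONDER_WAN, src_nat=src_nat_on_a)
    b = Router(RESPONDER_WAN, INITIATOR_WAN, dst_nat=dst_nat_on_b)
    peer_port = ALT_PORT if dst_nat_on_b else IKE_PORT  # A's peer 'port=' setting

    req = Pkt(INITIATOR_WAN, IKE_PORT, RESPONDER_WAN, peer_port)  # from A's daemon
    req_wire = a.egress(req)
    req_at_b = b.ingress(req_wire)
    rep = Pkt(RESPONDER_WAN, req_at_b.dport, INITIATOR_WAN, req_at_b.sport)
    rep_wire = b.egress(rep)
    rep_at_a = a.ingress(rep_wire)

    # A hashes the addresses as it knows them; B hashes what it actually saw.
    cky_i, cky_r = bytes(range(8)), bytes(range(8, 16))  # constructed cookies
    claimed = {natd_hash(cky_i, cky_r, req.dst, req.dport),
               natd_hash(cky_i, cky_r, req.src, req.sport)}
    observed = {natd_hash(cky_i, cky_r, req_at_b.dst, req_at_b.dport),
                natd_hash(cky_i, cky_r, req_at_b.src, req_at_b.sport)}
    return {
        "wire": (req_wire.sport, req_wire.dport, rep_wire.sport, rep_wire.dport),
        "b_sees": (req_at_b.sport, req_at_b.dport),
        "a_sees": (rep_at_a.sport, rep_at_a.dport),
        "nat_detected": claimed != observed,
    }


if __name__ == "__main__":
    for args in ((False, False), (False, True), (True, True)):
        print(args, run_exchange(*args))
```

With both rules in place the wire carries 501 in both directions while each IKE daemon still sees its own local port 500. With only the responder's dst-nat, the reply is de-translated back to destination port 500 on the wire, which is exactly the port a filtering ISP drops; that is why the initiator's src-nat is needed as well. In both translated cases B's NAT-D hashes no longer match what A claimed, so the peers conclude a NAT is present and switch to UDP-encapsulated ESP on 4500.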
Dubovik
just joined
Posts: 7
Joined: Sat Apr 07, 2018 3:43 pm

Re: IPSEC on ports other than 500

Mon Jul 23, 2018 6:52 pm

Yes! Of course!

action=src-nat

It works. Thank you!
