Change default NAT-T port for IPsec tunnel?

Default port for remote IPsec peer (500) can be changed. Is it possible to change the destination port for NAT traversal?

The situation: there is a Lancom router between two RBs that already uses ports 500 and 4500 for its own clients (it's a customer device, so I cannot change that behavior):

RB1 <--lan--> Lancom <--internet--> RB2

And I need to establish an IPsec tunnel between those RouterBOARDs, which can be configured. There are already two forwarded ports on the Lancom to RB1, but those differ from 500 and 4500. Is there any way to solve this? (Except for putting another RB in between and routing the traffic.) I have no idea if it is possible, or how, to change ports in outgoing traffic originating at the router itself.

Also it seems that RouterOS is unable to forward UDP 500 traffic using firewall-NAT-dstnat to another IP address. The following rule

add action=dst-nat chain=dstnat comment="test" dst-port=500 protocol=udp to-addresses=192.168.1.63

just does not do anything, and all UDP 500 traffic ends up in the input chain (and gets logged by the input firewall chain). This is despite the packet flow diagram at https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6, where the packets should be processed by dstnat before reaching input. But that is simply not happening.

Or am I missing something?