My ISP probably limits the bandwidth for IPsec ESP packets. But if I turn on forced UDP encapsulation, then the speed is not cut; checked on FreeBSD + StrongSwan. I want to make the MikroTik think that it is behind NAT. As far as I understand, it is necessary to move the outgoing traffic from port 500 to some other port by src-nat, and I need to block incoming traffic to port 500. Then encapsulation should be enabled automatically. But I cannot do it. I cannot apply src-nat to outbound traffic from port 500. Please help.
I played with it a little and it’s not too hard. It didn’t want to work reliably when I was just messing up the connection by changing or blocking ports, but it works when I do this on one side:
/ip ipsec peer
add address=<remote address> local-address=<local private address> ...
/ip ipsec policy
add action=encrypt dst-address=<remote address>/32 src-address=<local private address>/32 tunnel=no ...
/ip firewall nat
add action=src-nat chain=srcnat src-address=<local internal address> src-port=500,4500 to-addresses=<local WAN address>
/ip firewall filter
add action=reject chain=input connection-state=new dst-port=500 protocol=udp reject-with=icmp-port-unreachable
In other words, I put the local IPSec peer behind real NAT. The local private address can be the router’s LAN address, or you can add a dedicated /32 one somewhere. I don’t claim it’s 100%, but so far everything uses port 4500 and IPSec seems happy. But it screws up things for transport mode IPSec, because now the policy does not include and there would have to be another NAT rule to srcnat traffic from to as from , so that IPSec could catch it and encrypt. It wouldn’t be so bad with tunnel mode.
You can try asking MikroTik support if they would like to add an option to force NAT-T. They are making many IPSec improvements lately, it should be useful, and other vendors have it, so it looks like a good new feature for RouterOS too.
Thanks for the answer.
I made the configuration using the local address of the router (192.168.90.1 attached to ethernet3). As a result, encapsulation really turned on. I even sniffed a few packets and it really uses encapsulation. However, the throughput of the encrypted channel has significantly dropped, sometimes 10 times slower than it was.
/ip ipsec policy> print
2 A src-address=192.168.90.0/24 src-port=any dst-address=192.168.120.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.90.1
sa-dst-address=185.18.x.x ...
/ip ipsec peer> print
1 address=185.18.x.x/32 local-address=192.168.90.1
auth-method=pre-shared-key
secret="xxxxxx"
generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes
proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 ...
/ip firewall nat> print
0 chain=srcnat action=accept src-address=192.168.90.0/24 dst-address=192.168.120.0/24 log=no
1 chain=srcnat action=src-nat to-addresses=146.y.y.y protocol=udp src-address=192.168.90.1 src-port=500,4500 log=no
I have a few questions:
- I’m using tunnel mode, does it change anything?
- /ip ipsec policy
add action=encrypt dst-address=/32 src-address=/32 tunnel=no …
do I have to specify the remote external address (185.18.x.x) or local address of the remote network (192.168.120.1)?
- in the case of the additional NAT rule, I too have a little confusion now. Can you write the NAT rule with the addresses, please?
Thank you
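The post above says a few sniffed packets confirmed encapsulation. The following is an added example (not from the thread or from MikroTik) of how to check that systematically over a capture: it parses raw IPv4 packets and tells raw ESP (IP protocol 50, the traffic the original poster believes the ISP throttles) apart from UDP-encapsulated ESP on port 4500 and from IKE, using the RFC 3948 rule that IKE on udp/4500 carries a four-zero-byte "non-ESP marker" where ESP would carry a non-zero SPI. The packets below are constructed inline so the script runs offline; the addresses and SPI are made up.

```python
import struct
from collections import Counter

ESP_PROTO = 50
UDP_PROTO = 17
IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on udp/4500 is prefixed with 4 zero bytes


def _ip2b(addr):
    return bytes(int(x) for x in addr.split("."))


def build_ipv4(proto, payload, src="192.168.90.1", dst="185.18.0.1"):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload.
    Constructed sample data only; the addresses are placeholders."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip2b(src), _ip2b(dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    """UDP header with the checksum left zero (legal for UDP over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt):
    """Return one of: esp-raw, esp-udp-encap, ike, ike-natt, other, not-ipv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == ESP_PROTO:
        return "esp-raw"          # plain ESP, no UDP header: what NAT-T is meant to avoid here
    if proto != UDP_PROTO or len(body) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", body[:4])
    udp_payload = body[8:]
    if IKE_PORT in (sport, dport):
        return "ike"              # IKE still on udp/500 (the port the input filter rejects)
    if NATT_PORT in (sport, dport):
        if udp_payload[:4] == NON_ESP_MARKER:
            return "ike-natt"     # IKE that moved to udp/4500
        return "esp-udp-encap"    # ESP inside UDP: SPI occupies the first 4 bytes and is non-zero
    return "other"


def summarize(packets):
    """Count packet kinds; a healthy forced-NAT-T tunnel shows no esp-raw entries."""
    return dict(Counter(classify(p) for p in packets))


# Constructed sample traffic: SPI 0x0A0B0C0D, sequence 1, 32 bytes of dummy ciphertext.
_esp = struct.pack("!II", 0x0A0B0C0D, 1) + b"\x00" * 32
SAMPLE_PACKETS = [
    build_ipv4(ESP_PROTO, _esp),                                              # raw ESP
    build_ipv4(UDP_PROTO, build_udp(NATT_PORT, NATT_PORT, _esp)),             # ESP in UDP
    build_ipv4(UDP_PROTO, build_udp(NATT_PORT, NATT_PORT, _esp)),             # ESP in UDP
    build_ipv4(UDP_PROTO, build_udp(IKE_PORT, IKE_PORT, b"\x11" * 28)),       # IKE on 500
    build_ipv4(UDP_PROTO, build_udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + b"\x11" * 28)),
    build_ipv4(UDP_PROTO, build_udp(53000, 53, b"\x00" * 12)),                # unrelated UDP
]

if __name__ == "__main__":
    for kind, n in sorted(summarize(SAMPLE_PACKETS).items()):
        print(f"{kind:15s} {n}")
```

To use it on real traffic, feed `classify` the IPv4 layer of each frame from a capture (for example the bytes after the 14-byte Ethernet header of a pcap record); after the srcnat and input-reject rules from the earlier reply take effect, the `esp-raw` counter should stop growing and only `esp-udp-encap` and `ike-natt` should remain.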
As far as I know, NAT-T should encapsulate ESP packets in UDP, so it will limit maximum inside packet size a little. Maybe it’s a fragmentation problem then? Unfortunately, I’m not very good with those.
About the questions: tunnel mode is better here, because the policy stays the same, localnet ↔ remotenet. If you had it wrong, it wouldn’t work at all.
And you don’t need an additional NAT rule; it would be only for transport mode, because by default the router would choose the WAN address to communicate with the other router, but that would not match the policy.
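The reply above suspects fragmentation once NAT-T adds its UDP header. The following is an added example (my own, not from the thread) that works out the ESP tunnel-mode overhead for the proposal visible in the peer printout (aes-128 with sha1, assumed here to mean AES-128-CBC with a 16-byte IV and HMAC-SHA1-96 with a 12-byte ICV) and derives the largest inner packet, and the TCP MSS, that still fits a given path MTU with and without UDP encapsulation. The MTU value and the 20-byte outer IPv4 header are assumptions; nothing here comes from MikroTik's own code.

```python
def esp_overhead(inner_len, block=16, iv=16, icv=12, tunnel=True, natt=False):
    """Bytes ESP adds around an inner packet of inner_len bytes.

    Layout (RFC 4303): SPI(4) + seq(4) + IV + payload + padding + pad-len(1)
    + next-header(1) + ICV.  Padding makes payload + 2 trailer bytes a multiple
    of the cipher block size.  Tunnel mode adds a new outer IPv4 header (20),
    NAT-T (RFC 3948) adds a UDP header (8).  Algorithm sizes are assumptions
    matching AES-128-CBC / HMAC-SHA1-96.
    """
    pad = (-(inner_len + 2)) % block
    overhead = 8 + iv + pad + 2 + icv
    if tunnel:
        overhead += 20
    if natt:
        overhead += 8
    return overhead


def max_inner_packet(mtu=1500, **kw):
    """Largest inner IPv4 packet whose encrypted form still fits in mtu bytes,
    i.e. the inner size at which the outer packet stops needing fragmentation."""
    for inner in range(mtu, 0, -1):
        if inner + esp_overhead(inner, **kw) <= mtu:
            return inner
    return 0


def tcp_mss(mtu=1500, **kw):
    """TCP MSS to clamp to: inner packet minus 20 (IPv4) + 20 (TCP) header bytes."""
    return max_inner_packet(mtu, **kw) - 40


def compare(mtu=1500):
    """Side-by-side numbers for plain ESP versus UDP-encapsulated ESP, tunnel mode."""
    return {
        "esp": {"max_inner": max_inner_packet(mtu), "mss": tcp_mss(mtu)},
        "esp-natt": {"max_inner": max_inner_packet(mtu, natt=True),
                     "mss": tcp_mss(mtu, natt=True)},
    }


if __name__ == "__main__":
    for mode, v in compare(1500).items():
        print(f"{mode:9s} largest inner packet {v['max_inner']}  TCP MSS {v['mss']}")
```

Note that on a 1500-byte path the UDP header costs 16 bytes of inner packet, not 8, because the 8 extra bytes push the padded ESP body over a 16-byte cipher-block boundary; a 1500-byte inner packet (the usual LAN MTU) exceeds the limit in both modes, so either the interface MTU on the inside of the tunnel or the TCP MSS has to come down to the value `tcp_mss` reports, otherwise every full-size packet is fragmented on the way out.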
Many thanks.
Can the packet size be reduced only on the physical interface, or do I need to change it on a client PC?