IPSEC and one side behind NAT

Hello!
I have a problem with the configuration of IPsec: the client side is behind NAT (and I don’t have control over it), the server side is RouterOS CHR installed on a VPS with a public IP.
The connection is established (the remote peer appears), but the Installed SAs tab is empty.
Is connectivity possible in this scenario?

Server:

/ip ipsec mode-config
add address-pool=pool_IPSEC address-prefix-length=16 name=configIPSEC
/ip ipsec policy group
add name=cliPSEC
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1h pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=aes-128 exchange-mode=aggressive generate-policy=port-strict local-address=0.0.0.0 mode-config=configIPSEC \
    passive=yes policy-template-group=cliPSEC secret=123
/ip ipsec policy
add dst-address=0.0.0.0/0 group=cliPSEC src-address=0.0.0.0/0 template=yes

Client:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1h pfs-group=none
/ip ipsec peer
add address=<MyVPS address> disabled=yes enc-algorithm=aes-128 exchange-mode=aggressive generate-policy=port-strict mode-config=\
    request-only secret=123

First you need to enable nat-t.

Then SAs will be generated only when IPsec sees traffic that matches the addresses in the IPsec policies.
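As an added illustration of the two points in this reply (it is not the poster's or MikroTik's own configuration), here is a RouterOS v6 peer definition with NAT-T enabled on both ends, the firewall rules the traffic needs, and the commands that show whether phase 1 and phase 2 have actually come up. `<VPS public IP>`, `<PSK>` and the addresses in the checks are placeholders; everything else follows the syntax already posted above.

```routeros
# --- Server (CHR with public IP), same RouterOS v6 syntax as the thread ---
# nat-traversal=yes lets the responder negotiate UDP/4500 encapsulation
# with a peer whose packets arrive with a translated source address.
/ip ipsec peer
add address=0.0.0.0/0 passive=yes nat-traversal=yes \
    exchange-mode=aggressive enc-algorithm=aes-128 \
    generate-policy=port-strict policy-template-group=cliPSEC \
    mode-config=configIPSEC secret="<PSK>"

# IKE (500), NAT-T (4500) and ESP must be accepted in the input chain
# before any generic drop rule; ESP is only seen when there is no NAT.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE + NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP (no NAT case)"

# --- Client (behind a NAT you do not control) ---
/ip ipsec peer
add address=<VPS public IP> nat-traversal=yes exchange-mode=aggressive \
    enc-algorithm=aes-128 generate-policy=port-strict \
    mode-config=request-only secret="<PSK>" disabled=no

# --- Checks ---
# Phase 1: the VPS should be listed with state "established".
/ip ipsec remote-peers print
# Phase 2 is negotiated only once traffic matches a policy; the ph2-state
# column stays "no-phase2" until then.
/ip ipsec policy print
# Generate traffic that matches the dynamic policy (placeholder host on
# the server-side network), then the SAs appear here.
/ping <host in server-side policy range>
/ip ipsec installed-sa print
```

If `remote-peers` shows the peer but `installed-sa` stays empty after the ping, check that the pinged address really falls inside the dynamic policy's dst-address; a policy that matches nothing never triggers a phase 2 negotiation.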

Let’s try something simpler. I’ve created an L2TP tunnel and have connectivity on both sides.
When I set ‘use IPsec’ on the server and set the password, then click the same on the client (Dial Out tab), there is no communication.
Allowed ports on the firewall: 1701/udp, 500/udp, 4500/udp, and ipsec-esp (input chain).

Could you please help me with it?

… another day, another progress :)

An L2TP tunnel and a configured IPsec peer on the VPS (auth method: pre-shared key, exchange mode: main l2tp) with dynamic policy generation allowed me to connect the built-in Windows 7 client. Success!

But there was another problem: the RB951Ui was not connecting to the L2TP tunnel with IPsec.
The problem was that I tried to configure the IPsec peer (IP → IPsec) on the client device.
I’ve discovered that the pre-shared key mentioned above should be placed in PPP → L2TP client interface on the Dial Out tab. Another success: it works!

Tell me please (anybody) :) how to combine RSA signatures with that L2TP client?
And how to handle multiple road warriors with dynamic (mostly not even public!) IP addresses, given the ROS limitation of only one 0.0.0.0/0 peer?
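For reference, here is an added RouterOS v6 CLI equivalent of the setup this thread arrives at: the L2TP/IPsec server on the VPS and the RB951Ui as an L2TP client with the pre-shared key set on the L2TP client interface itself rather than under IP → IPsec. It is not the poster's exported configuration; `<VPS public IP>`, `<PSK>`, the user name `rb951`, the `<user password>` and the 10.10.10.0/24 pool are placeholders.

```routeros
# --- VPS (L2TP/IPsec server) ---
/ip pool
add name=pool_l2tp ranges=10.10.10.2-10.10.10.50
/ppp profile
add name=l2tp_profile local-address=10.10.10.1 remote-address=pool_l2tp
/ppp secret
add name=rb951 password="<user password>" service=l2tp profile=l2tp_profile
# use-ipsec=required refuses plain L2TP; the PSK set here is what both the
# Windows built-in client and the RB951Ui must present. The IPsec peer and
# policy for each client are generated dynamically, so nothing is added
# under /ip ipsec peer for them.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="<PSK>" default-profile=l2tp_profile
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500,1701 action=accept comment="IKE, NAT-T, L2TP"
add chain=input protocol=ipsec-esp action=accept comment="ESP"

# --- RB951Ui (client behind NAT); no entry under /ip ipsec peer is needed ---
/interface l2tp-client
add name=l2tp-to-vps connect-to=<VPS public IP> user=rb951 password="<user password>" \
    use-ipsec=yes ipsec-secret="<PSK>" disabled=no

# --- Checks ---
# On the client: status should read "connected".
/interface l2tp-client monitor l2tp-to-vps
# On either side: the ESP SAs protecting the UDP/1701 traffic.
/ip ipsec installed-sa print
```

Because the server side generates the peer and policy per connection, every road warrior uses the same PSK and the same dynamic template, which is what makes the single 0.0.0.0/0 limitation workable for L2TP/IPsec clients with changing addresses.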