I’m trying to set up an IPSEC connection on a routerboard that’s behind a NAT gateway. I know this is not the ideal setup but I have no choice. The internet provider is only providing me with a 1/1 NAT mapping of an external IP to an internal one.
The routerboard should initiate the IPSEC connection to a Cisco PIX that’s not under my control but is being managed by a 3rd party. I verified with them that NAT-T is activated and not firewalled on their side.
On the routerboard I activated NAT traversal on the IPSEC peer, but it’s not clear what I should fill in as SA src address on the IPSEC Policy. Should this be the internal address that’s assigned to the routerboard, or should I put the external address here that’s being mapped 1/1 by the provider (but is not assigned to any local interface)?
When I put the internal address as SA src address I can see the routerboard trying to set up the IPSEC connection, but Phase 1 fails saying that NAT-D payload #0 doesn’t match.
When I try the same setup using an internet connection where I have a public IP assigned to the routerboard, not using NAT, everything works fine.
I’m trying to do something similar, did you get a solution?
Also, I have added ipsec,debug,packet to /system logging, but am not getting any useful information (actually not getting any at all!). What am I missing there?
I’m using that setup, but the VPNHub is Mikrotik too, not Cisco, so I can’t help you with that side.
You should map both UDP 500 and IPSec-ESP (IP protocol 50) from the external IP to the internal one. If using 1-to-1 NAT, make sure that ESP is forwarded too, not just TCP/UDP.
In the Policy, use the Mikrotik internal IP address as the SA Src. Address and the external remote IP as SA Dst. Address. IPSec protocol must be ESP and “tunnel” must be checked. For the Peer configuration, I don’t have “NAT Traversal” checked. I read somewhere that “NAT Traversal” was used just to “force” the NAT router to autocreate IPSec NAT rules on the natting router (DSL, cable, etc.) without opening ports on them… maybe I’m wrong, but I just don’t need that thing to make it work.
Also, make sure that you are using exactly the same security protocols for the IPSec negotiation on both ends of the tunnel.
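A RouterOS configuration that follows the advice above, added here as an example and not any poster's own configuration. It assumes RouterOS v6 CLI syntax and uses placeholder addresses (192.168.0.2 for the routerboard's own address behind the provider's 1:1 NAT, 198.51.100.5 for the remote PIX, 192.168.1.0/24 and 10.20.0.0/24 for the two LANs) and a placeholder pre-shared key; the provider-mapped public IP is deliberately absent from the policy because it is not configured on any local interface.

```routeros
# Added example (not from the thread). RouterOS v6 CLI syntax assumed.
# Placeholders: 192.168.0.2   = address actually configured on the routerboard (behind 1:1 NAT)
#               198.51.100.5  = remote Cisco PIX public IP
#               192.168.1.0/24 = local LAN, 10.20.0.0/24 = LAN behind the PIX

# Phase 1 peer: the remote public IP. nat-traversal=yes lets IKE detect the NAT in front of us.
/ip ipsec peer add address=198.51.100.5/32 exchange-mode=main secret="REPLACE_WITH_PSK" \
    nat-traversal=yes enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1024 \
    send-initial-contact=yes

# Phase 2 proposal: must match the PIX transform set exactly (cipher, hash, PFS group).
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024

# Policy: sa-src-address is the routerboard's own (internal) address, not the provider's
# mapped public IP; ESP in tunnel mode, encryption required.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=10.20.0.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=192.168.0.2 sa-dst-address=198.51.100.5 proposal=default

# Input chain: accept IKE (500), NAT-T (4500) and ESP only from the known peer.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 \
    src-address=198.51.100.5 action=accept
/ip firewall filter add chain=input protocol=ipsec-esp src-address=198.51.100.5 action=accept

# Exempt LAN-to-remote-LAN traffic from src-nat so it matches the policy selectors
# (placed before the general masquerade rule).
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=10.20.0.0/24 \
    action=accept place-before=0

# Logging: a single 'ipsec' topic captures phase 1/2 negotiation. Listing several topics
# on one rule requires a message to carry all of them, which is why 'ipsec,debug,packet'
# can produce nothing at all.
/system logging add topics=ipsec action=memory
```

After applying this, /ip ipsec remote-peers print and /ip ipsec installed-sa print show whether phase 1 and phase 2 came up, and /log print where topics~"ipsec" shows the negotiation messages.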