Hi,
I’ve seen several questions about this situation of Mikrotik routers behind NAT devices not being able to connect, but there does not seem to be a correct or accepted answer.

MikT_A–Modem<------------------>Modem(Port forward 4500, 500)–MikT_B

I can only access the Modem on side B and I’ve forwarded UDP 4500 and 500 to the Routerboard. I also set the Routerboard at site A as passive and the one at site A as "send initial contact".
Phase 1 connects but phase 2 stays down with the error "no Phase 2".
The first question is whether this setup is possible at all. I would have loved to port forward IPsec to the Mikrotik at site A, but I only have control at site B.
Such a setup is indeed possible. Post exports of both Mikrotik devices to get to the root cause of that “no Phase 2”. When obfuscating public IP addresses, take care so that all occurrences of the same public subnet are aliased the same, i.e. that the obfuscation does not break the relationship between the individual configuration elements. Don’t forget to obfuscate usernames to remote services, if you happen to use any.
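As an added illustration of the obfuscation advice above (this is not code from the thread or from MikroTik): a small Python helper that rewrites a RouterOS export so every public /24 is aliased to one consistent RFC 5737 documentation prefix while the host octet is kept, so peer address, my-id and dst-nat target still visibly belong together; private ranges stay untouched, and `secret=`/`user=`/`password=` values get numbered placeholders. The sample export is constructed for the example and uses 198.18.x.x as stand-in "public" addresses.

```python
import ipaddress
import re

# Ranges that cannot identify the poster; they are left as they are.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/3")]
# RFC 5737 documentation prefixes used as aliases, one per public /24.
ALIAS_POOL = ["203.0.113", "198.51.100", "192.0.2"]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CREDENTIAL = re.compile(r"\b(secret|password|user|username)=(\S+)")

# Constructed sample export fragment (not from the thread); the first
# and third public addresses share a /24 and must stay related.
SAMPLE_EXPORT = """\
/ip ipsec peer
add address=198.18.5.10/32 name=peerB passive=yes
/ip ipsec identity
add peer=peerB secret=hunter2 my-id=address:198.18.9.1
/ip firewall nat
add chain=dstnat dst-address=198.18.5.20 protocol=udp dst-port=500,4500 action=dst-nat to-addresses=192.168.88.1
"""

def is_public(addr):
    return not any(addr in net for net in NON_PUBLIC)

def obfuscate_export(text):
    """Return (obfuscated text, {public /24 prefix: alias prefix})."""
    prefix_map = {}
    def alias(m):
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:          # e.g. an octet above 255: not an IP
            return m.group(1)
        if not is_public(addr):
            return m.group(1)
        octets = m.group(1).split(".")
        net = ".".join(octets[:3])  # the /24 the address belongs to
        if net not in prefix_map:   # same subnet -> same alias, always
            n = len(prefix_map)
            prefix_map[net] = ALIAS_POOL[n] if n < len(ALIAS_POOL) else f"PUB{n}"
        return f"{prefix_map[net]}.{octets[3]}"
    text = IPV4.sub(alias, text)
    seen = {}
    def scrub(m):                   # identical values get identical placeholders
        key, value = m.group(1), m.group(2)
        seen.setdefault(value, f"{key.upper()}{len(seen) + 1}")
        return f"{key}={seen[value]}"
    return CREDENTIAL.sub(scrub, text), prefix_map
```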