IPsec - client behind NAT

Hello!

Please help me to set up an IPsec connection between 2 MT devices, or between an MT (client) and Strongswan (server).
The server has a static public IP address.
The client has a public dynamic address, but all connections are NATed.
For example, the PPPoE connection on the client router gets IP address 100.64.37.102, but when it connects to the main router, the connection comes from 121.32.126.242.
PPTP and L2TP connections are not stable; they are being filtered and shaped (the client is located in China), and in some places they are even blocked. OpenVPN is completely filtered.
The only option is IPsec (IKEv2). I have a Strongswan server on an Ubuntu VM and it works well when I connect with the Windows, iOS or Android Strongswan app.

I don’t have any issues setting up IPsec between 2 MT devices with static public IPs, but with a dynamic NATed address I don’t even have a clue where to begin.

I tried to connect to the Strongswan server.

MT client config:

/ip ipsec peer
add address=xxx.xxx.xxx.13/32 exchange-mode=ike2 generate-policy=port-strict my-id=user-fqdn:aaa@bbb.ccc.org secret=yyyyyyyyyyyyy

Strongswan config:

~$ cat /usr/local/etc/swanctl/swanctl.conf
connections {
    ikev2-eap {
        local {
            auth = pubkey
            certs = bbb.ccc.org.crt
            id = bbb.ccc.org
        }
        remote {
            auth = eap-radius
            eap_id = %any
        }
        children {
            net {
                local_ts  = 0.0.0.0/0
                esp_proposals = aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024-ecp256,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024-ecp256,aes128-sha1-ecp256,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-ecp256,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1
                rekey_time = 30m
                dpd_action = restart
            }
        }
        mobike = yes
        fragmentation = yes
        encap = yes
        dpd_delay = 35s
        proposals = aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024-ecp256,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024-ecp256,3des-sha1-modp1024
        pools=vpnguests
        send_cert=always
    }
    ikev2-psk {
        local {
            auth = psk
            id = bbb.ccc.org
        }
        remote {
            auth = psk
        }
        children {
            net {
                local_ts  = 0.0.0.0/0
                esp_proposals = aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024-ecp256,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024-ecp256,aes128-sha1-ecp256,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-ecp256,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1
                rekey_time = 30m
                dpd_action = restart
            }
        }
        mobike = yes
        fragmentation = yes
        encap = yes
        dpd_delay = 35s
        proposals = aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024-ecp256,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024-ecp256,3des-sha1-modp1024
        pools=vpnguests
        version = 2
    }

}

secrets {
    ikev2-psk
    {
        id = aaa@bbb.ccc.org
        secret = yyyyyyyy
    }
}
pools {
    vpnguests
    {
        addrs=10.1.0.0/16
        dns=8.8.8.8
        dns=4.2.2.1
    }
}

Strongswan log output:

14[NET] <2057> received packet: from 121.32.126.242[23808] to xxx.xxx.xxx.13[4500] (304 bytes)
14[ENC] <2057> parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
14[IKE] <2057> 121.32.126.242 is initiating an IKE_SA
14[IKE] <2057> remote host is behind NAT
14[IKE] <2057> sending cert request for "CN=xxxxxxxxxxxx"
14[ENC] <2057> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
14[NET] <2057> sending packet: from xxx.xxx.xxx.13[4500] to 121.32.126.242[23808] (337 bytes)
13[NET] <2057> received packet: from 121.32.126.242[23808] to xxx.xxx.xxx.13[4500] (476 bytes)
13[ENC] <2057> parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
13[CFG] <2057> looking for peer configs matching xxx.xxx.xxx.13[%any]...121.32.126.242[aaa@bbb.ccc.org]
13[CFG] <ikev2-psk|2057> selected peer config 'ikev2-psk'
13[IKE] <ikev2-psk|2057> authentication of 'aaa@bbb.ccc.org' with pre-shared key successful
13[IKE] <ikev2-psk|2057> authentication of 'bbb.ccc.org' (myself) with pre-shared key
13[IKE] <ikev2-psk|2057> IKE_SA ikev2-psk[2057] established between xxx.xxx.xxx.13[bbb.ccc.org]...121.32.126.242[aaa@bbb.ccc.org]
13[IKE] <ikev2-psk|2057> scheduling rekeying in 13974s
13[IKE] <ikev2-psk|2057> maximum IKE_SA lifetime 15414s
13[IKE] <ikev2-psk|2057> expected a virtual IP request, sending FAILED_CP_REQUIRED
13[IKE] <ikev2-psk|2057> configuration payload negotiation failed, no CHILD_SA built
13[IKE] <ikev2-psk|2057> failed to establish CHILD_SA, keeping IKE_SA
13[CFG] <ikev2-psk|2057> sending RADIUS Accounting-Request to server '10.vvv.vvv.100'
13[CFG] <ikev2-psk|2057> received RADIUS Accounting-Response from server '10.vvv.vvv.100'
13[ENC] <ikev2-psk|2057> generating IKE_AUTH response 1 [ IDr AUTH N(FAIL_CP_REQ) ]
13[NET] <ikev2-psk|2057> sending packet: from xxx.xxx.xxx.13[4500] to 121.32.126.242[23808] (124 bytes)

MT client log output:

13:44:27 ipsec,info new ike2 SA (I): 100.64.37.102[4500]-xxx.xxx.xxx.13[4500] spi:8a16bb255166afb0:0d8b6e61de2bdf95 
13:44:27 ipsec,info peer authorized: 100.64.37.102[4500]-xxx.xxx.xxx.13[4500] spi:8a16bb255166afb0:0d8b6e61de2bdf95

The peer is authorized, so what to do next?

When I try to connect MT to MT:
MT client config:

/ip ipsec peer
add address=xxx.xxx.xxx.21/32 auth-method=rsa-signature certificate=cert_export_ccc_ccccc.crt_0 disabled=yes exchange-mode=ike2 generate-policy=port-strict

MT server config:

/ip pool add name=rw-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec policy
set 0 level=unique dst-address=192.168.77.0/24
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1 split-include=192.168.77.0/24
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=bbb.nnn.org exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 passive=yes

MT client log:

14:38:52 ipsec,info new ike2 SA (I): 100.64.37.102[4500]-xxx.xxx.xxx.21[4500] spi:f47e532c3955771d:6390fccaa26a41d6 
14:38:52 ipsec,info peer authorized: 100.64.37.102[4500]-xxx.xxx.xxx.21[4500] spi:f47e532c3955771d:6390fccaa26a41d6

MT server log:

14:38:51 ipsec,info new ike2 SA (R): xxx.xxx.xxx.21[4500]-121.32.126.242[23808] spi:6390fccaa26a41d6:f47e532c3955771d 
14:38:52 ipsec,info peer authorized: xxx.xxx.xxx.21[4500]-121.32.126.242[23808] spi:6390fccaa26a41d6:f47e532c3955771d

What should be my next step? How do I establish the tunnel? How can the client MT get an IP address? Please help.
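As an added illustration that is not part of the thread, here is a small Python parser that reduces the charon log above to one record per IKE_SA and reports why no CHILD_SA was built; the sample lines are copied from the post, and the `parse_charon`/`diagnose` names are mine. The check it performs is the one the log already implies: the responder says it "expected a virtual IP request" (the connection has `pools=` configured), while the parsed IKE_AUTH payload list contains no CP payload.

```python
from __future__ import annotations
import re

# Constructed sample in charon's log format, copied from the post above (xxx placeholders are the thread's own).
SAMPLE_LOG = """\
14[IKE] <2057> 121.32.126.242 is initiating an IKE_SA
14[IKE] <2057> remote host is behind NAT
13[ENC] <2057> parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
13[IKE] <ikev2-psk|2057> authentication of 'aaa@bbb.ccc.org' with pre-shared key successful
13[IKE] <ikev2-psk|2057> IKE_SA ikev2-psk[2057] established between xxx.xxx.xxx.13[bbb.ccc.org]...121.32.126.242[aaa@bbb.ccc.org]
13[IKE] <ikev2-psk|2057> expected a virtual IP request, sending FAILED_CP_REQUIRED
13[IKE] <ikev2-psk|2057> failed to establish CHILD_SA, keeping IKE_SA
"""

LINE_RE = re.compile(r"^\d+\[[A-Z]+\] <(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$")

def parse_charon(text: str) -> dict[str, dict]:
    """Collapse charon's per-line output into one state record per IKE_SA number."""
    sas: dict[str, dict] = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        st = sas.setdefault(m["sa"], {"conn": None, "nat": False, "auth": None, "ike_up": False,
                                      "child_up": False, "auth_payloads": [], "notify": None})
        st["conn"] = m["conn"] or st["conn"]
        msg = m["msg"]
        if msg == "remote host is behind NAT":
            st["nat"] = True                    # NAT-T detected: ESP will be UDP-encapsulated on 4500
        elif (a := re.search(r"authentication of '[^']*' with (.+) successful$", msg)):
            st["auth"] = a.group(1)
        elif (p := re.match(r"parsed IKE_AUTH request \d+ \[ (.*) \]$", msg)):
            st["auth_payloads"] = p.group(1).split()   # payloads the initiator actually sent
        elif " established between " in msg:
            st["ike_up"] = True
        elif re.match(r"CHILD_SA .* established with SPIs", msg):
            st["child_up"] = True
        elif (n := re.search(r", sending ([A-Z_]+)$", msg)):
            st["notify"] = n.group(1)           # error notify the responder returned in IKE_AUTH
    return sas

def diagnose(st: dict) -> str:
    if st["child_up"]:
        return "ok"
    if st["notify"] == "FAILED_CP_REQUIRED" and "CP" not in st["auth_payloads"]:
        return ("responder expects a virtual-IP (CP) request because a pool is configured, "
                "but the initiator's IKE_AUTH carried no CP payload")
    return f"IKE_SA {'up' if st['ike_up'] else 'down'} but no CHILD_SA (notify={st['notify']})"

if __name__ == "__main__":
    for sa, st in parse_charon(SAMPLE_LOG).items():
        print(sa, st["conn"], "NAT" if st["nat"] else "no-NAT", st["auth"], "->", diagnose(st))
```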

My favorite mode of IPsec operation is to use a tunnel interface (L2TP, IPIP, GRE) over IPsec transport, then use a routing protocol (BGP) to automatically route the endpoint subnets over the tunnel. This is far easier to manage than with an IPsec tunnel configured directly in the policy.
With L2TP/IPsec I use a custom peer definition that is less strict than the default because in my experience the default (port-strict) does not work over double NAT. So I use port-override in a peer definition and omit the IPsec config in the L2TP server:

/ip ipsec peer
add enc-algorithm=aes-128 generate-policy=port-override local-address=11.22.33.44 passive=yes secret=dfkhghajdfgkjasdgfu

Agree with that, but first you have to establish the IPsec connection; after that you can use any tunnel you want. I’m stuck at this step.

Doesn’t help. If you have a static public IP everything works fine. I have managed to establish an IPsec connection and an IPIP tunnel.
But in the case of Chinese NAT it simply does not work. The peer is authorized and an address is assigned, but policies are not generated and the client doesn’t acquire an IP address.

I can’t understand that, because if I connect to my StrongSwan VM (using the Android or Windows client software) from behind the same double NAT, everything works fine! So I hope there should be some workaround.