IPSec "Gotcha" List

HOW I MISS OPEN VPN!!!

Now that I got that out of my system.

Is there a list of all the quirks about Mikrotik’s use of ipsec?

Things so far.
If you have to DMZ your router and don’t have a public IP at the Mikrotik, L2TP/IPsec VPN fails from external clients.

If you are VPNing to a router with a public IP address… from some cellular providers, L2TP/IPsec fails.

If you have 2 subnets on your router that you want to have policies for… and you are coming from a Firebox (I think that is what the other side’s IT guy said)…
You have to have the policies work on different WAN IPs on the Tik???
If you had, say, network 192.168.101.0/24 and 172.16.16.0/24 on your Tik and are connecting IPsec tunnels… I could get one or the other to pass.
Fortunately… I had a block of static IPs for the Tik. So I used 1 WAN IP for each policy. Problem solved.

/ip ipsec policy
add comment="Hardware Site2Site" dst-address=172.20.3.0/24 proposal=Watchbox \
    sa-dst-address=xxx.xxx.xxx.1 sa-src-address=xxx.xxx.xxx.97 src-address=\
    192.168.101.0/24 tunnel=yes
add comment="Main Network Site2Site" dst-address=172.20.3.0/24 proposal=\
    Watchbox sa-dst-address=xxx.xxx.xxx.1 sa-src-address=xxx.xxx.xxx.98 \
    src-address=172.20.4.0/24 tunnel=yes

Sounds like a NAT traversal issue. Remember a lot of cellular ISPs are using NAT technologies to provide IPv4 access. Most of the US mobile carriers have gone IPv6 and will push you through NAT-lite or NAT64. A quick way to test would be to use a hostname instead of an IP address on the client and make sure NAT-T is enabled on the IPsec peer entry on the MikroTik.

An alternative: deploy IPv6 to your MikroTik, either native from your upstream or from a tunnel broker like he.net. Run your IPsec over IPv6 and win the Internet while not using NAT. (Ignore the NAT66 nerds.)

  1. You have to forward ports to the server (exactly the same as for any other server).
  2. As mentioned already, most likely NAT-T is not enabled.
  3. You have to set level=unique.
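As an added example (not code from this thread or from MikroTik), a small Python audit that parses a RouterOS /ip ipsec policy export in the wrapped form shown in the first post and flags two of the gotchas discussed: several tunnel policies sharing one SA address pair (the case the original poster solved by giving each policy its own WAN IP) and tunnel policies without level=unique (the third tip in the last reply). The export text is constructed, with RFC 5737 documentation addresses standing in for the xxx placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in RouterOS export format: the two policies from the original
# post (WAN addresses swapped for RFC 5737 documentation addresses) plus a third
# policy that re-uses the SA address pair of the first one.
SAMPLE_EXPORT = r"""/ip ipsec policy
add comment="Hardware Site2Site" dst-address=172.20.3.0/24 proposal=Watchbox \
    sa-dst-address=203.0.113.1 sa-src-address=198.51.100.97 src-address=\
    192.168.101.0/24 tunnel=yes
add comment="Main Network Site2Site" dst-address=172.20.3.0/24 proposal=\
    Watchbox sa-dst-address=203.0.113.1 sa-src-address=198.51.100.98 \
    src-address=172.20.4.0/24 tunnel=yes level=unique
add comment="Second LAN on the same WAN IP" dst-address=172.20.3.0/24 \
    proposal=Watchbox sa-dst-address=203.0.113.1 sa-src-address=198.51.100.97 \
    src-address=172.16.16.0/24 tunnel=yes
"""

# key=value tokens; a value is either "quoted" or a run of non-space characters
_TOKEN = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def join_continuations(text):
    """Undo export wrapping: backslash-newline plus the next line's indent."""
    return re.sub(r"\\\n\s*", "", text)

def parse_policies(export_text):
    """Return one attribute dict per 'add ...' line under /ip ipsec policy."""
    policies, section = [], None
    for line in join_continuations(export_text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip ipsec policy" and line.startswith("add "):
            policies.append({k: v.strip('"') for k, v in _TOKEN.findall(line[4:])})
    return policies

def audit_policies(policies):
    """Return (check, comment) findings for the thread's two policy gotchas."""
    findings, by_sa_pair = [], defaultdict(list)
    for p in policies:
        if p.get("tunnel") != "yes":
            continue
        by_sa_pair[(p.get("sa-src-address"), p.get("sa-dst-address"))].append(p)
        # level defaults to require; the last reply's tip is level=unique
        if p.get("level", "require") != "unique":
            findings.append(("level-not-unique", p.get("comment", "")))
    for group in by_sa_pair.values():
        if len(group) > 1:  # several policies on one SA pair: only one passed traffic
            findings.extend(("shared-sa-pair", p.get("comment", "")) for p in group)
    return findings
```

Run it against `/export` output of your own policies; each "shared-sa-pair" finding names a policy that needs its own sa-src-address.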