IPSEC: Mikrotik+Linux Openswan over NAT-T

Hi All!

For the last week or so I've been trying different Linux IPsec packages and various ways of getting it running. I have managed to get an IPsec link to do the IKE negotiation and make the log files say that everything is OK. However, I can't send traffic from the MikroTik network to the Linux network. Traffic does arrive at the host but never comes back. If I look at the installed SA on the MikroTik, the incoming one isn't matching any bytes. I think the problem is that the SA src on the MikroTik is a private IP address (the VPN runs between two different countries).

My setup is that my ISP gives me a private IP for the external interface and does 1:1 NAT on it. Traffic does flow, but I think when the Linux server tries to send back to the MikroTik it sends to the private IP and the reply never gets back. If I specify my ISP's NAT'd internet IP address in the SA src on the MikroTik, the IKE packets never reach the Linux server.

I really hope someone can help me :)

Here is my config for both sides.

MikroTik:
/ip ipsec proposal
add auth-algorithms=md5,sha1 disabled=no
enc-algorithms=des,3des,aes-128,aes-192,aes-256 lifetime=30m name="default"
pfs-group=none
/ip ipsec peer
add address=LINUX_SERVER_IP/32:500 auth-method=pre-shared-key dh-group=modp1024
disabled=no enc-algorithm=3des exchange-mode=main generate-policy=no
hash-algorithm=md5 lifebytes=0 lifetime=8h nat-traversal=yes
proposal-check=obey secret="MY_KEY" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.8.35.0/24:any ipsec-protocols=esp
level=require manual-sa=none priority=0 proposal=default protocol=all
sa-dst-address=LINUX_SERVER_IP sa-src-address=10.50.77.68
src-address=10.10.10.0/24:any tunnel=yes


Linux Openswan (/etc/ipsec.conf):

version 2

config setup
    interfaces="ipsec0=eth1"
    nat_traversal=yes
    uniqueids=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn hqvpn
    authby=secret
    right=MIKROTIK_PUBLIC_ISP_NATD_IP
    rightsubnet=10.10.10.0/24
    # rightid has to be here, else I get errors like
    # "we require peer to have ID 'MIKROTIK_PUBLIC_ISP_NATD_IP', but peer declares '10.50.77.68'"
    rightid=10.50.77.68
    left=LINUX_SERVER_IP
    leftsubnet=10.8.35.0/24
    auto=start
    pfs=no
    type=tunnel

Thanks a lot!
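As an added example (not part of the original post and not MikroTik or Openswan code), the script below cross-checks the two configurations above against each other: it parses the RouterOS export and the Openswan ipsec.conf, then verifies the points a NAT-T tunnel depends on, namely that the traffic selectors mirror each other, that the RouterOS peer/SA destination is the Linux end, that rightid equals the address the MikroTik declares as its SA source, that NAT-T is enabled on both sides, and that PFS settings agree. It also flags the condition the post describes (right differs from sa-src-address, so the MikroTik is behind NAT). The sample configurations are constructed from the post's placeholders; the section header /ip ipsec proposal is assumed for the first block.

```python
"""Cross-check a RouterOS IPsec export against the matching Openswan conn.

Added example: the parsers and checks here are not part of RouterOS or
Openswan; the sample configs are constructed from the forum post.
"""
import shlex

# Constructed sample: MikroTik export using the post's placeholders.
MIKROTIK_EXPORT = """\
/ip ipsec proposal
add auth-algorithms=md5,sha1 disabled=no enc-algorithms=des,3des,aes-128,aes-192,aes-256 lifetime=30m name="default" pfs-group=none
/ip ipsec peer
add address=LINUX_SERVER_IP/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=8h nat-traversal=yes proposal-check=obey secret="MY_KEY" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.8.35.0/24:any ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=default protocol=all sa-dst-address=LINUX_SERVER_IP sa-src-address=10.50.77.68 src-address=10.10.10.0/24:any tunnel=yes
"""

# Constructed sample: the Openswan side from the post.
OPENSWAN_CONF = """\
config setup
    interfaces="ipsec0=eth1"
    nat_traversal=yes
    uniqueids=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn hqvpn
    authby=secret
    right=MIKROTIK_PUBLIC_ISP_NATD_IP
    rightsubnet=10.10.10.0/24
    rightid=10.50.77.68
    left=LINUX_SERVER_IP
    leftsubnet=10.8.35.0/24
    auto=start
    pfs=no
    type=tunnel
"""


def strip_port(value):
    """'10.8.35.0/24:any' -> '10.8.35.0/24'; 'HOST/32:500' -> 'HOST'."""
    addr = value.split(":", 1)[0]
    return addr[:-3] if addr.endswith("/32") else addr


def parse_routeros(text):
    """Return {'/ip ipsec peer': [{key: value, ...}, ...], ...}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add "):
            entry = {}
            for token in shlex.split(line[4:]):  # shlex removes the quotes
                key, _, value = token.partition("=")
                entry[key] = value
            sections[current].append(entry)
    return sections


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn hqvpn': {...}} from ipsec.conf text."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # unindented line starts a section
            current = line.strip()
            sections[current] = {}
        else:
            key, _, value = line.strip().partition("=")
            sections[current][key] = value
    return sections


def cross_check(mikrotik_text, openswan_text, conn="hqvpn"):
    """Return {check_name: bool} for the consistency checks between both ends."""
    ros = parse_routeros(mikrotik_text)
    osw = parse_ipsec_conf(openswan_text)
    peer, policy = ros["/ip ipsec peer"][0], ros["/ip ipsec policy"][0]
    proposal = ros["/ip ipsec proposal"][0]
    c, setup = osw["conn " + conn], osw.get("config setup", {})
    return {
        # traffic selectors must be mirror images of each other
        "subnets_mirrored": (strip_port(policy["src-address"]) == c["rightsubnet"]
                             and strip_port(policy["dst-address"]) == c["leftsubnet"]),
        # RouterOS peer address and SA destination must both be the Linux end
        "peer_is_left": (strip_port(peer["address"]) == c["left"]
                         and policy["sa-dst-address"] == c["left"]),
        # the MikroTik identifies itself by its sa-src-address, so rightid must match it
        "rightid_matches_sa_src": c.get("rightid") == policy["sa-src-address"],
        # a NAT'd peer needs NAT-T enabled on both sides
        "nat_t_both_sides": (peer.get("nat-traversal") == "yes"
                             and setup.get("nat_traversal") == "yes"),
        # pfs-group=none on RouterOS corresponds to pfs=no on Openswan
        "pfs_consistent": (proposal.get("pfs-group") == "none") == (c.get("pfs") == "no"),
        # right (public NAT'd IP) != sa-src-address (private IP): peer is behind NAT
        "peer_behind_nat": c["right"] != policy["sa-src-address"],
    }


if __name__ == "__main__":
    for name, ok in cross_check(MIKROTIK_EXPORT, OPENSWAN_CONF).items():
        print(f"{name:24s} {'ok' if ok else 'MISMATCH'}")
```

Run it against a real export (`/ip ipsec export` on RouterOS, the conn section of ipsec.conf on Linux) after replacing the placeholder strings; a False in any of the first five checks points at the side to fix, while peer_behind_nat=True simply confirms that NAT-T is required and that rightid must carry the private address the MikroTik declares.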