IPsec NAT traversal

Hello everybody,

We have several requests for IPsec tunnels through our MikroTik routers. I've searched the forum but didn't find anything specific pertaining to the problem.
A few topics talk about adding firewall rules in the forward chain to allow traffic through ports 500 and 4500 and IP protocols 50 and 51. I tried the rules, but they don't allow IPsec traffic through the router.
We tested with a Sophos and a Cisco client; both show the same timeout.

How do I achieve reliable IPsec passthrough through the NAT?

Thanks in advance!

Best Regards

1001001

bump!!!

That should work just fine. Some items to check:

  1. Make sure you allow UDP traffic. The ports are 500/udp and 4500/udp.
  2. NAT-T should also be enabled on the VPN concentrator (though as I understand that is beyond your responsibility).
  3. Allowing traffic to port 500/udp is always required.
  4. You will only see traffic to port 4500/udp if NAT-T (IPsec NAT Traversal) is negotiated between initiator (VPN client) and responder (VPN server).
  5. Likewise you will only see IP protocol 50 (ESP) traffic if NAT-T is NOT negotiated (i.e. disabled on either client, server, or both).
  6. Protocol 51 (AH) is not needed for Cisco VPN Client to work. Not sure about Sophos.
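The rule set the reply describes, written out as an added RouterOS example (not from either poster). It assumes the WAN interface is `ether1` and the LAN is 192.168.88.0/24; adjust both to your router. The accept rules are placed at the top of the forward chain so they match before any existing drop rule, and srcnat masquerade is shown because the clients sit behind NAT:

```routeros
# Added example: IPsec passthrough for clients behind NAT on a MikroTik router.
# Assumptions: WAN interface "ether1", LAN subnet 192.168.88.0/24.

/ip firewall filter
# IKE (ISAKMP) is always needed; NAT-T detection happens inside this exchange.
add chain=forward protocol=udp dst-port=500 src-address=192.168.88.0/24 \
    out-interface=ether1 action=accept place-before=0 comment="IKE out"
# UDP-encapsulated IPsec: only seen once NAT-T has been negotiated.
add chain=forward protocol=udp dst-port=4500 src-address=192.168.88.0/24 \
    out-interface=ether1 action=accept place-before=0 comment="IPsec NAT-T out"
# Raw ESP (IP protocol 50): only seen when NAT-T is NOT negotiated.
add chain=forward protocol=ipsec-esp src-address=192.168.88.0/24 \
    out-interface=ether1 action=accept place-before=0 comment="ESP out"
# Return traffic for the tunnel rides on connection tracking.
add chain=forward connection-state=established,related action=accept \
    place-before=0 comment="allow replies"

/ip firewall nat
# Source NAT for the LAN; required for the 500/4500 UDP flows to be tracked.
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 action=masquerade

# Quick check: the packet counters tell you which path the client actually took.
# A rising "IPsec NAT-T out" counter with a flat "ESP out" counter means NAT-T
# was negotiated; the opposite means the peer fell back to raw ESP.
/ip firewall filter print stats where chain=forward
```

One caveat worth knowing when reading the counters: raw ESP carries no port numbers, so if NAT-T is not negotiated the router can only map one inside client per outside VPN server at a time. Several Sophos or Cisco clients behind the same MikroTik reaching the same concentrator will only all work reliably when NAT-T is enabled on the concentrator and you see the 4500/udp counter moving.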