IPsec over NAT

Is it possible to configure an IPsec tunnel between MT1 and MT2 that are behind NAT, like here:

LAN1 ↔ MT1 ↔ NAT/firewall <---- WAN ----> NAT/firewall ↔ MT2 ↔ LAN2

If so, how is it possible?

It is possible, if you deny NAT for that destination IPsec peer and allow NAT for everything else.

Regards.

Faton

No no, please, consider carefully: the IPsec MikroTik router is behind the NAT router. And I see a problem with the configuration of sa-src-address and sa-dst-address. I should set up the addresses of the NAT router and not the addresses of my IPsec router. But in this way the IPsec tunnel does not work. I get messages in the log:
01:47:56 ipsec,info ipsec no sa found: proto=esp spi=256 src=x.y.z.163 dst=a.b.c.2
01:47:57 ipsec,warning incoming packet with unknown SPI

Generally it's not possible.

MAG !!
You once mentioned NAT-T on the forum before. Does this affect IPsec too? We all know MikroTik doesn't support this feature (hope in the future it does...)
Regards,

With Cisco I was able to configure NAT and IPsec, so I created an access list which denies NAT for the IPsec peers and allows NAT for other destinations, but I never tried it with MikroTik; I don't think it should be a problem.

regards.

Faton
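The NAT-exemption approach Faton describes, written out as RouterOS CLI for MT1, as an added example that is not from any poster in this thread. All addresses, interface names and the shared secret are constructed placeholders, and it assumes the NAT/firewall in front of MT1 is also RouterOS so that IKE (UDP/500) and ESP can be forwarded to MT1; it deliberately uses no NAT-T, since the thread states this RouterOS has none. The check commands at the end are where the "no sa found ... unknown SPI" log lines quoted above would be investigated.

```routeros
# Added example, not from the thread. Constructed addresses:
#   LAN1 = 10.1.0.0/24 behind MT1 (MT1 WAN-side address 192.168.100.2)
#   LAN2 = 10.2.0.0/24 behind MT2, reachable via its public NAT address 198.51.100.2
#   public address in front of MT1 = 203.0.113.2
# MT2 runs the same commands with the two sides swapped.

# --- On MT1 ---
# 1. Exempt LAN1->LAN2 traffic from source NAT. The accept rule must sit
#    ABOVE the masquerade rule: srcnat is processed top to bottom, and a
#    packet that has already been masqueraded no longer matches the IPsec
#    policy, so it leaves in clear text instead of being encrypted.
/ip firewall nat
add chain=srcnat src-address=10.1.0.0/24 dst-address=10.2.0.0/24 action=accept \
    comment="do not NAT traffic for the IPsec peer"
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="NAT everything else"

# 2. IKE peer: the remote side is known only by its public (NAT) address.
/ip ipsec peer
add address=198.51.100.2/32 exchange-mode=main secret="CHANGE-ME-shared-secret"

# 3. Policy: sa-src-address is MT1's own WAN-side address (the ESP packets
#    reach it there after the front-end NAT forwards them), sa-dst-address
#    is the peer's public address. This is the address-pair question the
#    thread raises; the policy selects traffic by the two LAN prefixes.
/ip ipsec policy
add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 tunnel=yes action=encrypt \
    sa-src-address=192.168.100.2 sa-dst-address=198.51.100.2 proposal=default

# --- On the NAT/firewall in front of MT1 (assumed to be RouterOS too) ---
# Without NAT-T, ESP (IP protocol 50) carries no port, so it can only be
# forwarded 1:1 to a single inside host. Forward IKE and ESP to MT1.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=500 \
    action=dst-nat to-addresses=192.168.100.2
add chain=dstnat in-interface=ether1 protocol=ipsec-esp \
    action=dst-nat to-addresses=192.168.100.2

# --- Checks ---
# A negotiated tunnel shows one inbound and one outbound SA per direction
# here. "no sa found ... unknown SPI" in the log means ESP arrived for an SA
# this router never installed, usually because the SA was negotiated for a
# different src/dst address pair than the one the packets actually carry.
/ip ipsec installed-sa print
/log print
```

The accept rule is the RouterOS equivalent of the Cisco access list Faton mentions: it is not a security exemption, only an instruction to leave the source address untouched so the packet still matches the encrypt policy. When testing, compare the src/dst shown in the log line with the sa-src-address and sa-dst-address on each side; a mismatch between them is the first thing to rule out before suspecting the peers or the proposal.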