IPsec Site2Site VPN-Tunnel, both MikroTik-Routers behind NAT-Router

Hello everyone.

Can somebody help me with my IPsec-problem?

I want to establish an IPsec site-to-site VPN tunnel between two MikroTik routers.

Both MikroTik routers are connected to NAT routers which
masquerade outbound connections.

What do I have to consider when configuring?

Has anybody among you already done this?

Best Regards, MikroT20

Here is an example: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IPsec_tunnel
Notice: one of the two routers must not be behind NAT and must act as the Responder.
I am not writing much, since the wiki page covers everything you need to know about IPsec. So take your first steps, and in case you find difficulty with something, let us know.

First you need to find out whether you can configure one of those NAT routers to have “open ports” or a “DMZ setting”, so that you can allow incoming connections from the other one.
If this is not possible, e.g. because the ISP does not allow you to configure the routers, or because they have their NAT inside their own network core (CGNAT) instead of or in addition to your local router, you cannot do what you want.

In that case there is still the option of having a router installed at some other place where there is no NAT, e.g. a VPS at a cloud provider, and connecting both your sites to it and routing the traffic via that extra hop, so both your NAT’ed sites only need to make outgoing connections.

When you can configure the NAT routers, make a port forward for UDP ports 500 and 4500. It is best to do this on both sides when possible.
Then you can just do the standard IPsec setup as shown by Zacharias.
I would not use a Site2Site tunnel but would instead use a GRE/IPsec tunnel, but that is my personal preference and you can use Site2Site if you really want to.
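As an added example (not from any of the posts above, and not the wiki's own configuration), the following RouterOS commands put the advice in this thread together for the case where both NAT routers can forward UDP 500 and 4500. All addresses, names and the pre-shared key are assumptions: Site A's MikroTik sits at 192.168.0.2 behind a NAT router with public address 198.51.100.10 and serves LAN 192.168.1.0/24; Site B's MikroTik sits at 172.16.0.2 behind a NAT router with public address 203.0.113.20 and serves LAN 192.168.2.0/24. Site A is the passive responder, Site B initiates. The syntax is that of RouterOS 6.43 and later (profile/peer/identity/policy split).

```routeros
# ---------------------------------------------------------------------
# Assumed addressing (example values, not from the thread):
#   Site A: MikroTik WAN 192.168.0.2, upstream NAT router public 198.51.100.10, LAN 192.168.1.0/24
#   Site B: MikroTik WAN 172.16.0.2,  upstream NAT router public 203.0.113.20, LAN 192.168.2.0/24
# ---------------------------------------------------------------------

# ===== On the upstream NAT routers (only if they happen to run RouterOS; =====
# ===== otherwise configure the equivalent "port forward" in that device's UI) =====
# Site A's NAT router: forward IKE (500) and NAT-T/ESP-in-UDP (4500) to the MikroTik behind it
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=dst-nat to-addresses=192.168.0.2 comment="IPsec to inner MikroTik"
# Site B's NAT router: same, pointing at its own inner MikroTik (172.16.0.2)

# ===== Site A MikroTik (responder) =====
# nat-traversal=yes lets IKE detect the NAT in front of both routers and switch to UDP 4500
/ip ipsec profile add name=s2s-prof hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 nat-traversal=yes
/ip ipsec proposal add name=s2s-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
# The peer address is the PUBLIC address of Site B's NAT router, never the inner 172.16.0.2
/ip ipsec peer add name=siteB address=203.0.113.20/32 exchange-mode=ike2 \
    profile=s2s-prof passive=yes
# FQDN identities: behind NAT the default (address) ID would be the private WAN address,
# which the other side cannot match; replace the placeholder secret with a long random PSK
/ip ipsec identity add peer=siteB auth-method=pre-shared-key secret="CHANGE-ME-long-random-psk" \
    my-id=fqdn:site-a.example.net remote-id=fqdn:site-b.example.net
/ip ipsec policy add peer=siteB tunnel=yes proposal=s2s-prop \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24
# Keep the MikroTik's own masquerade rule from rewriting LAN-to-LAN traffic before the
# policy sees it; the accept rule has to sit above any masquerade rule
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24 comment="IPsec bypass"
# Allow the forwarded IKE/NAT-T packets in (adjust if the input chain has no drop rule)
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept \
    place-before=0 comment="IKE / NAT-T"

# ===== Site B MikroTik (initiator) =====
/ip ipsec profile add name=s2s-prof hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 nat-traversal=yes
/ip ipsec proposal add name=s2s-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048
# Peer address is the PUBLIC address of Site A's NAT router (the forwarded one)
/ip ipsec peer add name=siteA address=198.51.100.10/32 exchange-mode=ike2 profile=s2s-prof
/ip ipsec identity add peer=siteA auth-method=pre-shared-key secret="CHANGE-ME-long-random-psk" \
    my-id=fqdn:site-b.example.net remote-id=fqdn:site-a.example.net
/ip ipsec policy add peer=siteA tunnel=yes proposal=s2s-prop \
    src-address=192.168.2.0/24 dst-address=192.168.1.0/24
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.2.0/24 dst-address=192.168.1.0/24 comment="IPsec bypass"
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept \
    place-before=0 comment="IKE / NAT-T"
```

After a ping from one LAN to the other, `/ip ipsec active-peers print` on either router should list the established peer and `/ip ipsec installed-sa print` the two SAs; if the peer never appears on Site A, check the port forward on its NAT router first, since that is the only part of the setup the MikroTik itself cannot see. Because the peer address on each side is the other NAT router's public address, this only works while those addresses are static; if one of them is dynamic, that site must be the initiator and the responder's peer needs `address=0.0.0.0/0` with `passive=yes`.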