Issue with IPSec between NATed Mikrotik and Cisco router

Hello,
I am facing a problem with a RB760iGS I just bought.

I have created an IPSec site-to-site VPN between this Mikrotik and a Cisco router.
The Mikrotik is behind a NAT, set up as a DMZ, so it has a private LAN interface (192.168.88.0/24) and a WAN interface with a private IP (192.168.1.5). Its gateway is 192.168.1.1.

Then the Cisco has its own public IP address.
When I establish the IPsec tunnel, the problem is that the Mikrotik sends the packet with the 192.168.1.5 address inside, so on the Cisco side the policy does not match. I needed to ask them to change the policy, as stated in this article:
https://community.cisco.com/t5/security-documents/l2l-vpn-troubleshooting-quot-ipsec-policy-invalidated-proposal/ta-p/3115635

After this change, the IPsec tunnel is working fine, but they don’t want to keep this setting.

Can you please help me? How can I change the local peer address on the Mikrotik side, so that in the IPsec packet it sends its own public static IP address (87.27.x.y) instead of its address on the WAN interface (192.168.1.5)?
I tried to set it as the "local address" in the IPsec peer config, but it causes an error in the log. Also, if I set it in the policies, phase 2 no longer establishes.

Thanks

Unlike in the case of NAT, the peer's local-address must be one of the Mikrotik's own addresses. So you have to create a bridge interface with no member ports on the Tik and attach the public IP address to it as a /32. Once you do that, you'll be able to set it as the local-address of the peer.

If the Cisco may act as initiator, and/or to deal with restarts etc., you also have to add a dst-nat rule changing the dst-address of incoming connections from the received 192.168.1.5 to the public IP.

But all this will work only if the NAT device between the Mikrotik and the internet can forward ESP packets. If the IPsec peers do not detect NAT, they send ESP directly to each other's address rather than encapsulating it in UDP. And as ESP has no notion of ports, a NAT can only deal with a single ESP stream per remote IP on its public side, so some NATs may not deal with it at all, even in the 1:1 NAT (DMZ) mode you seem to be using.
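As an added example (not from the original thread, and not the poster's own config), here is how the steps in the answer above look as RouterOS console commands, together with the firewall rules and the checks a practitioner would run afterwards. The bridge name lo-public, the Cisco's public address 198.51.100.10, the LAN behind the Cisco 10.10.10.0/24, the peer name cisco and the WAN interface name ether1 are placeholders chosen for this example; 87.27.x.y is the masked public IP from the question and must be replaced with the real one. The filter rules assume the default RouterOS firewall, whose input chain drops unsolicited traffic arriving on the WAN.

```routeros
# Added example, not from the original post. Placeholders (assumptions):
#   87.27.x.y        the Mikrotik's public IP (masked in the question; substitute it)
#   198.51.100.10    the Cisco's public IP (documentation range, chosen here)
#   10.10.10.0/24    the LAN behind the Cisco (chosen here)
#   ether1           the WAN port that carries 192.168.1.5
#   cisco            the name of the already-existing peer entry

# 1. A bridge with no member ports behaves like a loopback: an address on it
#    is treated as one of the router's own, which is what peer local-address requires.
/interface bridge
add name=lo-public protocol-mode=none comment="holds public IP for IPsec"

/ip address
add address=87.27.x.y/32 interface=lo-public comment="public IP behind 1:1 NAT"

# 2. Make IKE source its packets from the public IP. The Cisco then sees
#    87.27.x.y as the peer address, so its existing policy matches without the
#    workaround from the linked article.
/ip ipsec peer
set [ find name=cisco ] local-address=87.27.x.y

# 3. The phase-2 policy must use the same address as the peer, otherwise phase 2
#    will not establish (the symptom the question describes when only the policy
#    was changed).
/ip ipsec policy
set [ find dst-address=10.10.10.0/24 ] sa-src-address=87.27.x.y sa-dst-address=198.51.100.10

# 4. Inbound traffic from the 1:1 NAT still arrives addressed to 192.168.1.5.
#    Rewrite it to the public IP so the Cisco can initiate (and rekey after restarts).
#    The ESP rule covers the case from the answer where no NAT is detected and ESP
#    travels without UDP encapsulation.
/ip firewall nat
add chain=dstnat in-interface=ether1 dst-address=192.168.1.5 protocol=udp dst-port=500,4500 \
    action=dst-nat to-addresses=87.27.x.y comment="IKE / NAT-T arriving via 1:1 NAT"
add chain=dstnat in-interface=ether1 dst-address=192.168.1.5 protocol=ipsec-esp \
    action=dst-nat to-addresses=87.27.x.y comment="raw ESP arriving via 1:1 NAT"

# 5. Let the rewritten packets reach the router (assumes the default firewall;
#    place-before=0 puts them ahead of the generic drop rules).
/ip firewall filter
add chain=input in-interface=ether1 src-address=198.51.100.10 protocol=udp dst-port=500,4500 \
    action=accept place-before=0 comment="IKE from Cisco"
add chain=input in-interface=ether1 src-address=198.51.100.10 protocol=ipsec-esp \
    action=accept place-before=0 comment="ESP from Cisco"

# 6. Checks. active-peers shows whether the SA came up and whether NAT-T was
#    negotiated (natt-peer); if it was not, ESP is sent raw and the upstream NAT
#    device must be able to forward protocol 50. installed-sa should list SAs with
#    src/dst 87.27.x.y <-> 198.51.100.10, not 192.168.1.5.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

Two things to confirm on the other side after applying this: the Cisco should now see IKE arriving from 87.27.x.y rather than 192.168.1.5 (if it still sees the private address, the upstream NAT device is rewriting or dropping packets sourced from the public IP, and the rest of the setup cannot work), and if `active-peers` reports no NAT-T, the tunnel depends entirely on that upstream device forwarding ESP, which is the caveat the answer ends with.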