No luck with L2TP IPsec but same issue with GRE IPsec

I’m giving up on my issue with L2TP/IPsec as per my previous post: http://forum.mikrotik.com/t/l2tp-ipsec-is-driving-me-crazy/96404/1

Anyway, I have the same issue securing a GRE tunnel using IPsec (as per the native IPsec section in the GRE configuration):

The connecting peers have DYNAMIC IP addresses that change from time to time,
so a dynamic IPsec policy is created when the client connects.

What’s the problem?

The Mikrotik device has its WAN interface connected behind a DSL router, 1:1 NATed back to the MT to make the MT itself “virtually” on the public side (static public IP address):

Mikrotik(10.0.0.2)-----(10.0.0.1)DSL_ROUTER(1.2.3.4)-------internet--------(5.6.7.8) CLIENT
|___<<<1:1nat<<<|

The automatically created IPsec policy doesn’t really reflect the installed SA:

The [1.2.3.4 – 5.6.7.8] policy doesn’t match the [10.0.0.2 – 5.6.7.8] SA,

so IPsec fails.

No luck with or without NAT-T.
It works if the [10.0.0.2 – 5.6.7.8] policy is created manually, but 5.6.7.8 is dynamic!!!

I suppose this is a known issue.
Is there anyone who can help me in solving this (if it is really solvable…)???

Thank you very much

It is correct, you cannot use those simplified IPsec configs directly under the interface tab when you do not have a static IP address.

That’s the answer I was waiting for…

If one knows that a “roadwarrior” cannot establish an IPsec connection with an MT behind any type of NAT, one can avoid wasting time in useless tests…

Anyway, the MT knows the initiator IP address, the responder IP address (DSL line) and its own WAN IP address.
It shouldn’t be such an impossible thing to generate the correct policy(ies) to allow this type of traffic…

Mikrotik staff: should it be included in the MT wishlist???

I was thinking about a script to generate a second dynamic policy once the first one has taken place.

Do you think it is possible?? (I’m absolutely a noob in scripting…)

Or… adding the DSL line public IP address as a secondary on the MT WAN interface to fool the policy generation process some way???
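As an added example (not code from the thread or from MikroTik), here is one way the "second policy" idea from the last post could be scripted in RouterOS: every dynamic GRE policy whose SA source is the DSL router's public address gets a static twin that uses the router's real WAN address, and twins whose dynamic policy has disappeared are cleaned up. It assumes the WAN interface is named "ether1", the 1:1 NAT layout from the diagram, and that the dynamic policy exposes the peer in sa-dst-address; whether RouterOS lets the twin coexist with the dynamic entry is something to verify on the box.

```routeros
# Added example, not from the thread. Assumes WAN interface "ether1", the
# router 1:1 NATed behind the DSL router as in the diagram, and that the
# policy created by the GRE interface's IPsec setting carries the peer in
# sa-dst-address and the DSL router's public address in sa-src-address.
# Run it from /system scheduler every few seconds.
:local wanIf "ether1"
:local tag "auto-mirror"

# First address on the WAN interface, without the prefix length
:local ids [/ip address find interface=$wanIf]
:local wanAddr [/ip address get ($ids->0) address]
:set wanAddr [:pick $wanAddr 0 [:find $wanAddr "/"]]
:local wanIp [:toip $wanAddr]

# 1. For every dynamic GRE policy whose SA source is not the real WAN
#    address, add a static twin that uses the WAN address instead.
:foreach p in=[/ip ipsec policy find dynamic=yes protocol=gre] do={
    :local peer [:toip [/ip ipsec policy get $p sa-dst-address]]
    :local saSrc [:toip [/ip ipsec policy get $p sa-src-address]]
    :if ($saSrc != $wanIp) do={
        :local twin [/ip ipsec policy find dynamic=no protocol=gre sa-src-address=$wanIp sa-dst-address=$peer]
        :if ([:len $twin] = 0) do={
            /ip ipsec policy add src-address=($wanAddr . "/32") dst-address=([:tostr $peer] . "/32") protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=$wanIp sa-dst-address=$peer proposal=default comment=($tag . " " . [:tostr $peer])
            :log info ("ipsec-mirror: added static GRE policy " . $wanAddr . " -> " . [:tostr $peer])
        }
    }
}

# 2. Remove twins whose dynamic policy is gone (the peer's address changed),
#    so stale entries do not pile up.
:foreach s in=[/ip ipsec policy find dynamic=no comment~("^" . $tag)] do={
    :local peer [:toip [/ip ipsec policy get $s sa-dst-address]]
    :if ([:len [/ip ipsec policy find dynamic=yes protocol=gre sa-dst-address=$peer]] = 0) do={
        /ip ipsec policy remove $s
        :log info ("ipsec-mirror: removed stale GRE policy for " . [:tostr $peer])
    }
}
```

The log lines make it easy to see in /log when a twin was added or dropped, which is the first thing to check if the tunnel still fails after the dynamic policy appears.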