I tried to forward UDP 500 and 4500 from MikroTik to a FortiGate firewall connected by PPPoE username and password.
1st router: ISP DMZ to MikroTik WAN1.
2nd router: ISP DMZ to MikroTik WAN2.
So I have 2 public IPs.
MikroTik is getting the internet from both by static IP.
MikroTik is running a PPPoE server for clients.
By applying mangle rules and route tables I can specify, for each PPPoE connection, which WAN to use,
and forwarding ports works fine with MikroTik clients.
Now I want to forward UDP 4500 and 500 to 192.168.51.5 so that the FortiGate can connect a site-to-site VPN to another FortiGate outside of the network.
I tried:
1. adding dst-nat from NAT.
2. adding a forward rule in the filter rules.
3. both 1 & 2.
Note: this client is using the first WAN.
But it was not stable: sometimes it works by chance, and if I disconnect it and try to connect again at the same time with the same configuration it does not work. I am really confused.
The problem in this case is usually in some (other) NAT device.
IPsec requires that the port numbers remain the same during the session.
When you have some router that does NAT on the traffic and it thinks it needs to set up a new session (e.g. because the previous one failed) and starts using a different port number than 500 for the translated traffic, everything breaks down.
That indeed often leads to very mysterious situations where the connection fails to come back up again, and sometime later it suddenly works again.
At least in the devices that you can control, make sure you make explicit mappings for port 500 and 4500 (separately) that keep the port number the same, not an automatic selection.
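As an added illustration of the explicit, port-preserving mappings described in the reply above (this is example config, not the poster's or the replier's own; it assumes the first uplink interface is named WAN1, that 192.168.51.5 is the FortiGate behind the PPPoE client, and that `<WAN1-public-IP>` is replaced with the real address of that uplink):

```routeros
# Added example (not from the thread): keep UDP 500 and 4500 unchanged in both directions.
# Assumptions: uplink interface WAN1, FortiGate at 192.168.51.5, placeholder <WAN1-public-IP>.
# All rules must sit above any generic masquerade / drop rules (use place-before= if needed).

/ip firewall nat
# 1. Inbound: one dst-nat rule per port, with to-ports fixed so the port never changes.
add chain=dstnat in-interface=WAN1 protocol=udp dst-port=500 \
    action=dst-nat to-addresses=192.168.51.5 to-ports=500 comment="IKE to FortiGate"
add chain=dstnat in-interface=WAN1 protocol=udp dst-port=4500 \
    action=dst-nat to-addresses=192.168.51.5 to-ports=4500 comment="NAT-T to FortiGate"

# 2. Outbound: explicit src-nat with fixed ports instead of masquerade, so the translated
#    source port also stays 500 / 4500 when the FortiGate initiates or re-keys.
add chain=srcnat src-address=192.168.51.5 out-interface=WAN1 protocol=udp src-port=500 \
    action=src-nat to-addresses=<WAN1-public-IP> to-ports=500 comment="IKE from FortiGate"
add chain=srcnat src-address=192.168.51.5 out-interface=WAN1 protocol=udp src-port=4500 \
    action=src-nat to-addresses=<WAN1-public-IP> to-ports=4500 comment="NAT-T from FortiGate"

# 3. Forward chain: accept only the translated flows, before any drop rule.
/ip firewall filter
add chain=forward protocol=udp dst-address=192.168.51.5 dst-port=500,4500 \
    connection-nat-state=dstnat action=accept comment="allow IKE/NAT-T to FortiGate"

# Check: counters on these rules should rise while the tunnel negotiates, and each
# tracked connection should show the same port on both sides of the translation.
/ip firewall nat print stats where comment~"FortiGate"
/ip firewall connection print where protocol=udp dst-address~":4500"
```

If the ISP routers in front of the MikroTik also do NAT, the same fixed 500/4500 mappings are needed there, since the MikroTik cannot control how those boxes pick translated ports.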
Actually the FortiGate VPN always requires these 2 ports, UDP (500 and 4500), to create the site-to-site VPN, and from the MikroTik I am forwarding them directly (from NAT, as I mentioned before).
So, based on my humble knowledge, I was thinking it should work.
If you can guide me through the needed steps to solve the issue, I will be thankful.
That (ipsec-esp) is not required when you do IPsec over a NAT path. It will use only UDP port 500 (as usual for isakmp) and 4500 (instead of ESP protocol 50).