What I’m trying to do is make Mikrotik completely transparent for VPN traffic which is being sent from Cisco 891FW to external VPN device. I can confirm that Cisco 891FW is able to get IP address from DHCP (VLAN123) and can reach Internet but VPN tunnel cannot be established.
Below is my partial configuration:
;;; MASQUERADE FOR VLAN123
chain=srcnat action=masquerade src-address=192.168.254.0/30
out-interface=WAN log=no log-prefix=""
1. The masquerade rule triggers on packets sent by the Cisco towards the internet and creates “connections” based on them, but none of the “/ip firewall filter” rules you’ve listed permits member packets of established connections to pass through in the opposite direction.
2. If the IPsec connection is not initiated by that Cisco but by the opposite peer, the /ip firewall filter rules you’ve provided would accept packets for that Cisco, but they never get any to handle, because a dst-nat rule in /ip firewall nat would have to be present for each of the three protocols (and port in the UDP case).
3. The AH packets can pass through NAT, but the recipient won’t accept them because their integrity check fails, so
   - either the Cisco is really using raw IPsec, and then there must be no NAT between the peers, period;
   - or the Cisco is actually using IPsec over UDP (NAT-T extension with IKEv1 or native part of IKEv2), but in that case the only packets you need to tunnel are UDP ones, and then a working masquerade (or src-nat in general) rule together with a filter rule as per point 1. above is enough to make it work if this Cisco initiates the connection. If it should act as a passive recipient, you have to port-forward (using a dst-nat rule) and permit UDP ports 500 and 4500 all the way from the public address to this Cisco.
If you use the flavour of IPsec which does support NAT, it doesn’t matter how many NATs happen between the public address and the actual peer on each side. You tell each peer the public address of the remote end and that’s it.
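The rule set the answer describes, written out as an added example in RouterOS CLI syntax; it is not the original poster’s configuration and not the answer author’s. Assumptions: the MikroTik’s VLAN123 interface holds 192.168.254.1, the Cisco 891FW received 192.168.254.2 from DHCP, the upstream interface is called WAN as in the posted rule, and the comments are illustrative. It covers both cases from the answer: the Cisco initiating (masquerade plus an established/related accept in chain=forward) and the Cisco acting as the passive peer (dst-nat of UDP/500 and UDP/4500 plus a matching accept), and the drop rules at the end show the ordering that breaks the tunnel if the accepts come after them.

```routeros
# Added example, not the poster's or the answerer's own config.
# Assumed addresses: MikroTik 192.168.254.1 on vlan123, Cisco 192.168.254.2 (from DHCP), upstream interface "WAN".

/ip firewall nat
# Point 1: the poster's rule, unchanged. It hides the Cisco behind the WAN address
# and creates the connection-tracking entries the filter rules below rely on.
add chain=srcnat action=masquerade src-address=192.168.254.0/30 out-interface=WAN comment="MASQUERADE FOR VLAN123"
# Point 2 / point 3, passive case only: the remote peer initiates, so IKE (UDP/500)
# and NAT-T (UDP/4500) arriving on WAN must be dst-natted to the Cisco.
# No rules for ESP (protocol 50) or AH (protocol 51) are added: with NAT-T the
# whole tunnel rides inside UDP/4500, and AH cannot survive NAT anyway.
add chain=dstnat action=dst-nat in-interface=WAN protocol=udp dst-port=500 to-addresses=192.168.254.2 to-ports=500 comment="IKE to Cisco (assumed address)"
add chain=dstnat action=dst-nat in-interface=WAN protocol=udp dst-port=4500 to-addresses=192.168.254.2 to-ports=4500 comment="NAT-T to Cisco (assumed address)"

/ip firewall filter
# Point 1: reply packets of the masqueraded connections come back on WAN and
# traverse chain=forward; without this accept they hit the drop rules below.
add chain=forward action=accept connection-state=established,related comment="replies of NATed connections"
# Point 2: packets rewritten by the dst-nat rules above reach chain=forward
# with connection-nat-state=dstnat; accept only the two IKE/NAT-T ports to the Cisco.
add chain=forward action=accept connection-nat-state=dstnat in-interface=WAN protocol=udp dst-port=500,4500 dst-address=192.168.254.2 comment="IKE/NAT-T forwarded to Cisco"
# Typical tail of a forward chain. If these sit ABOVE the two accepts, the
# tunnel replies (point 1) and the port-forwarded IKE packets (point 2) are dropped.
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=WAN connection-nat-state=!dstnat comment="drop unsolicited traffic from WAN"
```

Rule order is what matters here: RouterOS evaluates a chain top to bottom and stops at the first terminating action, so add the two accepts with `place-before=` pointing at the first drop, or move them afterwards with `/ip firewall filter move`. To verify that the peer is actually using NAT-T, check the connection table after a tunnel attempt with `/ip firewall connection print where protocol=udp dst-address~":4500"`; if the only entries are on UDP/500 and the peer then sends raw ESP or AH, you are in the "no NAT between the peers" case from point 3, and no firewall rule will fix it.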