Hey experts!
We've come across a NAT-T issue on the RB951Ui-2HnD when it comes to IPsec.
The following network setup is used:
StrongSwan-based IPsec appliance (client) -- RB951Ui-2HnD -- Public Internet -- IPsec Termination Device / Router.
The client device establishes three IPsec tunnels towards three different IKE endpoints.
However, one tunnel fails to establish. On both client and server I observe that IKE phase 1 succeeds, but neither client nor server receives ingress traffic on this faulty tunnel.
The IKE DPD timeout kicks in and the tunnel eventually gets cleared.
Once we switch the RB951 to bridged mode, the client brings up all three tunnels right away!
We've built a lab testbed and observed similar behavior when the NAT device doesn't implement Endpoint-Independent Filtering as per RFC 4787.
Could this be the case?
Any clue is much appreciated. Thanks in advance!
I'll get back with further details (such as RouterOS version).
Thanks,
Evgeny
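The post refers to the RFC 4787 filtering behaviours without spelling out how they differ, so here is an added example (not part of the original post, and not a model of what RouterOS actually does) that implements the three UDP filtering categories from RFC 4787 Section 5 as a toy NAT and runs a NAT-T-style scenario through them: one internal host opening UDP/4500 flows to three IKE endpoints, then a set of inbound probes. All addresses and ports are constructed. It shows which inbound packets each behaviour admits, which is the check to make when comparing a lab NAT against the one in the field.

```python
# Toy model of the three UDP filtering behaviours defined in RFC 4787 Section 5:
#   Endpoint-Independent Filtering (EIF), Address-Dependent Filtering (ADF),
#   Address and Port-Dependent Filtering (APDF).
# The mapping behaviour is fixed to endpoint-independent (RFC 4787 REQ-1) so that
# only the filtering rule varies. Constructed example; all addresses are made up.

from dataclasses import dataclass, field

EIF = "endpoint-independent"
ADF = "address-dependent"
APDF = "address-and-port-dependent"


@dataclass
class Nat:
    filtering: str
    public_ip: str = "203.0.113.1"      # constructed public address of the NAT
    next_port: int = 40000
    # internal (ip, port) -> external port allocated for it
    mappings: dict = field(default_factory=dict)
    # external port -> set of (remote_ip, remote_port) the internal host has sent to
    peers: dict = field(default_factory=dict)

    def outbound(self, src, dst):
        """Record an outbound UDP packet src -> dst; return the external (ip, port)."""
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.peers[self.next_port] = set()
            self.next_port += 1
        ext_port = self.mappings[src]
        self.peers[ext_port].add(dst)
        return (self.public_ip, ext_port)

    def inbound_allowed(self, remote, ext_port):
        """Decide whether an inbound packet from remote to our ext_port is forwarded."""
        if ext_port not in self.peers:
            return False                       # no mapping at all: always dropped
        seen = self.peers[ext_port]
        if self.filtering == EIF:
            return True                        # any remote endpoint may use the mapping
        if self.filtering == ADF:
            return any(ip == remote[0] for ip, _ in seen)   # same remote IP, any port
        if self.filtering == APDF:
            return remote in seen              # exactly the (ip, port) we sent to
        raise ValueError(f"unknown filtering behaviour: {self.filtering}")


def nat_t_scenario(filtering):
    """One client behind the NAT talks NAT-T (UDP/4500) to three IKE endpoints,
    then several inbound packets are probed. Returns {probe label: allowed?}."""
    nat = Nat(filtering)
    client = ("192.168.88.10", 4500)                 # constructed internal address
    endpoints = [("198.51.100.1", 4500),
                 ("198.51.100.2", 4500),
                 ("198.51.100.3", 4500)]             # constructed IKE responders
    ext_port = None
    for ep in endpoints:
        _, ext_port = nat.outbound(client, ep)       # same mapping reused each time

    probes = {f"{ip}:{port}": (ip, port) for ip, port in endpoints}
    probes["198.51.100.1:500"] = ("198.51.100.1", 500)    # known host, other port
    probes["unknown host"] = ("198.51.100.99", 4500)      # host never contacted
    return {label: nat.inbound_allowed(remote, ext_port)
            for label, remote in probes.items()}


if __name__ == "__main__":
    for behaviour in (EIF, ADF, APDF):
        print(behaviour)
        for label, ok in nat_t_scenario(behaviour).items():
            print(f"  {label:22} {'pass' if ok else 'DROP'}")
```

Under all three behaviours the replies from the three endpoints the client actually contacted are admitted, so a plain three-tunnel NAT-T setup only starts to diverge once a responder sends from a different port or address than the one the initiator targeted; that is the case to look for in captures on both sides of the RB951 when comparing routed and bridged mode.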