Topic Author
Posts: 479
Joined: Wed Feb 24, 2016 5:19 pm

Site-to-site VPN through NAT and firewall on one side

Mon Jul 10, 2017 9:06 pm

Hi, I need to connect a remote lab network to the primary lab network over VPN, using a VM installed in the primary network. I have full control over the remote lab; however, the primary lab network is part of a huge corporate infrastructure and port forwarding is not an option, as it'd require a lot of changes. So the network scheme is more or less like this:

(remote lab) RouterOS CHR | KVM host | CCR1009 | RB2011 ---- INTERNET ---- <firewalls, NAT, scary shit> | ESXi host | RouterOS CHR (primary lab)

VMs on ESXi have internet access and lab network access; however, they're not exposed to the WAN, so the connection has to be initiated from this site. The CHR in the remote lab can have ports forwarded, as it's a significantly simpler infrastructure. Is it possible to bridge those 2 networks? Preferably on L2, but if that's not possible / not a good idea then L3 is fine as well.
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Site-to-site VPN through NAT and firewall on one side

Mon Jul 10, 2017 9:30 pm

I'd use IPsec as the underlying tunnel, with NAT-T mode enabled. NAT-T uses UDP port 4500 to encapsulate the IPsec packets, making them NAT-friendly. The primary side can be the initiator, so you only need to set up port forwarding on the remote site.

You can configure the policies so the IPsec tunnel is just a tunnel, not a site-to-site VPN. Then you can configure EoIP on both MikroTiks to use this tunnel to create the L2 site-to-site VPN connection.
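A worked configuration for the approach in the reply above, added here as an illustration; it is not the poster's config and was not part of the thread. It uses the RouterOS 6.43+/v7 IPsec layout (profile, peer, identity, policy) rather than the single `/ip ipsec peer` form that was current in 2017. All addresses, interface names, the tunnel-id and the pre-shared key are assumed placeholders: 198.51.100.10 is the remote lab edge's public IP, 10.200.0.2 the remote CHR behind it, 203.0.113.50 the corporate NAT address the primary CHR appears from, and 172.16.5.10 the primary CHR's inside address. The IPsec policy is transport mode (tunnel=no) and matches only GRE between the two routers, which is the "just a tunnel, not a site-to-site VPN" part; the LAN subnets never appear in an IPsec policy, EoIP carries them.

```routeros
# ===== Remote lab CHR (10.200.0.2): IPsec responder, primary lab initiates =====
/ip ipsec profile
add name=lab-ike nat-traversal=yes enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=1d dpd-interval=30s

/ip ipsec proposal
add name=lab-esp enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=30m

# passive=yes: this side never initiates; the corporate side has no inbound path.
# 203.0.113.50 is the assumed (stable) corporate egress NAT address.
/ip ipsec peer
add name=primary-lab address=203.0.113.50/32 exchange-mode=ike2 profile=lab-ike passive=yes

/ip ipsec identity
add peer=primary-lab auth-method=pre-shared-key secret="CHANGE-ME-long-random-psk"

# Transport-mode policy covering only GRE router-to-router traffic (assumed addresses).
# After NAT-T decapsulation the GRE packets arrive from the corporate NAT address,
# so that, not the primary CHR's private IP, is the policy and EoIP remote address.
/ip ipsec policy
add peer=primary-lab tunnel=no protocol=gre src-address=10.200.0.2/32 \
    dst-address=203.0.113.50/32 action=encrypt level=require proposal=lab-esp

# EoIP (GRE, IP proto 47) rides inside the IPsec transport SA; tunnel-id must match.
/interface eoip
add name=eoip-primary local-address=10.200.0.2 remote-address=203.0.113.50 \
    tunnel-id=100 keepalive=10s,10 clamp-tcp-mss=yes

/interface bridge port
add bridge=bridge-lab interface=eoip-primary

# Only accept IKE/NAT-T from the expected peer, and GRE only once IPsec has
# decrypted it; plaintext GRE to the router is dropped.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.50 action=accept \
    comment="IKE and NAT-T from primary lab"
add chain=input protocol=gre ipsec-policy=in,ipsec action=accept \
    comment="EoIP only after IPsec decapsulation"
add chain=input protocol=gre action=drop comment="no plaintext EoIP"

# ===== Remote lab edge router (CCR1009/RB2011, public 198.51.100.10) =====
# The one port forward the reply mentions: IKE and NAT-T to the CHR.
/ip firewall nat
add chain=dstnat dst-address=198.51.100.10 protocol=udp dst-port=500,4500 \
    action=dst-nat to-addresses=10.200.0.2

# ===== Primary lab CHR (172.16.5.10): initiator behind corporate NAT/firewall =====
/ip ipsec profile
add name=lab-ike nat-traversal=yes enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=1d dpd-interval=30s
/ip ipsec proposal
add name=lab-esp enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=30m
/ip ipsec peer
add name=remote-lab address=198.51.100.10/32 exchange-mode=ike2 profile=lab-ike
/ip ipsec identity
add peer=remote-lab auth-method=pre-shared-key secret="CHANGE-ME-long-random-psk"
/ip ipsec policy
add peer=remote-lab tunnel=no protocol=gre src-address=172.16.5.10/32 \
    dst-address=198.51.100.10/32 action=encrypt level=require proposal=lab-esp
/interface eoip
add name=eoip-remote local-address=172.16.5.10 remote-address=198.51.100.10 \
    tunnel-id=100 keepalive=10s,10 clamp-tcp-mss=yes
/interface bridge port
add bridge=bridge-lab interface=eoip-remote
```

Checks and caveats: after the primary side brings up the peer, `/ip ipsec active-peers print` on either CHR should show the established IKEv2 SA with NAT-T detected, `/ip ipsec installed-sa print` should show the ESP pair, and with keepalive set the EoIP interface gets its running flag only once GRE is actually flowing both ways. If the corporate egress address is not stable, replace the fixed `address=203.0.113.50/32` on the responder with `0.0.0.0/0` and a policy template with `generate-policy` on the identity, since a transport-mode policy cannot name an address it does not know. IKEv2 with a long random PSK is chosen here over IKEv1 main mode because it avoids the aggressive-mode PSK exposure; certificate authentication is the next step up. Finally, EoIP plus ESP plus the UDP 4500 wrapper costs roughly 100 bytes of overhead, so bridged hosts sending full 1500-byte frames will be fragmented; `clamp-tcp-mss=yes` covers TCP, but non-TCP traffic needs a lower MTU on the bridged segment.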
