Site-to-site VPN through NAT and firewall on one side

Posted: Mon Jul 10, 2017 9:06 pm
by lapsio
Hi, I need to connect a remote lab network to the primary lab network over a VPN using a VM installed in the primary network. I have full control over the remote lab; however, the primary lab network is part of a huge corporate infrastructure, and port forwarding is not an option as it'd require a lot of changes. So the network scheme is more or less like this:

(remote lab) RouterOS CHR | KVM host | CCR1009 | RB2011 ---- INTERNET ---- <firewalls, NAT, scary shit> | ESXi host | RouterOS CHR (primary lab)

VMs on ESXi have internet access and lab network access; however, they're not exposed to the WAN, so the connection has to be initiated from this site. The CHR in the remote lab can have ports forwarded, as it's a significantly simpler infrastructure. Is it possible to bridge those 2 networks? Preferably on L2, but if that's not possible / not a good idea then L3 is fine as well.

Re: Site-to-site VPN through NAT and firewall on one side

Posted: Mon Jul 10, 2017 9:30 pm
by Van9018
I'd use IPSec as the underlying tunnel, with NAT-T mode enabled. NAT-T uses UDP port 4500 to encapsulate the IPSec packets, making them NAT-friendly. The primary side can be the initiator, so you only need to set up port forwarding on the remote site.

You can configure the policies so the IPSec tunnel is just a tunnel, not a site-to-site VPN. Then you can configure EoIP on both MikroTiks to use this tunnel to create the L2 site-to-site VPN connection.
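The following RouterOS configuration is an added illustration of the design in the reply above (IPsec carrying only the EoIP/GRE traffic, primary side initiating, EoIP bridged into the lab LAN); it is not from the original post or from MikroTik's documentation. It assumes RouterOS 6.3x/6.4x-era syntax (in 6.43 and later the pre-shared key and `generate-policy` moved to `/ip ipsec identity`), a bridge named `br-lab` already existing on both CHRs, the remote lab's public address 203.0.113.10 with UDP 500 and 4500 forwarded to the remote CHR, the primary CHR at 192.168.50.10 behind corporate NAT, and two constructed /32 tunnel-endpoint addresses (10.255.255.1 and 10.255.255.2) on a dummy bridge so the EoIP endpoints are stable no matter what the NAT does to the outer header. Replace `PSK-PLACEHOLDER` with a long random pre-shared key.

```routeros
# ---------- Remote lab CHR (responder, has forwarded UDP 500/4500) ----------
# Dummy interface to hold the tunnel-endpoint address (constructed value)
/interface bridge add name=lo-eoip
/ip address add address=10.255.255.1/32 interface=lo-eoip

# Use strong algorithms; the defaults are weaker than this
/ip ipsec proposal set [ find default=yes ] \
    enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# Accept IKE from any source: the primary site's NAT address is unknown.
# passive=yes means this side never initiates; generate-policy builds the
# matching policy from the initiator's proposal (address/protocol, tunnel mode).
/ip ipsec peer add address=0.0.0.0/0 passive=yes secret="PSK-PLACEHOLDER" \
    exchange-mode=main nat-traversal=yes generate-policy=port-strict \
    dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256

# Let only the IKE/NAT-T/ESP traffic reach the router; everything else
# that should cross the tunnel travels inside EoIP and never hits "input"
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 \
    action=accept comment="IKE and NAT-T from primary lab"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept

# EoIP between the two /32 endpoints; tunnel-id must match on both sides
/interface eoip add name=eoip-primary tunnel-id=10 \
    local-address=10.255.255.1 remote-address=10.255.255.2
/interface bridge port add bridge=br-lab interface=eoip-primary

# ---------- Primary lab CHR (initiator, behind corporate NAT) ----------
/interface bridge add name=lo-eoip
/ip address add address=10.255.255.2/32 interface=lo-eoip

/ip ipsec proposal set [ find default=yes ] \
    enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# Outbound only: nothing has to be opened on the corporate firewall as long
# as UDP 500/4500 egress is allowed (NAT-T rewrites the outer header)
/ip ipsec peer add address=203.0.113.10/32 secret="PSK-PLACEHOLDER" \
    exchange-mode=main nat-traversal=yes \
    dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256

# The policy covers only GRE between the two endpoints: the IPsec SA is
# "just a tunnel" for EoIP, not a LAN-to-LAN policy. tunnel=yes keeps the
# inner 10.255.255.x addresses intact across the NAT; level=require drops
# the GRE traffic if no SA is up instead of sending it in the clear.
/ip ipsec policy add src-address=10.255.255.2/32 dst-address=10.255.255.1/32 \
    protocol=gre action=encrypt level=require tunnel=yes \
    sa-src-address=192.168.50.10 sa-dst-address=203.0.113.10

/interface eoip add name=eoip-remote tunnel-id=10 \
    local-address=10.255.255.2 remote-address=10.255.255.1
/interface bridge port add bridge=br-lab interface=eoip-remote
```

Two checks after applying it: `/ip ipsec installed-sa print` on either side should show an ESP SA pair (the remote side's entry will carry the corporate NAT's public address, which is expected), and `/interface eoip print` should show the tunnel running. Because the traffic is GRE inside ESP inside UDP, the effective path MTU drops well below 1500; if large frames stall across the bridge, lower the MTU on the EoIP interfaces (or on the hosts) rather than on the WAN links. The /32 endpoint addresses are not routable by themselves; both CHRs reach them through their default route, and the IPsec policy (explicit on the initiator, generated on the responder) intercepts the GRE packets before they leave.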