garikello
just joined
Topic Author
Posts: 1
Joined: Sat Feb 27, 2021 10:18 pm

IPSEC switches to NAT-Traversal if set to IKE2

Sat Feb 27, 2021 10:36 pm

Hi All.
I've installed a fresh 6.22.3 RouterOS (actually, as a Cloud hoster router). Trying to initiate an IPSEC connection with a Palo Alto firewall.
What makes me sad is that I cannot force Mikrotik to turn off NAT-Traversal when working in IKE2 mode.

Specifically:

1. My IPSEC profile. Note that nat-traversal is off.
/ip ipsec profile print
...
 1   name="my_profile" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128 
     dh-group=ecp384,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024 lifetime=1d proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5 
2. My IPSEC peer. I want to use IKE2.
/ip ipsec peer print    
 0     name="my_peer" address=185.61.0.1/32 local-address=185.61.0.2 profile=my_profile exchange-mode=ike2 send-initial-contact=no
What I see is that Mikrotik keeps sending IKE2 requests using UDP port 4500 instead of 500.

If I change exchange-mode to main, then it starts using port 500, but switches to IKEv1, which I don't want.

Does anyone have ideas?
 
txfz
Frequent Visitor
Posts: 57
Joined: Tue Mar 10, 2020 9:02 am

Re: IPSEC switches to NAT-Traversal if set to IKE2

Fri Mar 12, 2021 5:34 pm

I've just encountered this phenomenon too while trying to figure out which filter rules are required to get IPsec going. RouterOS 6.47.1.

I've found that NAT traversal cannot be disabled when IKEv2 is used. I don't know why, or whether that makes sense.

The docs have got this:
Parameters that are ignored by IKEv2: proposal-check, compatibility-options, lifebytes, dpd-maximum-failures, nat-traversal.
https://help.mikrotik.com/docs/display/ ... Psec-Peers

Then the change log for 6.38.1 has got this:
*) winbox - hide "nat-traversal" setting in IPsec peer if IKEv2 is selected;
which, at least in current RouterOS versions, doesn't make sense, because the only place the NAT traversal option is found is under the IPsec profile, and it's there regardless of the exchange mode used. Probably because a profile is not dependent on a peer (only the other way around).

And then finally, 6.41 has this:
*) ike2 - do not allow to configure nat-traversal;
which, well... see the point above.
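A small check that captures the gotcha discussed in this thread, added here as an example and not code from either poster or from MikroTik: it parses the `/ip ipsec profile print` and `/ip ipsec peer print` output quoted above and reports which UDP ports each peer will actually use, flagging ike2 peers whose profile has nat-traversal=no since that setting is ignored. The rule that IKEv1 adds 4500 only when nat-traversal=yes, and that a missing nat-traversal value means yes, are assumptions for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Sample input: the two RouterOS "print" outputs quoted in the first post.
PROFILE_PRINT = """
 1   name="my_profile" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128
     dh-group=ecp384,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024 lifetime=1d proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
"""
PEER_PRINT = """
 0     name="my_peer" address=185.61.0.1/32 local-address=185.61.0.2 profile=my_profile exchange-mode=ike2 send-initial-contact=no
"""

_KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_print(text: str) -> List[Dict[str, str]]:
    """Parse RouterOS 'print' output into key/value records.
    A record starts with an indented item number (optionally followed by flags);
    indented lines without a number continue the previous record."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if re.match(r'\s*\d+\s', line):
            records.append({})
        if not records:
            continue  # legend lines before the first item
        for key, val in _KV.findall(line):
            records[-1][key] = val.strip('"')
    return records


def expected_udp_ports(peer: Dict[str, str], profiles: Dict[str, Dict[str, str]]) -> Set[int]:
    """IKEv2 ignores nat-traversal and talks on UDP 4500 (keep 500 open too).
    IKEv1 uses 500 and adds 4500 only when nat-traversal=yes (assumed default yes)."""
    profile = profiles.get(peer.get("profile", "default"), {})
    if peer.get("exchange-mode") == "ike2":
        return {500, 4500}
    return {500, 4500} if profile.get("nat-traversal", "yes") == "yes" else {500}


def lint(profile_text: str, peer_text: str) -> List[Tuple[str, List[int], str]]:
    """Return (peer name, sorted UDP ports, note) per peer; note is empty unless
    nat-traversal=no is silently ignored because the peer uses ike2."""
    profiles = {p["name"]: p for p in parse_print(profile_text)}
    out = []
    for peer in parse_print(peer_text):
        prof = profiles.get(peer.get("profile", "default"), {})
        note = ""
        if peer.get("exchange-mode") == "ike2" and prof.get("nat-traversal") == "no":
            note = "nat-traversal=no is ignored for ike2; traffic still uses UDP 4500"
        out.append((peer["name"], sorted(expected_udp_ports(peer, profiles)), note))
    return out
```

Run `lint(PROFILE_PRINT, PEER_PRINT)` to see the ports your input firewall rules must accept (UDP 500 and 4500 plus ESP) for the peer in this thread.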
