andrei
newbie
Topic Author
Posts: 27
Joined: Wed Oct 29, 2014 9:53 am

Mikrotik ipsec passthrough with NAT

Wed Feb 17, 2016 1:27 pm

I have a Mikrotik device with a public address on an interface and I need to allow a Cisco router that connects to it to establish an IPsec VPN (it requires UDP 500, UDP 4500 and ipsec-esp).
I have done dst-nat from the public address to the local one (the Cisco router) and masquerading for the outgoing connection, but the Cisco still can't establish the IPsec connection.

Is there something I am not taking into account here for ipsec to work through the Mikrotik?
 
harrysl21
just joined
Posts: 6
Joined: Tue Jul 15, 2014 8:06 am

Re: Mikrotik ipsec passthrough with NAT

Fri Mar 04, 2016 4:14 am

PEER IPSEC >> INTERNET >> MIKROTIK >> CISCO

CMIIW, you need to create an IPsec connection using the Cisco device? Why don't you use the Mikrotik as an IPsec VPN gateway?

If you want to use the Cisco as your VPN gateway, you need to allow UDP 500, UDP 4500 and ipsec-esp through the Mikrotik firewall, and make sure the Cisco routes via the Mikrotik.
 
pe1chl
Forum Guru
Posts: 6660
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik ipsec passthrough with NAT

Fri Mar 04, 2016 2:30 pm

> Is there something I am not taking into account here for ipsec to work through the Mikrotik?
- Remove all the special measures you have taken from the MikroTik.
- Make sure the Cisco is configured to allow NAT-T.

Remember that "IPsec with NAT-T" is nothing like normal IPsec. It is not a separate protocol, it is just
UDP traffic on port 4500 just like any other user. It is handled by normal masquerading.

NAT-T only works with IPsec tunnel mode and using ESP. No transport mode, no AH.
 
mrz
MikroTik Support
Posts: 6043
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Mikrotik ipsec passthrough with NAT

Fri Mar 04, 2016 4:27 pm

> NAT-T only works with IPsec tunnel mode and using ESP. No transport mode, no AH.
Not really, L2TP/Ipsec is transport mode and works with no problems over NAT.
 
pe1chl
Forum Guru
Posts: 6660
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik ipsec passthrough with NAT

Fri Mar 04, 2016 9:41 pm

> NAT-T only works with IPsec tunnel mode and using ESP. No transport mode, no AH.
>> Not really, L2TP/Ipsec is transport mode and works with no problems over NAT.
I have been trying to get GRE over IPsec transport work over NAT-T and have not been successful.
GRE over IPsec transport works OK without NAT both with ESP and with AH, and also IPsec/ESP tunnel over
NAT-T works OK. IPsec/AH tunnel does not work over NAT-T.

Do you think it is possible to do GRE over IPsec/ESP transport over NAT-T?
If so, how to configure it in GRE Tunnel, IPsec Policy and IPsec Peer?
 
andrei
newbie
Topic Author
Posts: 27
Joined: Wed Oct 29, 2014 9:53 am

Re: Mikrotik ipsec passthrough with NAT

Mon Mar 07, 2016 11:09 am

> PEER IPSEC >> INTERNET >> MIKROTIK >> CISCO
>
> CMIIW, you need to create an IPsec connection using the Cisco device? Why don't you use the Mikrotik as an IPsec VPN gateway?
>
> If you want to use the Cisco as your VPN gateway, you need to allow UDP 500, UDP 4500 and ipsec-esp through the Mikrotik firewall, and make sure the Cisco routes via the Mikrotik.

I am not using the Mikrotik as a VPN gateway because its purpose is to be a backup gateway for the Cisco router. All IPsec configuration is on the Cisco router. Also, I do not have access to the Cisco router. The config is done by a client and they want to use their own router.

From what I know, they are trying to get a DMVPN config running. They said they have it running now (I don't know what they did).
 
andrei
newbie
Topic Author
Posts: 27
Joined: Wed Oct 29, 2014 9:53 am

Re: Mikrotik ipsec passthrough with NAT

Mon Mar 07, 2016 12:35 pm

> NAT-T only works with IPsec tunnel mode and using ESP. No transport mode, no AH.
>> Not really, L2TP/Ipsec is transport mode and works with no problems over NAT.
> I have been trying to get GRE over IPsec transport work over NAT-T and have not been successful.
> GRE over IPsec transport works OK without NAT both with ESP and with AH, and also IPsec/ESP tunnel over
> NAT-T works OK. IPsec/AH tunnel does not work over NAT-T.
>
> Do you think it is possible to do GRE over IPsec/ESP transport over NAT-T?
> If so, how to configure it in GRE Tunnel, IPsec Policy and IPsec Peer?

I have tried to run GRE over a NATed connection (one end) and it worked.
BUT it only worked if you encrypt all protocols in the policy settings, not only protocol 47.
It is unclear to me why this is, if it is a bug or there is something I am missing.
 
pe1chl
Forum Guru
Posts: 6660
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik ipsec passthrough with NAT

Mon Mar 07, 2016 6:55 pm

You probably did GRE over IPsec in tunnel mode (with ESP) and then enable NAT.
This works ok, indeed.
But the default when setting up GRE over IPsec is transport mode and this does not work over NAT as far as I know.

Of course GRE over IPsec in tunnel mode and then over NAT-T adds a terrible amount of overhead :-(

For now, I use GRE immediately over NAT without IPsec. Not encrypted but that is not required in this case.
Some more authentication would be nice.
 
andrei
newbie
Topic Author
Posts: 27
Joined: Wed Oct 29, 2014 9:53 am

Re: Mikrotik ipsec passthrough with NAT

Mon Mar 07, 2016 9:24 pm

No, I did GRE IPsec in transport mode(default mode) and it worked with the issue I mentioned.
 
j23
just joined
Posts: 3
Joined: Thu Sep 22, 2016 11:08 pm

Re: Mikrotik ipsec passthrough with NAT

Fri Sep 23, 2016 2:29 am

Hi, has your issue been resolved?
 
pe1chl
Forum Guru
Posts: 6660
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik ipsec passthrough with NAT

Thu Nov 17, 2016 2:54 pm

> No, I did GRE IPsec in transport mode(default mode) and it worked with the issue I mentioned.
I have finally found what confused me with IPsec in combination with NAT.
The issue is this: GRE or IPIP or L2TP over IPsec in transport mode can work over NAT, but it will NOT use the NAT-T
protocol in that case. Only IPsec with ESP in tunnel mode uses NAT-T.
NAT-T is the encapsulation of ESP packets in another layer of UDP (port 4500).

When the NAT router you need to traverse does not NAT the raw ESP packets sent when using IPsec without NAT-T,
the connection does not work. And *that* is what has been my problem all the time. It can be avoided by forcing
IPsec tunnel mode with NAT-T. I now have another installation with different NAT router than usual, it allows NAT
of ESP traffic, and it works with GRE-over-IPsec transport without NAT-T. (of course saving some overhead)
 
andriys
Forum Guru
Posts: 1353
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Mikrotik ipsec passthrough with NAT

Thu Nov 17, 2016 3:37 pm

> The issue is this: GRE or IPIP or L2TP over IPsec in transport mode can work over NAT, but it will NOT use the NAT-T
> protocol in that case. Only IPsec with ESP in tunnel mode uses NAT-T.

ESP is used to encapsulate traffic in both tunnel and transport mode. RFC3948 ("UDP Encapsulation of IPsec ESP Packets") covers both tunnel and transport mode, and so NAT-T should work equally well for both tunnel and transport mode IPsec.

PS. NAT-T implementation in RouterOS used to be half-baked up until 6.38rc24, but now the situation is getting better.
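To make concrete what pe1chl and andriys are describing (RFC 3948 UDP encapsulation on port 4500, the Non-ESP marker that keeps IKE and ESP apart on that port, and why a port-based NAT forwards encapsulated ESP but not raw ESP or AH), here is an added Python model; it is not code from this thread or from RouterOS, and the SPI, sequence number, ciphertext and helper set are constructed sample values.

```python
import struct

# IP protocol numbers that come up in the thread
UDP, GRE, ESP, AH = 17, 47, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 sec. 2.2: prefix for IKE carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 sec. 2.3: one-byte NAT keepalive


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Minimal ESP packet (RFC 4303): SPI, sequence number, then the opaque encrypted body.
    The body is the same whether the SA is in tunnel or transport mode; only its contents differ."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would be mistaken for the Non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def udp_encapsulate(esp_packet: bytes):
    """NAT-T (RFC 3948 sec. 2.1): the ESP packet becomes the payload of a UDP datagram on
    4500/4500 with no extra marker. The NAT now sees plain UDP and can rewrite address and port."""
    return NAT_T_PORT, NAT_T_PORT, esp_packet


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload the way a NAT-T receiver must (RFC 3948 sec. 2.2/2.3)."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 8:                       # shorter than SPI + sequence number
        return "runt"
    if payload[:4] == NON_ESP_MARKER:          # IKE shares the port, flagged by four zero bytes
        return "ike"
    return "esp"                               # a real SPI is never zero, so anything else is ESP


def nat_can_translate(ip_proto: int, helpers: frozenset = frozenset()) -> bool:
    """Whether a port-based NAT such as RouterOS masquerade can forward one direction of a flow.
    'helpers' is the constructed set of portless protocols the NAT has a connection helper for.
    UDP always passes (IKE on 500, NAT-T on 4500). Raw ESP passes only with an ESP helper, which
    is pe1chl's 'NAT router that does not pass and return ESP'. AH never survives: its integrity
    check covers the source and destination addresses the NAT rewrites."""
    if ip_proto == UDP:
        return True
    if ip_proto == AH:
        return False
    return ip_proto in helpers
```
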
 
pe1chl
Forum Guru
Posts: 6660
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik ipsec passthrough with NAT

Thu Nov 17, 2016 5:49 pm

Did you see what is written on page 5? Probably that checksum fiddling is not implemented...

When 6.38 gets released I will again try to see if I can get GRE over IPsec transport working in a NAT router
that does not pass and return ESP. Previously, I have been unable to do so until I made a manual config
that uses GRE over IPsec tunnel + NAT-T.
