1001001
Frequent Visitor
Topic Author
Posts: 70
Joined: Mon Sep 24, 2012 12:46 pm

IPsec NAT traversal

Wed Nov 23, 2016 3:38 pm

Hello everybody,

we have several requests for IPsec tunnels through our MikroTik routers. I've searched the forum but didn't find anything specific pertaining to the problem.
A few topics talk about adding firewall rules in the forward chain to allow traffic through ports 500 and 4500 and IP protocols 50 and 51. I tried the rules; they don't allow IPsec traffic through the router.
We tested with a Sophos and a Cisco client; both show the same timeout.

How do I achieve reliable IPsec passthrough through the NAT?

Thanks in advance!

Best Regards

1001001
 
1001001
Frequent Visitor
Topic Author
Posts: 70
Joined: Mon Sep 24, 2012 12:46 pm

Re: IPsec NAT traversal

Mon Nov 28, 2016 10:12 am

bump!!!
 
andriys
Forum Guru
Posts: 1193
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPsec NAT traversal

Mon Nov 28, 2016 1:53 pm

A few topics talk about adding firewall rules in the forward chain to allow traffic through ports 500 and 4500 and IP protocols 50 and 51. I tried the rules; they don't allow IPsec traffic through the router.
We tested with a Sophos and a Cisco client; both show the same timeout.
That should work just fine. Some items to check:
  1. Make sure you allow UDP traffic. The ports are 500/udp and 4500/udp.
  2. NAT-T should also be enabled on the VPN concentrator (though as I understand that is beyond your responsibility).
  3. Allowing traffic to port 500/udp is always required.
  4. You will only see traffic to port 4500/udp if NAT-T (IPsec NAT Traversal) is negotiated between initiator (VPN client) and responder (VPN server).
  5. Likewise you will only see IP protocol 50 (ESP) traffic if NAT-T is NOT negotiated (i.e. disabled on either client, server, or both).
  6. Protocol 51 (AH) is not needed for Cisco VPN Client to work. Not sure about Sophos.

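The checklist above, written out as a RouterOS firewall filter configuration. This is an added example and not something posted in the thread or taken from MikroTik's documentation; it assumes VPN clients sit on the LAN side of a router that masquerades towards the internet on an interface named ether1 (the interface name is an assumption), and that the forward chain is where the router decides what client traffic may leave.

```routeros
# Added example (not from the thread): forward-chain rules for IPsec passthrough
# from LAN clients to external VPN servers. ether1 = WAN is an assumption.
/ip firewall filter
# Stateful rule first: replies to the client's IKE / NAT-T / ESP packets are
# accepted here, so the rules below only need to cover the outbound direction.
add chain=forward connection-state=established,related action=accept \
    comment="stateful: replies for IKE, NAT-T and ESP"
# IKE (ISAKMP) on 500/udp is always required; the client starts negotiation here.
add chain=forward protocol=udp dst-port=500 out-interface=ether1 action=accept \
    comment="IKE 500/udp (always needed)"
# NAT-T on 4500/udp: only seen when client and VPN server agree to wrap ESP in UDP.
add chain=forward protocol=udp dst-port=4500 out-interface=ether1 action=accept \
    comment="IPsec NAT-T 4500/udp (only when NAT-T is negotiated)"
# Raw ESP (IP protocol 50): only seen when NAT-T is NOT negotiated.
add chain=forward protocol=ipsec-esp out-interface=ether1 action=accept \
    comment="ESP without NAT-T"
# AH (IP protocol 51) is not needed for the Cisco client; add only if your
# concentrator is known to use it.
# add chain=forward protocol=ipsec-ah out-interface=ether1 action=accept comment="AH"

# Check: start a client connection, then watch the per-rule packet counters.
/ip firewall filter print stats where chain=forward
```

Reading the counters maps directly onto points 3 to 5 of the list: the 500/udp rule must always count packets when a client connects; if the 4500/udp counter stays at zero while the ESP rule counts, NAT-T was not negotiated (check point 2 on the concentrator side); if neither 4500/udp nor ESP ever counts, the negotiation on 500/udp itself is failing and the problem is not the passthrough rules.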