andshort
just joined
Topic Author
Posts: 11
Joined: Mon Oct 31, 2022 12:19 pm

Does mikrotik support NAT traversal for IPSEC?

Mon Dec 05, 2022 5:18 pm

Hello all,

I've searched the forum but cannot find a configuration on MikroTik to enable NAT traversal. Basically, IPSEC does not really like or support NAT. Some cheap routers have an option called nat-traversal which allows IPSEC to function behind NAT (this is how it is configured at the moment with the ISP router). Is this configuration possible on MikroTik? Please, I need to know so I can tell the customer to purchase a MikroTik device in order to replace the ISP router. Below is what I want to achieve. Is this supported on MT?

IPSEC SERVER (10.0.0.1) <---> (10.0.0.254) Mikrotik <----> PPPoE (public IP) <----> Internet <---->IPSEC CLIENT (dynamic/public)

Thanks in advance; all articles I've found talk about how to enable NAT traversal on end devices, which I have done and I know are working with the cheap ISP router.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Does mikrotik support NAT traversal for IPSEC?

Mon Dec 05, 2022 5:34 pm

Yes, Mikrotik does support NAT traversal for IPsec. The setting for IKE(v1) is nat-traversal=yes on /ip ipsec profile row; in IKEv2, NAT traversal support is part of the standard.

If you have in mind that the Mikrotik would not act as an IPsec responder itself but would just forward IPsec traffic between the external client and the internal "IPsec server", this is also possible.
 
andshort
just joined
Topic Author
Posts: 11
Joined: Mon Oct 31, 2022 12:19 pm

Re: Does mikrotik support NAT traversal for IPSEC?

Mon Dec 05, 2022 6:15 pm

> Yes, Mikrotik does support NAT traversal for IPsec. The setting for IKE(v1) is nat-traversal=yes on /ip ipsec profile row; in IKEv2, NAT traversal support is part of the standard.
>
> If you have in mind that the Mikrotik would not act as an IPsec responder itself but would just forward IPsec traffic between the external client and the internal "IPsec server", this is also possible.

Thank you very much for your answer. I am not sure what you mean in the second part of your message. I believe what happens under the hood with the NAT traversal is the enabling of "the ESP protocol with IP protocol number 50".
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Does mikrotik support NAT traversal for IPSEC?

Mon Dec 05, 2022 6:47 pm

No, when you use ESP with NAT traversal it will use UDP port 4500 instead of IP protocol 50.
 
andshort
just joined
Topic Author
Posts: 11
Joined: Mon Oct 31, 2022 12:19 pm

Re: Does mikrotik support NAT traversal for IPSEC?

Mon Dec 05, 2022 7:59 pm

> No, when you use ESP with NAT traversal it will use UDP port 4500 instead of IP protocol 50.

So there are two ways to achieve an IPsec server behind NAT? One using ESP with NAT traversal (as mentioned also by @sindy) and also by using protocol 50? If yes, are both options supported by MikroTik?
Thanks again.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Does mikrotik support NAT traversal for IPSEC?

Mon Dec 05, 2022 8:48 pm

No, when you use ESP with NAT traversal it will use UDP port 4500 instead of IP protocol 50.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Does mikrotik support NAT traversal for IPSEC?

Mon Dec 05, 2022 8:55 pm

is there an echo in here or does someone have a 'short' attention span? ;-)
 
gabacho4
Member
Posts: 330
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: Does mikrotik support NAT traversal for IPSEC?

Mon Dec 05, 2022 9:12 pm

Just as a data point, I'm currently running an IPsec (IKEv2) connection with one endpoint behind NAT with no problem. As mentioned, UDP port 4500 is used. I've tested IPsec with both endpoints behind NAT in my lab environment and have had no issues. Unless you deliberately disable NAT-T, it works.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Does mikrotik support NAT traversal for IPSEC?  [SOLVED]

Mon Dec 05, 2022 9:15 pm

> So there are two ways to achieve ipsec server behind nat? One using ESP with NAT traversal (as mentioned also by @sindy) and also by using protocol 50? If yes, are both options supported by mikrotik?

ESP is IP protocol 50. As it has no notion of ports, there would be a problem if two initiators connecting to the same responder ("server") got NATed to the same IP address, as the NAT device would not be able to find out to which of the two initiators to forward a packet from the responder. So the peers (the initiator and the responder) use the NAT-T extension to IKE(v1), or the same procedure embedded in IKEv2, to find out whether there are one or more NATs on the path between them, and if they detect that, they start encapsulating the ESP datagrams into UDP packets rather than directly into just IP packets, reusing the NAT pinholes already created for the IKE/IKEv2 control session.

The setting you can see on the "cheap router" is related to the scenario where that router itself acts as an IPsec peer - it permits the IPsec peer running on that router to use the NAT detection & traversal mechanism described above.

A router that is doing the NAT but is not an IPsec peer itself handles transit IPsec traffic just as any other one, without any special measures. Only if you wanted that in cases where there is no NAT between the remote peer and the local NATing router, the peers would use ESP (e.g. because the extra overhead of the UDP-encapsulated ESP would bother you), you could use a trick: port-forward incoming traffic to UDP ports 500 and 4500 as well as incoming ESP traffic to the private address of the IPsec responder at the private side of the NAT, but let the IPsec server undo the dst-nat and behave as if it had the public IP on itself, so the NAT-T mechanism would not notice that a NAT is there.
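To put the two cases from this thread into RouterOS terms, here is an added configuration example for the topology in the first post (IPSEC SERVER 10.0.0.1 behind a MikroTik at 10.0.0.254 with a PPPoE uplink). It is not from any poster and not MikroTik documentation; it assumes the PPPoE interface is named pppoe-out1 and that the internal responder is 10.0.0.1. It covers both the profile setting for the case where the MikroTik is itself the IKEv1 peer and the dst-nat forwarding for the case where the MikroTik only NATs and an internal responder must be reachable from the Internet.

```routeros
# Added example (not from the thread). Assumed names: WAN = pppoe-out1,
# internal IPsec responder = 10.0.0.1 (from the first post's diagram).

# Case A: the MikroTik is itself the IPsec peer. For IKEv1 let it run the
# NAT detection/traversal procedure; for IKEv2 NAT-T is part of the standard
# and needs no switch.
/ip ipsec profile
set [ find default=yes ] nat-traversal=yes

# Case B: the MikroTik only NATs, the responder is 10.0.0.1 behind it.
# Unsolicited IKE from Internet initiators has to be forwarded to it, and
# NAT-T then carries ESP inside UDP/4500 through the same pinhole.
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade \
    comment="LAN to Internet"
add chain=dstnat in-interface=pppoe-out1 protocol=udp dst-port=500,4500 \
    action=dst-nat to-addresses=10.0.0.1 \
    comment="IKE (500) and NAT-T / UDP-encapsulated ESP (4500) to responder"
# Only needed for the plain-ESP variant described above, where the responder
# is made to present the public address itself; harmless otherwise.
add chain=dstnat in-interface=pppoe-out1 protocol=ipsec-esp \
    action=dst-nat to-addresses=10.0.0.1 \
    comment="plain ESP (IP protocol 50) to responder"

# Let only what dst-nat admitted through a restrictive forward chain. Place
# these above any rule that drops new connections arriving from the WAN.
/ip firewall filter
add chain=forward in-interface=pppoe-out1 connection-nat-state=dstnat \
    dst-address=10.0.0.1 protocol=udp dst-port=500,4500 action=accept \
    comment="inbound IKE / NAT-T to responder"
add chain=forward in-interface=pppoe-out1 connection-nat-state=dstnat \
    dst-address=10.0.0.1 protocol=ipsec-esp action=accept \
    comment="inbound plain ESP to responder"
```

With the UDP rules alone, the responder at 10.0.0.1 sees packets addressed to its private address, the NAT detection in IKE concludes that a NAT is on the path, and both peers switch to UDP-encapsulated ESP on port 4500, which is the standard and supported path. The ESP rule matters only for the plain-ESP trick, and because ESP has no ports it can be forwarded to one internal responder only; making that responder present the public address is done on the server, not in RouterOS, and is not shown here.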
 
andshort
just joined
Topic Author
Posts: 11
Joined: Mon Oct 31, 2022 12:19 pm

Re: Does mikrotik support NAT traversal for IPSEC?

Tue Dec 06, 2022 9:00 am

> So there are two ways to achieve ipsec server behind nat? One using ESP with NAT traversal (as mentioned also by @sindy) and also by using protocol 50? If yes, are both options supported by mikrotik?
>
> ESP is IP protocol 50. As it has no notion of ports, there would be a problem if two initiators connecting to the same responder ("server") got NATed to the same IP address, as the NAT device would not be able to find out to which of the two initiators to forward a packet from the responder. So the peers (the initiator and the responder) use the NAT-T extension to IKE(v1), or the same procedure embedded in IKEv2, to find out whether there are one or more NATs on the path between them, and if they detect that, they start encapsulating the ESP datagrams into UDP packets rather than directly into just IP packets, reusing the NAT pinholes already created for the IKE/IKEv2 control session.
>
> The setting you can see on the "cheap router" is related to the scenario where that router itself acts as an IPsec peer - it permits the IPsec peer running on that router to use the NAT detection & traversal mechanism described above.
>
> A router that is doing the NAT but is not an IPsec peer itself handles transit IPsec traffic just as any other one, without any special measures. Only if you wanted that in cases where there is no NAT between the remote peer and the local NATing router, the peers would use ESP (e.g. because the extra overhead of the UDP-encapsulated ESP would bother you), you could use a trick: port-forward incoming traffic to UDP ports 500 and 4500 as well as incoming ESP traffic to the private address of the IPsec responder at the private side of the NAT, but let the IPsec server undo the dst-nat and behave as if it had the public IP on itself, so the NAT-T mechanism would not notice that a NAT is there.

Thanks for your comprehensive reply. Unfortunately, I was just informed that the ISP router cannot work in bridged mode and it is not supported to change the device. Instead I am looking into changing the whole IPsec setup and switching it to OpenVPN (my end devices do not support WireGuard). This also means I will need to reconfigure 55 end devices...

Thank you all for your comments.
