Hilton, thanks a lot for your support and sharing knowledge!!
If you install a Mikrotik router at the big guy's house, then you can create a LAN to LAN VPN which is permanently on, although this is most often set up without the IPSec part, just using MPPE 128 stateless encoding of the L2TP connection.
"big guy's house" - you are right! Hm, a LAN to LAN VPN is interesting but maybe too much for him and for the management of such a setup, because he is not an IT expert, so in such a case some IT expert may need to go to his home too often, and I also think that he does not want to have lots of IT infrastructure in his home running 24/7.
Assuming it's an ADSL router, you could test this by changing it to bridge (modem) mode and then creating a PPPoE connection directly from the WinXP computer. Then test the L2TP VPN connection to your Mikrotik router. This test effectively bypasses the router and you then have the ability to turn off the XP firewall for testing purposes.
Yes, in his home he has an ADSL connection with a dynamic IP. The IP changes on every new PPPoE connection and lasts at most 24 hours without changing - it is reset every 24 hours by his ISP.
I have tested the L2TP/IPSec connection from his Win XP SP2 machine when this machine has a public IP address (using an HSDPA-UMTS mobile internet modem), and in that scenario the machine 100% successfully establishes an L2TP/IPSec VPN connection with the MT server in the office every time, and this is great. The only problem is when this machine is behind his home ADSL router with NAT, and this is the standard situation which I need to solve. So, this ADSL router is probably the problem?!
Remember, IPSec cannot pass through NAT without some help so you are relying on the ability of the router to do this properly. I believe two Mikrotiks will do this but I haven't implemented this configuration yet.
Yes, you are right! That is my problem.
Are there any suggestions on how to test this lousy router for its IPSec capabilities?
MikroTik NAT-Traversal IPSec capabilities are targeted at the scenario where the client is behind NAT, and not where the MT is behind NAT? Am I right?