rastod
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 04, 2005 11:35 pm
Location: Slovakia

IPsec over NAT

Mon May 22, 2006 3:49 pm

Is it possible to configure an IPsec tunnel between MT1 and MT2 that are behind NAT, like here:

LAN1 <--> MT1 <--> NAT/firewall <---- WAN ----> NAT/firewall <--> MT2 <--> LAN2

If so, how is it possible?
 
fatonk
Member
Posts: 439
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Mon May 22, 2006 6:59 pm

It is possible, if you deny NAT for that destination IPsec peer and allow NAT for everything else.

Regards.

Faton
 
rastod
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 04, 2005 11:35 pm
Location: Slovakia

Mon May 22, 2006 7:09 pm

No no, please consider carefully: the IPsec MikroTik router is behind the NAT router. And I see a problem with the configuration of sa-src-address and sa-dst-address. I should set up the addresses of the NAT router and not the addresses of my IPsec router. But in this way the IPsec tunnel does not work. I get messages in the log:
01:47:56 ipsec,info ipsec no sa found: proto=esp spi=256 src=x.y.z.163 dst=a.b.c.2
01:47:57 ipsec,warning incoming packet with unknown SPI
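The two log lines above are the symptom to look for when an IPsec peer sits behind a NAT that rewrites the outer IP header: the router receives ESP whose source address is the remote NAT's public address, finds no SA configured for that address pair, and reports an unknown SPI. The following script is an added example, not code from the thread or from MikroTik; it parses lines in the RouterOS "ipsec" log format quoted above and compares the addresses actually seen with the sa-src-address / sa-dst-address the policy was configured with. The sample log and all addresses (RFC 5737 documentation ranges) are constructed, and the configured endpoints passed to `diagnose()` are hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the RouterOS "ipsec" log format quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not taken from any real network.
SAMPLE_LOG = """\
01:47:56 ipsec,info ipsec no sa found: proto=esp spi=256 src=203.0.113.163 dst=198.51.100.2
01:47:57 ipsec,warning incoming packet with unknown SPI
01:48:11 ipsec,info ipsec no sa found: proto=esp spi=256 src=203.0.113.163 dst=198.51.100.2
01:48:12 ipsec,warning incoming packet with unknown SPI
"""

NO_SA_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ipsec,info ipsec no sa found: "
    r"proto=(?P<proto>\w+) spi=(?P<spi>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
UNKNOWN_SPI_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ipsec,warning incoming packet with unknown SPI$"
)


@dataclass(frozen=True)
class NoSaEvent:
    time: str
    proto: str
    spi: int
    src: str  # outer-header source address as the router saw it
    dst: str  # outer-header destination address as the router saw it


def parse_no_sa(line: str) -> Optional[NoSaEvent]:
    """Return a NoSaEvent for a 'no sa found' line, else None."""
    m = NO_SA_RE.match(line.strip())
    if m is None:
        return None
    return NoSaEvent(m["time"], m["proto"], int(m["spi"]), m["src"], m["dst"])


def is_unknown_spi(line: str) -> bool:
    """True for the 'incoming packet with unknown SPI' warning."""
    return UNKNOWN_SPI_RE.match(line.strip()) is not None


def classify_pair(src: str, dst: str, sa_src: str, sa_dst: str) -> str:
    """For an inbound packet the router expects src == sa-dst-address (remote
    peer) and dst == sa-src-address (local endpoint). Anything else means the
    SA lookup can never succeed: the outer addresses were rewritten on the path."""
    if src == sa_dst and dst == sa_src:
        return "addresses-match"  # SA absent or SPI differs: check IKE phase 2
    if src != sa_dst and dst == sa_src:
        return "remote-address-rewritten"  # NAT in front of the remote peer
    if src == sa_dst and dst != sa_src:
        return "local-address-rewritten"  # NAT in front of this router
    return "both-addresses-rewritten"


def diagnose(log_text: str, sa_src: str, sa_dst: str) -> Dict[str, object]:
    """Summarise ipsec log lines against the configured SA endpoints."""
    events: List[NoSaEvent] = []
    unknown_spi = 0
    for line in log_text.splitlines():
        ev = parse_no_sa(line)
        if ev is not None:
            events.append(ev)
        elif is_unknown_spi(line):
            unknown_spi += 1
    pairs = Counter((e.src, e.dst) for e in events)
    verdicts: Dict[Tuple[str, str], str] = {
        pair: classify_pair(pair[0], pair[1], sa_src, sa_dst) for pair in pairs
    }
    # proto=esp means the packet arrived as raw ESP (IP protocol 50), not as
    # UDP-encapsulated ESP on port 4500 as NAT-T (RFC 3948) sends it. Raw ESP
    # carries no ports for a NAT device to track, which is why NAT-T exists.
    raw_esp = any(e.proto == "esp" for e in events)
    return {
        "no_sa_events": len(events),
        "unknown_spi_warnings": unknown_spi,
        "verdicts": verdicts,
        "raw_esp_seen": raw_esp,
    }


if __name__ == "__main__":
    # Hypothetical policy: local endpoint 198.51.100.2, remote peer configured
    # as 192.0.2.7, while the router actually sees 203.0.113.163 (remote NAT).
    result = diagnose(SAMPLE_LOG, sa_src="198.51.100.2", sa_dst="192.0.2.7")
    for (src, dst), verdict in result["verdicts"].items():
        print(f"{src} -> {dst}: {verdict}")
    print(result)
```

Run against a real log export, the verdict tells you which side of the tunnel has a NAT rewriting the outer header, and `raw_esp_seen` confirms the peers are exchanging plain ESP rather than the UDP-encapsulated form that NAT-T would produce; without NAT-T on both peers, the address pair in the SA can only match if no NAT sits on the path.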
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Re: IPsec over NAT

Tue May 23, 2006 11:59 am

Generally it's not possible.
 
maroon
Member Candidate
Posts: 233
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Tue May 23, 2006 12:41 pm

MAG!!
Once you mentioned NAT-T on the forum before. Does this affect IPsec too? We all know MikroTik doesn't support this feature (hope it does in future...)
Regards,
 
fatonk
Member
Posts: 439
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Tue May 23, 2006 12:48 pm

With Cisco I was able to configure NAT and IPsec: I created an access list which denies NAT for the IPsec peers and allows NAT for other destinations. I never tried it with MikroTik, but I don't think it should be a problem.

regards.

Faton
