IPsec over NAT
Posted: Mon May 22, 2006 3:49 pm
Is it possible to configure an IPsec tunnel between MT1 and MT2 that are behind NAT, like here:
LAN1 <--> MT1 <--> NAT/firewall <---- WAN ----> NAT/firewall <--> MT2 <--> LAN2
If so, how is it possible?
Posted: Mon May 22, 2006 6:59 pm
It is possible, if you deny NAT for that destination IPsec peer, and allow NAT for everything else.
Posted: Mon May 22, 2006 7:09 pm
No no, please consider carefully: the IPsec MikroTik router is behind the NAT router. And I see a problem with the configuration of sa-src-address and sa-dst-address. I should set up the addresses of the NAT router and not the addresses of my IPsec router. But in this way the IPsec tunnel does not work. I get these messages in the log:
01:47:56 ipsec,info ipsec no sa found: proto=esp spi=256 src=x.y.z.163 dst=a.b.c.2
01:47:57 ipsec,warning incoming packet with unknown SPI
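As an added diagnostic example (not code from the thread or from MikroTik), the parser below reads ipsec log lines in the format quoted above, checks each "no sa found" event against the configured sa-src-address/sa-dst-address pairs, and reports whether the mismatch is an unknown source address (the symptom of a NAT rewriting the peer's address in transit) or simply an SPI with no established SA. The sample log, the extra log line and the configured address pair are constructed for the example.

```python
import re

# Constructed sample in the MikroTik ipsec log format quoted in the post above.
SAMPLE_LOG = """\
01:47:56 ipsec,info ipsec no sa found: proto=esp spi=256 src=x.y.z.163 dst=a.b.c.2
01:47:57 ipsec,warning incoming packet with unknown SPI
01:48:10 ipsec,info ipsec no sa found: proto=esp spi=4096 src=10.0.0.5 dst=a.b.c.2
"""

# Hypothetical policies on the receiving router: (sa-src-address, sa-dst-address).
CONFIGURED_SAS = {("a.b.c.2", "10.0.0.5")}

NO_SA_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ipsec,(?P<level>\w+) ipsec no sa found: "
    r"proto=(?P<proto>\w+) spi=(?P<spi>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_ipsec_log(text):
    """Return ([no-sa events as dicts], count of 'unknown SPI' warnings)."""
    events, unknown_spi = [], 0
    for line in text.splitlines():
        m = NO_SA_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["spi"] = int(ev["spi"])
            events.append(ev)
        elif "incoming packet with unknown SPI" in line:
            unknown_spi += 1
    return events, unknown_spi


def diagnose(events, configured):
    """Explain each event. On the receiving side the packet's dst must be our
    sa-src-address and its src must be the peer's sa-dst-address."""
    locals_ = {local for local, _ in configured}
    peers = {peer for _, peer in configured}
    findings = []
    for ev in events:
        if (ev["dst"], ev["src"]) in configured:
            reason = f"addresses match a policy; SPI {ev['spi']} has no SA (phase 2 missing or expired)"
        elif ev["dst"] in locals_ and ev["src"] not in peers:
            reason = f"src {ev['src']} is not a configured sa-dst-address: peer address rewritten by NAT"
        else:
            reason = f"no policy covers dst {ev['dst']}"
        findings.append({**ev, "reason": reason})
    return findings


if __name__ == "__main__":
    evs, unknown = parse_ipsec_log(SAMPLE_LOG)
    for f in diagnose(evs, CONFIGURED_SAS):
        print(f"{f['time']} {f['proto']} spi={f['spi']} {f['src']}->{f['dst']}: {f['reason']}")
    print(f"{unknown} 'unknown SPI' warning(s)")
```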
Re: IPsec over NAT
Posted: Tue May 23, 2006 11:59 am
Generally it's not possible.
Posted: Tue May 23, 2006 12:41 pm
Once you mentioned on the forum before about NAT-T. Does this affect the IPsec too... we all know MikroTik doesn't support this feature (hope in future it does...)
Posted: Tue May 23, 2006 12:48 pm
With Cisco I was able to configure NAT and IPsec, so I created an access list which denies NAT for the IPsec peers and allows NAT for other destinations, but I never tried it with MikroTik; I don't think it should be a problem.