IPsec over NAT

Posted: Mon May 22, 2006 3:49 pm
by rastod
Is it possible to configure an IPsec tunnel between MT1 and MT2 that are behind NAT, like here:

LAN1 <--> MT1 <--> NAT/firewall <---- WAN ----> NAT/firewall <--> MT2 <--> LAN2

If so, how is it possible?

Posted: Mon May 22, 2006 6:59 pm
by fatonk
It is possible, if you deny NAT for that destination IPsec peer, and allow NAT for everything else.

Posted: Mon May 22, 2006 7:09 pm
by rastod
No no, please, consider carefully: the IPsec MikroTik router is behind the NAT router. And I see a problem with the configuration of sa-src-address and sa-dst-address. I should set up the addresses of the NAT router and not the addresses of my IPsec router. But in this way the IPsec tunnel does not work. I get messages in the log:
01:47:56 ipsec,info ipsec no sa found: proto=esp spi=256 src=x.y.z.163 dst=a.b.c.2
01:47:57 ipsec,warning incoming packet with unknown SPI
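
An added example (not from anyone in this thread) that parses RouterOS ipsec log lines in the format quoted above and summarises "no sa found" events by observed src/dst pair, so an operator can see at a glance that ESP is arriving from addresses that do not match the configured sa-src-address/sa-dst-address pairs. The expected-peer set and the 10.0.0.1 address are hypothetical placeholders, and the sample log is constructed from the two lines posted.

```python
import re
from collections import defaultdict

# Matches the "no sa found" line format quoted in the thread, e.g.
# 01:47:56 ipsec,info ipsec no sa found: proto=esp spi=256 src=x.y.z.163 dst=a.b.c.2
NO_SA_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ipsec,(?P<level>\w+) ipsec no sa found: "
    r"proto=(?P<proto>\w+) spi=(?P<spi>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
# Matches the follow-up warning line that usually accompanies it.
UNKNOWN_SPI_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ipsec,(?P<level>\w+) incoming packet with unknown SPI$"
)

def parse_ipsec_log(lines):
    """Return one dict per recognised ipsec log event; other lines are ignored."""
    events = []
    for line in lines:
        line = line.strip()
        m = NO_SA_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["event"] = "no_sa_found"
            ev["spi"] = int(ev["spi"])  # RouterOS prints the SPI in decimal here
            events.append(ev)
            continue
        m = UNKNOWN_SPI_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["event"] = "unknown_spi"
            events.append(ev)
    return events

def unmatched_peers(events, expected_peers):
    """Count 'no sa found' events per (src, dst) and keep only the pairs that
    are not in expected_peers, a set of (sa_src, sa_dst) tuples as seen by the
    receiving router. A non-empty result points at an SA address mismatch."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event"] == "no_sa_found":
            counts[(ev["src"], ev["dst"])] += 1
    return {pair: n for pair, n in counts.items() if pair not in expected_peers}

# Constructed sample input, copied from the two lines quoted in this post.
SAMPLE_LOG = [
    "01:47:56 ipsec,info ipsec no sa found: proto=esp spi=256 src=x.y.z.163 dst=a.b.c.2",
    "01:47:57 ipsec,warning incoming packet with unknown SPI",
]

if __name__ == "__main__":
    # Hypothetical SA configured for the inner router address rather than the NAT's public one.
    print(unmatched_peers(parse_ipsec_log(SAMPLE_LOG), {("10.0.0.1", "a.b.c.2")}))
```

If the only flagged pair is (NAT public address, local address), the SA was configured for the wrong addresses; if the source is an address you never peer with, treat the ESP as unexpected traffic worth investigating.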

Re: IPsec over NAT

Posted: Tue May 23, 2006 11:59 am
by mag
Generally it's not possible.

Posted: Tue May 23, 2006 12:41 pm
by maroon
MAG !!
Once you mentioned on the forum before about NAT-T. Does this affect IPsec too... we all know MikroTik doesn't support this feature (hope in future it does...)

Posted: Tue May 23, 2006 12:48 pm
by fatonk
With Cisco I was able to configure NAT and IPsec, so I created an access list which denies NAT for the IPsec peers and allows NAT for other destinations, but I never tried it with MikroTik; I don't think it should be a problem.