daliborg
just joined
Topic Author
Posts: 2
Joined: Wed Jul 25, 2018 8:50 pm

Is it possible to terminate IPsec tunnel on a router behind the Mikrotik router?

Sun May 21, 2023 9:58 pm

Hello everyone,

I have a main Mikrotik router with a static public IP address. Behind the Mikrotik router, I have a few local networks and a p2p ethernet link to the Cisco router.
On the main Mikrotik router, I have 2 IPsec tunnels terminated towards the branch sites.

Now I need to create an IPsec tunnel that will be terminated on the Cisco router, which is behind the Mikrotik router; on the other side is the customer's Cisco router.
My concern is whether it is possible to have an IPsec tunnel terminated on the Mikrotik and another tunnel that passes through the Mikrotik router and is terminated on some device behind the Mikrotik. Has anybody had a similar setup?
diagram.PNG
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is it possible to terminate IPsec tunnel on a router behind the Mikrotik router?

Mon May 22, 2023 8:51 am

In your particular scenario where Cisco R2 has a public address, it is possible from the Mikrotik R1 perspective, because you can tell it to handle IPsec traffic to/from the public address of Cisco R2 in a specific way. Since there is NAT on the path between Cisco R1 and Cisco R2, not only will the setup be a tad more complicated on them, but the overhead of the transport packets will also be 8 bytes larger, because to allow traversing the NAT, the ESP has to be encapsulated into UDP. If you wanted to get rid of this reduction of efficiency, you would have to assign the public IP address of Mikrotik R1 also to Cisco R1 in addition to its private address on WAN, and use NAT on both the Mikrotik and the Cisco to fool the NAT detection between the two Ciscos, which I know how to do on Mikrotik but I've never tried on Cisco.
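
Added example, not part of the post above or of anyone's reply in this thread: a Python sketch of the ESP-in-UDP encapsulation the post mentions, showing where the 8 extra bytes come from and how traffic on UDP 4500 can be told apart when inspecting a capture taken on the NAT path. The packet layout follows RFC 3948; the function names and sample packets are constructed for illustration.

```python
import struct

NATT_PORT = 4500      # UDP port used for IPsec NAT traversal (RFC 3948)
UDP_HEADER_LEN = 8    # the per-packet overhead discussed in the post

def udp_encapsulate(payload: bytes, sport: int = NATT_PORT,
                    dport: int = NATT_PORT) -> bytes:
    """Prepend a UDP header (checksum 0, as RFC 3948 allows for IPv4)."""
    header = struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0)
    return header + payload

def classify_natt(datagram: bytes) -> str:
    """Classify a raw UDP datagram (header + payload) seen on the NAT path."""
    if len(datagram) < UDP_HEADER_LEN:
        return "malformed"
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length != len(datagram):
        return "malformed"
    if NATT_PORT not in (sport, dport):   # NAT may rewrite one of the ports
        return "not-natt"
    body = datagram[UDP_HEADER_LEN:]
    if body == b"\xff":
        return "nat-keepalive"            # single 0xFF octet keeps the mapping alive
    if len(body) < 4:
        return "malformed"
    if body[:4] == bytes(4):
        return "ike"                      # 4 zero bytes: non-ESP marker before IKE
    return "esp-in-udp"                   # otherwise the first 4 bytes are the SPI

def natt_overhead(esp_packet: bytes) -> int:
    """Extra bytes per packet when ESP is carried in UDP instead of natively."""
    return len(udp_encapsulate(esp_packet)) - len(esp_packet)

# Constructed samples: SPI + sequence number + 32 opaque bytes, and a dummy IKE body.
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 1) + bytes(32)
SAMPLE_IKE = bytes(4) + b"\x11" * 28

if __name__ == "__main__":
    print("overhead:", natt_overhead(SAMPLE_ESP), "bytes")
    for label, body in (("esp", SAMPLE_ESP), ("ike", SAMPLE_IKE), ("ka", b"\xff")):
        # 61234 is a constructed example of a source port rewritten by NAT
        print(label, "->", classify_natt(udp_encapsulate(body, sport=61234)))
```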
 
Kentzo
Long time Member
Posts: 512
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Is it possible to terminate IPsec tunnel on a router behind the Mikrotik router?

Tue May 23, 2023 2:28 am

Am I missing something obvious, but why cannot Cisco R1 initiate an IPsec connection to Cisco R2, so Mikrotik R1 will see it as regular IP traffic?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Is it possible to terminate IPsec tunnel on a router behind the Mikrotik router?

Wed May 24, 2023 11:16 pm

> why cannot Cisco R1 initiate an IPsec connection to Cisco R2, so Mikrotik R1 will see it as a regular IP traffic?

Of course it can, I've just got too distracted by the ESP in UDP thing and forgot to explicitly mention that.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Is it possible to terminate IPsec tunnel on a router behind the Mikrotik router?

Thu May 25, 2023 12:22 am

> > why cannot Cisco R1 initiate an IPsec connection to Cisco R2, so Mikrotik R1 will see it as a regular IP traffic?
>
> Of course it can, I've just got too distracted by the ESP in UDP thing and forgot to explicitly mention that.

That's kind of like forgetting that there is a female condom when at the pharmacy distracted by the ribbed and coloured male condoms. ;-)
