nordscan
just joined
Topic Author
Posts: 4
Joined: Thu May 14, 2020 2:13 pm

Portforward 4500,500 to Cisco VPN server inside LAN

Wed Sep 28, 2022 4:33 pm

Hello
I need to connect from a customer's Win10 PC through the MikroTik to a Cisco VPN.

Win10 PC 85.x.x.x >>> Mikrotik Wan 188.x.x.x - LAN 192.168.1.1 >>> Cisco VPN 192.168.1.100

On the MikroTik, working PPTP/L2TP+IPsec is already configured, and I also specify src-address only for this user.
On Win10 I have already set AssumeUDPEncapsulationContextOnSendRule to 2 in the registry.

I forward ports 500, 4500 and ESP, but when I try to connect with the Cisco VPN client, I see only 1 packet received on port 500, and then the connection is terminated.
Any ideas??
12 X  ;;; test
      chain=dstnat action=dst-nat to-addresses=192.168.1.90 protocol=ipsec-esp src-address=85.x.x.x dst-address=188.x.x.x log=yes log-prefix="test - " 

15 X  ;;; test
      chain=dstnat action=dst-nat to-addresses=192.168.1.90 to-ports=500 protocol=udp src-address=85.x.x.x dst-address=188.x.x.x dst-port=500 log=yes log-prefix="test - " 

17 X  ;;; test
      chain=dstnat action=dst-nat to-addresses=192.168.1.90 to-ports=4500 protocol=udp src-address=85.x.x.x dst-address=188.x.x.x dst-port=4500 log=yes log-prefix="test- " 
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Portforward 4500,500 to Cisco VPN server inside LAN

Wed Sep 28, 2022 9:20 pm

Me thinks you have port forwarding misconfigured.

Read this link to get you over the learning curve: viewtopic.php?t=179343
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Portforward 4500,500 to Cisco VPN server inside LAN

Wed Sep 28, 2022 9:29 pm

Unlike @anav, I think your port forwarding rules look fine, but maybe there is a typo in the src-address and/or dst-address value? Does the packet counter of the dst-nat rule handling port 500 show a non-zero value? If yes, what do your /ip firewall filter rules look like?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Portforward 4500,500 to Cisco VPN server inside LAN

Wed Sep 28, 2022 9:57 pm

Aside from 100 and 90 being different numbers... but I guess it's just some "presentation error"; you'd surely notice that.
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Portforward 4500,500 to Cisco VPN server inside LAN

Wed Sep 28, 2022 10:16 pm

On IPsec VPN, it might be necessary to study the NAT-T (NAT traversal) used in end-points and routers.
Things are version and software dependent. In the 1998 to 2009 period I have seen a lot of evolution in NAT for IPsec, mostly creating trouble when things changed.

E.g. in the beginning, IPsec that required NAT did not work. Then came NAT-T(1), the first version of NAT traversal for IPsec, encapsulating IPsec in UDP on port 500.
If our technicians were at hotels with simple (IPsec-unaware) old routers/gateways, they could get IPsec for some time (probably until some other guest started an IPsec connection).
Then came NAT traversal with intelligence in the router for IPsec NAT, to support multiple sessions.
NAT-T in the client and NAT-T enabled in the remote router at the same time did not work for the mobile user.
Then came NAT-T draft 2, the second wave of IPsec NAT support. To avoid the conflicting NAT-T processing of the router, NAT-T2 used port 4500.
However, not all IPsec/NAT-T implementations in clients or servers supported NAT-T2 on port 4500.

So in hotels with old routers that had no support for IPsec, the NAT-T of the client worked (for 1 device) on port 500. If the router supported NAT traversal, the connection failed unless UDP port 4500 was used.

By that time, with 160 worldwide-travelling technicians, they all got converted to SSL VPN, so I lost track of the further evolution of NATted IPsec connectivity, as it was since then only used for static site-to-site connections.
Last edited by bpwl on Wed Sep 28, 2022 11:02 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Portforward 4500,500 to Cisco VPN server inside LAN

Wed Sep 28, 2022 10:42 pm

Sindy is correct, I missed that you had destination-address (for a fixed static WAN IP).
However, it's not clear that you have the requisite firewall rule to allow dst-nat.
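A complete rule set for the setup described in this thread (the dst-nat rules from the first post plus the forward-chain accept rule anav is asking about), as an added example that is not taken from any of the posts. It assumes RouterOS's default `WAN` interface list, the 192.168.1.100 server address given in the first post, and the thread's placeholder public addresses.

```routeros
# Added example: forward IKE, NAT-T and raw ESP from one fixed client to a
# Cisco VPN server behind the MikroTik, then let the dst-natted traffic
# through the forward chain. Addresses are the thread's placeholders; the
# WAN interface list is the RouterOS default (assumption).
/ip firewall nat
add chain=dstnat action=dst-nat comment="IKE phase 1 to Cisco VPN" \
    in-interface-list=WAN protocol=udp dst-port=500 \
    src-address=85.x.x.x dst-address=188.x.x.x \
    to-addresses=192.168.1.100 to-ports=500
add chain=dstnat action=dst-nat comment="IPsec NAT-T (UDP-encapsulated ESP)" \
    in-interface-list=WAN protocol=udp dst-port=4500 \
    src-address=85.x.x.x dst-address=188.x.x.x \
    to-addresses=192.168.1.100 to-ports=4500
# Raw ESP is only used when neither peer detects NAT; once NAT-T is
# negotiated the data path is UDP/4500 and this rule stays at zero packets.
add chain=dstnat action=dst-nat comment="raw ESP to Cisco VPN" \
    in-interface-list=WAN protocol=ipsec-esp \
    src-address=85.x.x.x dst-address=188.x.x.x \
    to-addresses=192.168.1.100

# dst-nat only rewrites the destination; the forward chain must still accept
# the new connection. Keep this rule above any forward-chain drop.
/ip firewall filter
add chain=forward action=accept comment="allow dst-natted VPN traffic in" \
    connection-state=new connection-nat-state=dstnat in-interface-list=WAN
```

Watch `/ip firewall nat print stats` while the client connects: the UDP/500 rule's packet counter should move first, then UDP/4500. A rule flagged `X` in the listing is disabled and matches nothing until it is enabled.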
