One quick question: now that I opened UDP 4500, anyone who knows my IP (and the preshared key, and sets the correct ID for identity) can create an IPsec tunnel to my MT (as long as the server's identity is set for matching by remote ID)?
Also, there is a new policy on the server (responder): <126.96.36.199:0->188.8.131.52:0>. It seems read-only; I guess this is good and valid and comes from the initiator.
Correct. It proves that the complete setup works, and you can now replace this test policy at initiator by some more useful one(s).
So now if I'd create some nat rules I could access responder's lan from initiator, right?
Yes, depending on the existing setup, some exceptions from src-nat/masquerade may be necessary to make the added policy client.lan.subnet->server.lan.subnet see the packets. But you don't need this policy if you take the EoIP over IPsec way.
Thanks very much. How shall I go forward? Firewall rules or EoIP tunnel(s)?
I think the initial idea was to first check whether UDP (IPsec transport packets) is also throttled?
But it's up to you of course.
To transport the EoIP using the IPsec, I'd recommend to create, at the initiator, an /interface bridge without any member ports, attach to it a private /32 IP address outside the LAN subnets of both the initiator and the responder, and create a policy with this address as src-address and the responder's WAN IP as dst-address. A mirror policy will be added at the responder. It should not be necessary to disable and re-enable the peers so that the additional policy would come up.
Once you can see the policy up, add an action=accept protocol=gre ipsec-policy=in,ipsec rule to chain=input of /ip firewall filter at both machines, and it must be before the "drop invalid" one (there's currently a bug regarding GRE handling in firewall; EoIP uses GRE protocol). Once this is done, you can add the EoIP interfaces, with properly set local and remote addresses, at both ends (the tunnel-id must be the same at both ends). You can then attach IP addresses from the same subnet to their ends, and you should be able to use the IP address of the far end as a gateway for a route to the far end LAN subnet (symmetrically at both machines of course), so that you could test the TCP client/server connection this way, and check the speed.
The EoIP interfaces are interfaces like any other, so depending on what the firewall looks like, you may have to add permissive rules to chain=forward of /ip firewall filter at both ends to make the client-server connection possible.
If the speed is OK, that's it; but since it wasn't OK using PPTP, I assume UDP will be throttled too, so the next step would be to add a second IPsec tunnel using a different UDP port on at least one end.
Out of curiosity, can you reveal what countries we are talking about?
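The EoIP-over-IPsec procedure described in the post above, written out as RouterOS CLI configuration for both ends. This is an added example, not configuration from the thread or from MikroTik; every address, interface name, tunnel-id and the peer name `peer1` are assumed placeholders, the existing IPsec peer/identity setup from earlier in the thread is assumed to already work, and RouterOS 6.43 or newer is assumed (the `peer=` argument on `/ip ipsec policy`). The "drop invalid" lookup assumes exactly one such rule exists in chain=input.

```routeros
# ===== INITIATOR (client side) =====
# 1. Empty bridge carrying a private /32 that lies outside both LAN subnets
#    (10.255.255.1 is a constructed placeholder).
/interface bridge add name=eoip-loop comment="EoIP endpoint, no member ports"
/ip address add address=10.255.255.1/32 interface=eoip-loop

# 2. Tunnel policy: loopback /32 -> responder WAN IP (203.0.113.1 is a placeholder).
#    The responder generates the mirror policy by itself; nothing to add there.
/ip ipsec policy add peer=peer1 tunnel=yes \
    src-address=10.255.255.1/32 dst-address=203.0.113.1/32 \
    proposal=default comment="EoIP transport"

# 3. Accept GRE only when it arrived inside IPsec, and keep it BEFORE the
#    "drop invalid" rule (GRE handling bug mentioned in the thread).
/ip firewall filter add chain=input action=accept protocol=gre \
    ipsec-policy=in,ipsec comment="EoIP over IPsec" \
    place-before=[find chain=input connection-state=invalid action=drop]

# 4. EoIP interface; tunnel-id must match the responder's.
/interface eoip add name=eoip-ipsec tunnel-id=7 \
    local-address=10.255.255.1 remote-address=203.0.113.1

# 5. Point-to-point addressing and a route to the far LAN via the far end.
#    (172.31.255.0/30 and 192.168.20.0/24 are placeholders.)
/ip address add address=172.31.255.1/30 interface=eoip-ipsec
/ip route add dst-address=192.168.20.0/24 gateway=172.31.255.2

# 6. Let traffic cross the tunnel in case the forward chain is restrictive.
/ip firewall filter add chain=forward action=accept in-interface=eoip-ipsec
/ip firewall filter add chain=forward action=accept out-interface=eoip-ipsec

# ===== RESPONDER (server side) =====
# No bridge and no manual policy here; the mirror policy appears dynamically.
/ip firewall filter add chain=input action=accept protocol=gre \
    ipsec-policy=in,ipsec comment="EoIP over IPsec" \
    place-before=[find chain=input connection-state=invalid action=drop]

# Same tunnel-id; local/remote swapped relative to the initiator.
/interface eoip add name=eoip-ipsec tunnel-id=7 \
    local-address=203.0.113.1 remote-address=10.255.255.1

/ip address add address=172.31.255.2/30 interface=eoip-ipsec
# Route to the initiator's LAN (192.168.10.0/24 is a placeholder).
/ip route add dst-address=192.168.10.0/24 gateway=172.31.255.1

/ip firewall filter add chain=forward action=accept in-interface=eoip-ipsec
/ip firewall filter add chain=forward action=accept out-interface=eoip-ipsec

# Checks: the policy should show as active on both ends before adding EoIP,
# and GRE must only be counted on the ipsec-policy=in,ipsec rule, never on
# a plain GRE accept (which would expose the tunnel to unencrypted spoofing).
/ip ipsec policy print where comment="EoIP transport"
/ip firewall filter print stats where protocol=gre
```

The `ipsec-policy=in,ipsec` matcher is the security-relevant part: it ensures the input chain accepts GRE only after the kernel has decapsulated it from an IPsec SA, so a plain GRE packet from the internet addressed to the WAN IP still hits "drop invalid" or the default drop. If `place-before` errors because the find returns more than one rule, move the rule manually with `/ip firewall filter move`.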