Hello Sindy,
Sorry for the late reply, I was abroad.
So I managed to make an IKEv2/IPsec tunnel-mode setup based on the config you provided me. Ether1 got assigned an IP and through mode config a dynamic src-nat was created, similar to Surfshark. However, I didn't see any speed improvement compared to GRE, which made me worry (I can browse normally, same as with the GRE setup).
I checked the active peers and I see that they are using NAT-T (UDP 4500), although I have bridged the modem and have deselected NAT-T in the profiles which are assigned to the peers. I had tested the same thing before with GRE and it was still using the UDP 4500 port.
As I am testing right now, the setup is like this:
ISP modem bridged -> ether1 - Mikrotik 1 (public IP X), ether2 - Mikrotik 2 (public IP Y), so basically I have the VPN going through the same modem.
** Server **
1 R ;;; IKEv2/IPSEC
id="*****" local-address=******* port=4500 remote-address=******* port=4500 state=established side=responder dynamic-address=10.222.222.8 uptime=3m16s last-seen=1m10s
ph2-total=1 spii="e027bac6b4abdf79" spir="beefe222eadc16cb"
** Client **
5 ;;; IKEv2/IPSEC
id="*******" local-address=****** port=4500 remote-address=******* port=4500 state=established side=initiator uptime=6m39s last-seen=34s ph2-total=1 spii="e027bac6b4abdf79"
spir="beefe222eadc16cb"
Even for Surfshark, which is configured on the client, it is using the NAT-T 4500 port, but there I have fast speeds (~110 Mbps):
1 ;;; IKEv2/IPSEC Surfshark VPN US
id="us-nyc.prod.surfshark.com" local-address=******** port=4500 remote-address=84.17.35.91 port=4500 state=established side=initiator uptime=4d22m58s last-seen=26s ph2-total=1
spii="f6d385d54e7951af" spir="04b07504fa596795"
Do you think this might be a hardware limitation?
Mikrotik 1 - RBD53iG-5HacD2HnD
Mikrotik 2 - RBD52G-5HacD2HnD
Mikrotik 1 cfg for IPsec (client):
/ip ipsec peer
add address="DDNS" comment="IKEv2/IPSEC" exchange-mode=ike2 name=peer1 profile=No_NAT-T
/ip ipsec identity
add comment="IKEv2/IPSEC" generate-policy=port-strict mode-config=ikev2-s2s peer=peer1 policy-template-group=ike2-s2s secret="*****"
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=No_NAT-T nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=ike2-s2s pfs-group=modp2048
/ip ipsec mode-config
add name=ikev2-s2s responder=no src-address-list=LAN
/ip ipsec policy group
add name=ike2-s2s
/ip ipsec policy
add group=ike2-s2s proposal=ike2-s2s template=yes
Mikrotik 2 cfg for IPsec (server):
/ip ipsec mode-config
add address=10.222.222.8 address-prefix-length=32 name=mc-user1 system-dns=no
/ip ipsec policy group
add name=ike2-s2s
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-s2s nat-traversal=no
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-s2s passive=yes profile=ike2-s2s send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=ike2-s2s pfs-group=modp2048
/ip ipsec identity
add comment="IKEv2/IPSEC" generate-policy=port-strict mode-config=mc-user1 peer=IKEv2-s2s policy-template-group=ike2-s2s
/ip ipsec policy
add group=ike2-s2s proposal=ike2-s2s template=yes
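As an added example (not part of this post and not RouterOS code): a small Python parser for the `/ip ipsec active-peers print` output quoted above, which reports whether a peer is running over NAT-T (UDP 4500) and checks that the client and server entries describe the same IKE SA by comparing their SPIs. The addresses in the sample are constructed RFC 5737 placeholders standing in for the masked ones; the SPIs, ports and dynamic address are the ones shown in the post.

```python
import re

# Constructed sample, modelled on the active-peers output quoted in the post.
# Addresses are documentation placeholders; SPIs/ports are taken from the post.
SERVER_OUTPUT = """\
1 R ;;; IKEv2/IPSEC
id="203.0.113.10" local-address=198.51.100.2 port=4500 remote-address=203.0.113.10 port=4500 state=established side=responder dynamic-address=10.222.222.8 uptime=3m16s last-seen=1m10s
ph2-total=1 spii="e027bac6b4abdf79" spir="beefe222eadc16cb"
"""

CLIENT_OUTPUT = """\
5 ;;; IKEv2/IPSEC
id="198.51.100.2" local-address=203.0.113.10 port=4500 remote-address=198.51.100.2 port=4500 state=established side=initiator uptime=6m39s last-seen=34s ph2-total=1 spii="e027bac6b4abdf79"
spir="beefe222eadc16cb"
"""

# '<number> [flags] ;;; <comment>' opens each entry; key=value pairs follow,
# possibly wrapped over several lines as in the post.
ENTRY_RE = re.compile(r'^(\d+)\s+([A-Z ]*)\s*;;;\s*(.*)$')
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_active_peers(text):
    """Return a list of dicts, one per active peer.
    'port' appears twice per entry (local, then remote), so it is stored as
    local_port / remote_port."""
    peers, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {'num': int(m.group(1)), 'flags': m.group(2).strip(),
                   'comment': m.group(3)}
            peers.append(cur)
            continue
        if cur is None:
            continue
        for key, val in KV_RE.findall(line):
            if key == 'port':
                key = 'remote_port' if 'local_port' in cur else 'local_port'
            cur[key] = val.strip('"')
    return peers


def transport(peer):
    """UDP 4500 means NAT-T (UDP-encapsulated ESP); UDP 500 means plain IKE + raw ESP."""
    if '4500' in (peer.get('local_port'), peer.get('remote_port')):
        return 'NAT-T (UDP 4500)'
    return 'IKE (UDP 500)'


def same_sa(a, b):
    """Two entries describe the same IKE SA when initiator and responder SPIs match."""
    return a.get('spii') == b.get('spii') and a.get('spir') == b.get('spir')
```

Run over both routers' output, `same_sa` confirms you are looking at the two ends of one SA, and `transport` tells you whether that SA is UDP-encapsulated regardless of the profile's nat-traversal setting.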