Is It Possible to connect vyos with Mikrotik which behind NAT?

Hi all,
Sorry if the question is too noob. I am trying to set up a site-to-site tunnel using GRE over IPsec between VyOS and Mikrotik (Mikrotik behind NAT).

I have tried to set it up, but Mikrotik always reports no phase 2.
If the Mikrotik is not behind NAT I can connect successfully, but no luck with the one behind NAT.

I am using VyOS 1.2.6.
Sample config:

```
......
esp-group <esp_group_name> {
    compression disable
    lifetime 3600
    mode tunnel
    pfs dh-group16
    proposal 1 {
        encryption aes256
        hash sha256
    }
}
ike-group <ike_group_name> {
    close-action none
    dead-peer-detection {
        action clear
        interval 30
        timeout 90
    }
    ikev2-reauth no
    key-exchange ikev1
    lifetime 86400
    proposal 1 {
        dh-group 16
        encryption aes256
        hash sha256
    }
}
......
peer mikrotik_public_ip {
    authentication {
        mode pre-shared-secret
        pre-shared-secret notsosecret
    }
    connection-type initiate
    default-esp-group <esp_group_name>
    ike-group <ike_group_name>
    ikev2-reauth inherit
    local-address vyos_public_ip
    tunnel 1 {
        allow-nat-networks disable
        allow-public-networks disable
        protocol gre
    }
}
```

Thank you

Hi @pedjoeangdigital, it should be a good idea to use key-exchange ikev2 instead of ikev1 if some of the hosts are behind a NAT. I'm not very familiar with Mikrotik, but I think you can use authentication id and authentication remote id to satisfy negotiation.

Hi @Dmitry, thank you for your reply. So is this what you mean?

```
ike-group <ike_group_name> {
    close-action none
    dead-peer-detection {
        action clear
        interval 30
        timeout 90
    }
    ikev2-reauth no
    **key-exchange ikev1 to ikev2 ?**
    lifetime 86400
    proposal 1 {
        dh-group 16
        encryption aes256
        hash sha256
    }
}
```

Yes, and also

```
peer mikrotik_public_ip {
    authentication {
        id x.x.x.x
        remote-id y.y.y.y
    }
}
```
1 Like
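As an added example (not code from the thread, from VyOS or from Dmitry), the script below parses a VyOS 1.2-style brace config excerpt and flags the two settings the reply above points at for a peer behind NAT: an ike-group still on `key-exchange ikev1`, and a peer whose `authentication` block has no `id` / `remote-id`. The two configs inside it are constructed from the shape of the thread's config with documentation addresses (203.0.113.10 as the NAT's public address, 192.168.88.1 standing in for the Mikrotik's private address); the group name IKE-MT is made up, and the check assumes VyOS 1.2 behaves as ikev1 when `key-exchange` is absent.

```python
"""Lint a VyOS 1.2-style 'vpn ipsec' excerpt for settings that commonly break
IKE when the remote peer sits behind NAT (added example, constructed input)."""


def parse_vyos(text):
    """Parse the curly-brace VyOS config format into nested dicts.

    A block line ("name {") becomes a key holding a child dict; a leaf line
    ("key value") maps key -> value. Lines made only of dots (the elision
    marks people paste from 'show configuration') are skipped.
    """
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"."}:
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            cur = stack.pop()
        else:
            key, _, value = line.partition(" ")
            cur[key] = value.strip() or None
    if stack:
        raise ValueError("missing '}'")
    return root


def walk(node, path=()):
    """Yield (path, subtree) for every block node, depth first."""
    for name, child in node.items():
        if isinstance(child, dict):
            yield path + (name,), child
            yield from walk(child, path + (name,))


def lint_nat_peer(cfg):
    """Return findings for a config whose remote peer is behind NAT.

    Assumption: VyOS 1.2 uses ikev1 when key-exchange is not set, so an
    ike-group without the node is flagged the same way as an explicit ikev1.
    """
    findings = []
    for path, node in walk(cfg):
        name = path[-1]
        if name.startswith("ike-group "):
            if node.get("key-exchange", "ikev1") == "ikev1":
                findings.append(f"{name}: key-exchange is ikev1; "
                                "use ikev2 when a peer is behind NAT")
        elif name.startswith("peer "):
            auth = node.get("authentication") or {}
            for key in ("id", "remote-id"):
                if key not in auth:
                    findings.append(f"{name}: authentication {key} not set; "
                                    "IKE identity then defaults to the address, "
                                    "which a NATed peer does not present")
    return findings


# Constructed excerpt shaped like the thread's config (documentation addresses).
THREAD_STYLE = """
ike-group IKE-MT {
    key-exchange ikev1
    lifetime 86400
    proposal 1 {
        dh-group 16
        encryption aes256
        hash sha256
    }
}
......
site-to-site {
    peer 203.0.113.10 {
        authentication {
            mode pre-shared-secret
            pre-shared-secret notsosecret
        }
        connection-type initiate
        ike-group IKE-MT
        local-address 198.51.100.1
        tunnel 1 {
            protocol gre
        }
    }
}
"""

# The same peer after the reply's advice: ikev2 plus explicit identities.
# 192.168.88.1 is a constructed stand-in for the MikroTik's private address.
NAT_READY = THREAD_STYLE.replace("key-exchange ikev1", "key-exchange ikev2").replace(
    "mode pre-shared-secret",
    "mode pre-shared-secret\n            id 198.51.100.1\n            remote-id 192.168.88.1",
)

if __name__ == "__main__":
    for label, cfg in (("thread config", THREAD_STYLE), ("nat-ready config", NAT_READY)):
        found = lint_nat_peer(parse_vyos(cfg))
        print(f"{label}: {len(found)} finding(s)")
        for item in found:
            print("  -", item)
```

Run it as-is to see the thread-style config produce three findings and the adjusted one produce none; to check a real box, paste the output of `show configuration commands`-style brace output for `vpn ipsec` into `THREAD_STYLE`.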

Hey, did you ever get this working?
