Site-to-site IPSec through NAT

In the fifth part of the IPSec series, we will cover the next common scenario in IPSec implementation. We will also be IPSec myth busters. Of course, there will be no spectacular explosions as in the TV show. Nevertheless, we will break the myth that an IPSec tunnel cannot pass through NAT.

Our scenario is very common in the real world. On one side we have a larger company, with one or more high-speed Internet links and public IP addresses assigned to them. On the other side, we have a small company that wants to work while spending almost no money and, in addition, tends to cut operating costs in the wrong places.


Our scenario

Our scenario looks like this:


I highlighted the most important part related to this scenario. The small company, named Trange Frange Comp (Serbian jargon for something of low quality), leased grandma's ADSL link with a speed of 4/1 Mbps as their main business Internet link. As Internet links cost money, there are no redundant links.

They received an ADSL CPE router from the ISP. I used the MikroTik RouterOS x86 v3.30 software router to simulate that piece of equipment. Although MikroTik RouterOS is a very powerful and flexible system, we use it here in routing mode. It could also be used as a network bridge, to simulate the ADSL modem itself.

This means that the internal network of Trange Frange Comp (TFC in the rest of the text) will be NATed, i.e. hidden behind a NAT device. The ADSL router connects to a PPPoE access server inside the ISP's network. I will not discuss this mechanism in this post; we have just revealed a subject for future articles.

PPPoE uses dynamic address allocation and parts of the PPP protocol. The dynamic address assignment is what matters here: we do not know the public (or at least the outer) IP address assigned to the ADSL CPE router.

So we face two challenges. Our main router has a public IP address and is connected through high-speed links. Our remote router sits behind a NAT device with a dynamic IP address. Woohoo!

If you remember the theory of IPSec tunnels and the baseline site-to-site scenario, you know that we need to know the addresses of both sides. Here, we do not have a fixed IP address on the side of the smaller company. Fun is in the air!

Of course, we are establishing the IPSec tunnel for the end users in TFC's local network. They will access the Contoso Web server. Yup, a grandpa DOS VM with the EZ-NOS WWW server, only 4 MB of RAM and a 10 MB virtual hard disk. It simulates a CRM or collaboration server that will never be published to the Internet.


Checking the connection

We should have basic connectivity between the remote network and the Contoso router. We will check this with ping and/or traceroute, from both the router and the workstation. At this stage, the Web server is not accessible.

As the first step, we check whether the ADSL customer is connected to the PPPoE server. This process is automatic and the client connects as soon as RouterOS boots.


Our remote company has "Internet" access. Now we test the connection from the workstation. The workstation is simulated with a Tiny Core Linux v6.4.1 VM: 128 MB of RAM, a 128 MB vHDD and a modern graphical environment with an e-mail client and a Web browser.


The workstation has the correct private IP address. When we run traceroute, we see five hops. With the virtual ADSL link limited to 4/1 Mbps and masquerading on both the outgoing router and the ADSL router, we get realistic delays.

We must fill in the IPSec configuration document at the beginning of the process. In this scenario the document is even more important. I will reveal part of the secret here: as the IP address of the TFC router we need to put the IP address of its outgoing interface; in our example –


Preparing Contoso router

We will prepare the Contoso router as usual. Oh, but… here is one big but. We do not have the IP address of the partner router. In the previous scenario we knew that the FabrikaM router had the address and we easily prepared the peer settings.

Which address will be assigned to the ADSL CPE router? The answer is simple: the first free IP address from the pool assigned to the PPPoE service. Moreover, it can change at any time.

Oh, there can be even more fun. As you can see from the screenshot taken on the PPPoE access server, the ADSL router has the IP address This address is indeed public, as the private IPs come from the However, this address could also be private. Then there would be at least one more NAT device between our router and the Contoso router. Fun, fun, fun!

This slightly longer introduction has a very good reason. We need to prepare the Contoso router's peer definition for the TFC router. As we do not know its address, we define a special, generic peer. We will use the IP address of, which means any remote IP address.


There are three main differences between this scenario and the previous one with public IPs on both sides. The first: we do not know the IP address of the opposite side, so the Contoso router cannot initiate the IPSec negotiation; the TFC router always has to be the initiator.

The second: this IPSec tunnel will pass through at least one NAT device, so we must enable the NAT traversal (NAT-T) option. IKE still starts on UDP port 500; once both sides detect a NAT in the path, the rest of the exchange moves to UDP port 4500, and the ESP packets themselves are encapsulated in UDP on port 4500, because raw ESP carries no port numbers for the NAT device to translate.

So, if a firewall blocks UDP port 4500 (the 4500U from the previous paragraph), we cannot establish the IPSec connection even though port 500 is open. Therefore, check the firewalls on both sides, and on the CPE, if you have problems with the tunnel: UDP 500 and UDP 4500 must be allowed towards the Contoso router.

The third: we must build the IPSec policy dynamically. We do not know the SA source address of the remote peer, so we cannot fill in the SA Destination Address field of a static policy. Instead, the peer definition generates the policy when the remote side connects.

I used the password Trange1. If more than one remote customer connects to this router, they will all share this peer definition and its pre-shared key. Keep in mind what that means: the peer accepts IKE from any address, so anybody who knows the secret can bring up a tunnel from anywhere, and one leaked key means re-keying every remote site.

All other settings are very common. We can allow more than one encryption algorithm to accept connections from different devices. This is the second thing you should always check: if the remote device is made for grandma's home ADSL, its capabilities can be very limited.

We should also extend the supported authentication and encryption algorithms in the Default proposal. When we build a dynamic IPSec tunnel, the automatically generated policy always uses the default proposal settings.


We added the MD5 authentication and 3DES encryption algorithms. In most cases, this will be enough. Both are legacy algorithms; add them only when a remote device really offers nothing better, and keep stronger ones (AES with SHA) in the list for devices that support them.
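The same Contoso-side preparation from the command line, as an added example (this is not the post's own script or the author's downloadable one). The interface name ether1, the addresses 203.0.113.10/24 (Contoso public) and 192.168.10.0/24 (Contoso LAN), and the AES-128/SHA1 algorithms kept from earlier parts of the series are assumptions; the syntax follows the RouterOS v3/v4 style used in the post (newer releases split the peer into peer, identity and profile objects).

```routeros
# Contoso (hub) side, added example: responder for peers with unknown, NATed addresses.
# ASSUMED: ether1 = public interface (203.0.113.10/24), LAN = 192.168.10.0/24.

# 1. Default proposal. The dynamically generated policy always uses it, so it must list
#    every algorithm a remote CPE might propose. aes-128/sha1 are assumed from earlier
#    parts; md5 and 3des are the additions described in the post (legacy, keep them last).
/ip ipsec proposal
set default auth-algorithms=sha1,md5 enc-algorithms=aes-128,3des pfs-group=modp1024

# 2. Generic peer. address=0.0.0.0/0 accepts IKE from any source; nat-traversal=yes
#    allows the switch to UDP 4500 and UDP-encapsulated ESP; generate-policy=yes builds
#    the policy from the initiator's proposal because the SA destination address is not
#    known in advance. The hub only answers, it never initiates (send-initial-contact=no).
#    Every remote site shares this one pre-shared key.
/ip ipsec peer
add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="Trange1" \
    exchange-mode=main send-initial-contact=no nat-traversal=yes \
    generate-policy=yes proposal-check=obey \
    hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d

# 3. Input firewall. Without UDP 4500 the exchange stalls right after NAT detection,
#    which is the failure mode described in the post. Place these above any drop rule.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500 action=accept \
    comment="IKE"
add chain=input in-interface=ether1 protocol=udp dst-port=4500 action=accept \
    comment="IPsec NAT-T (IKE and UDP-encapsulated ESP)"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept \
    comment="plain ESP, for peers that are not behind NAT"
```

While a remote site is connected, the generated policy shows up in /ip ipsec policy print flagged as dynamic and disappears again when the SAs expire; nothing needs to be added to the static policy list on this side.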

That was quick indeed. The Contoso router is ready to rock and accept IPSec clients. Now we prepare the other side.


TFC side

On the TFC side, we prepare everything as we did before for a router with a public IP address. We begin with the IPSec peer definition. It is very simple.

We know that the Contoso router has a public IP address, and we use it. However, we need to enable the NAT traversal option, because we know there is at least one NAT device between this router and its peer.


All other parameters are already agreed between the sides. In a scenario like this one, the remote side must comply with the main router. In real life we can have multiple remote devices, and any alteration of the peer definition on the main router can drop the tunnels to all the other routers.

The same applies to the proposal. We must harmonize it with the main router.

Now we come to the most intriguing part. We need to define the IPSec policy. The first tab is very common: our network and the remote network.


The IPSec tunnel will be established between the internal networks. However, the tricky part is coming.


Everything looks the same as in the previous examples except one field. The SA Source Address is the IP address on the outgoing interface of the TFC router, i.e. the private address it has towards the ADSL CPE. It is not the public address of the ADSL router or the ISP's public IP: the TFC router never sees that address, and with NAT-T the CPE rewrites the outer header anyway. Keep this in mind; if something is wrong, check this setting first.

All the other parameters are the same and we will not spend more time on them.

The last setting is avoiding the NAT rules. We must define a rule that excludes this traffic from the NAT process. We do this on the IP > Firewall > NAT tab.


As you can see, we must put this rule at the top of the NAT rule list, and the masquerade rule must stay last. Otherwise, either the LAN-to-LAN traffic gets masqueraded before the IPSec policy can match it and never enters the tunnel, or we cannot access resources outside our network at all.
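The whole TFC side from the command line, as an added example (again not the post's own script). Assumptions: ether1 is the TFC router's WAN port towards the CPE with the private address 10.0.0.2/24 (the CPE being 10.0.0.1), ether2 is the LAN 192.168.20.0/24, 203.0.113.10 is Contoso's public address and 192.168.10.0/24 its LAN; the algorithm set mirrors the Contoso example above.

```routeros
# TFC (spoke) side, added example: initiator behind a NATing ADSL CPE with a dynamic address.
# ASSUMED: ether1 = WAN towards CPE (10.0.0.2/24), ether2 = LAN (192.168.20.0/24),
#          203.0.113.10 = Contoso public address, 192.168.10.0/24 = Contoso LAN.

# Proposal harmonized with the hub: the hub dictates, the spoke follows.
/ip ipsec proposal
set default auth-algorithms=sha1,md5 enc-algorithms=aes-128,3des pfs-group=modp1024

# Peer: the hub's public address is known and fixed. nat-traversal must be on because
# at least one NAT device (the CPE) sits between this router and the hub. This side
# initiates (send-initial-contact=yes), the hub cannot, it does not know our address.
/ip ipsec peer
add address=203.0.113.10/32 port=500 auth-method=pre-shared-key secret="Trange1" \
    exchange-mode=main send-initial-contact=yes nat-traversal=yes \
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 \
    lifetime=1d

# Policy: the tunnel is between the two LANs. sa-src-address is the address on THIS
# router's outgoing interface (10.0.0.2), not the CPE's public/PPPoE address; that one is
# unknown here and is put on the outer header by the CPE's NAT on the way out.
/ip ipsec policy
add src-address=192.168.20.0/24 dst-address=192.168.10.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=10.0.0.2 sa-dst-address=203.0.113.10 proposal=default

# NAT: rules are evaluated top-down and added in this order, so the accept rule lands
# above masquerade. Without it the LAN source address is rewritten to 10.0.0.2 before
# the policy is consulted, the policy no longer matches and nothing enters the tunnel.
# (If a masquerade rule already exists, use "/ip firewall nat move" to put it last.)
/ip firewall nat
add chain=srcnat src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
    action=accept comment="bypass NAT for IPsec to Contoso"
add chain=srcnat out-interface=ether1 action=masquerade comment="default masquerade"

# Checks, equivalent to the Remote Peers and Installed SAs tabs in WinBox.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

Generate some traffic from the workstation towards 192.168.10.0/24 before running the two print commands; with a quiet policy there is nothing to negotiate yet, so the remote-peers list stays empty until the first matching packet triggers IKE.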


Checking the tunnel

We can check that our router is connected with the remote peer on the Remote Peers tab.


Then we can try to connect from the client's workstation to the server.


On the router's Installed SAs tab we can see that the tunnel is exchanging traffic.


The tunnel works. It's time for a beer.


Command line scripts

For those who like to work from the command line, I prepared scripts that can be used in your lab. You can download them here


I didn't include the configuration of the MegaISP access (PPPoE) server or the CPE router. You can build them very easily. Actually, it's enough to put one VM in front of our router and perform NAT/masquerade on it.

If you would like to read more about other topics, like PPPoE services, please leave a comment. If you like my blog, I invite you to start following it. You can also rate this post. Your feedback is welcome.

Stay tuned for the upcoming articles and mighty tricks.


11 thoughts on “Site-to-site IPSec through NAT”

  1. Fine! Thanks! Very useful!
    But let me ask… Is there any way to insert a reverse route?
    If I need not one-sided access, but both-sides site-to-site access


    • Just looking for a proper way to get both-sides availability on a site-to-site ipsec tunnel with one site behind NAT with a dynamic public IP (through a GSM network), I got a strange temporary solution.

      /ip ipsec policy
      add dst-address= sa-dst-address={Public-remote-IP} sa-src-address={Local-WAN-Interface-IP} \
      src-address= tunnel=yes

      /interface eoip
      add local-address= name=tunnel1 remote-address=\ tunnel-id=0

      IP on this tunnel and RIP routing… Only the EoIP tunnel is working (not ipip or gre). And static routing didn’t work either…


      • Interesting thing… After this solution my VPN on my Windows client gets no route any more. Just only And there is no way to fix or manage this…


      • Your Windows client should acquire the network configuration from the DHCP server. Your MikroTik device should be the router and you should have through the MikroTik’s LAN interface IP address.

        Now, your Windows machine should be capable of accessing the Internet. If you want to access site B, you will do that through IPsec.

        If your architecture is different, you can give me more details and I can try to find the solution for you.


      • But you don’t need EoIP, IP-IP or similar tunnels. IPsec can do the job.

        However, if you want to make a point-to-point IPsec tunnel then you need to set it to transport mode – tunnel=no. I had materials for that part of this series, but haven’t published them yet.

        Additionally, you need to use the parameter src-address with /24 (or another appropriate network mask) and then IPsec will do the dynamic routing.


    • Thanks!

      IPsec doesn’t use routes at all. All routing is done through policies.

      If both sides are dynamic, then you need to do some tricks with a Dynamic DNS service, to register at least one side so that it can be resolved with a DNS query.


    • Hi,

      Generally speaking, I will do this:
      1. I’ll re-check my setup again
      2. If the setup is correct, I will check my WAN IP addresses.
      You need to have at least one side of the tunnel with the public IP address.
      If you’re trying to make IPSec between two NATed addresses, it will not work.
      3. If everything is fine, then I’ll check ISP’s rules and obligations.
      Maybe you need to ask for a static IP address (it can be charged separately).
      4. You should also check the local law regulations related to VPNs.

      Hope this will help.


