
AirOS 6.1.11 and router/NAT with IPsec

Hi!

 

I have a strange IPsec issue with a Nanostation M5 that I use to connect a MikroTik router to a normal wifi network (not airMAX) and then run an IPsec tunnel from the MikroTik router.

I use router mode on the Nanostation since I could not get a DHCP IP on the MikroTik if I use bridge mode.

 

Now the problem: when the wifi network fluctuates (getting "deauthenticated because sending STA is leaving or has left" sometimes for some reason, but it quickly associates again), the IPsec tunnel also stops working. The MikroTik router tries to establish the tunnel over and over again, but it acts just like it did not have a network connection any longer. But I can ping other hosts and I can surf from my computer when connected to the Nanostation; it just looks like the Nanostation is blocking IPsec.

If I reboot the Nanostation, IPsec works again. It can start working by itself also. My thought is that maybe airOS has an IPsec NAT helper that maybe locks up for some reason?

I do use NAT-T with the IPsec tunnel so my understanding is that a NAT helper should not be used then and I read somewhere that IPsec NAT helpers can even cause trouble when combined with NAT-T, don't know if that is true but I guess it is not good to "double solve" a problem. I see no option to enable or disable NAT helper for IPsec (only PPTP) so either airOS doesn't have one or it is forced on? And if that is not the problem, any suggestions what may be the problem then?

 


 

It would be simple to say that this is just an internet connection issue, but everything else does seem to work.

 

(I have not really investigated thoroughly why bridge mode does not work. I am not sure how the ubnt units act when using bridge without WDS, but I know other wifi-to-ethernet client bridges I used before cloned the ethernet device's MAC and acted transparently, and that meant you could only have one client behind such a device.)