Fine-tuning an IPsec tunnel. How to get out of this with NAT?
Given
1. A MikroTik controlled by me, with an external static address.
2. Two gray networks behind it: 192.168.110.0/24 and 192.168.111.0/24.
3. A certain device that is not controlled by me; I can neither change its settings nor look at it. Behind it is a gray network, 10.10.10.0/24. It has an external static address.
Right now the IPsec tunnel is working, and traffic from network 110 successfully reaches 10.10.10.0/24. But traffic from 111 goes into the tunnel and is successfully dropped there.
src-address=192.168.110.0/23 src-port=any dst-address=10.10.10.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=8.8.8.8 proposal=eze-proposal ph2-count=1
And it turned out to be simple.
We add one more gray IP to the controlled router.
And we write two rules (the second one already existed; it is needed so that the traffic intended for the tunnel is not NAT'ed and falls under the policy):
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.10.10.0/24 src-address=192.168.111.0/24 to-addresses=192.168.110.2
add action=accept chain=srcnat dst-address=10.10.10.0/24 src-address=192.168.110.0/23 to-addresses=192.168.110.1
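To see why the two rules work in this order, here is an added example (not MikroTik code and not from the answer) that models the srcnat chain with first-match semantics, the posted local policy, and the peer's selector. It assumes the uncontrolled peer only has a policy for 192.168.110.0/24, that a general masquerade rule sits at the end of the chain, and uses a constructed public address for the router.

```python
import ipaddress

# Constructed model of the RouterOS srcnat chain (first match wins), of the
# local IPsec policy from the question and of the remote peer's selector.
WAN = "203.0.113.1"  # constructed public address of the MikroTik
LOCAL_POLICY = ("192.168.110.0/23", "10.10.10.0/24")  # selector as posted
# Assumption: the uncontrolled peer only has a policy for 192.168.110.0/24.
REMOTE_POLICY = ("192.168.110.0/24", "10.10.10.0/24")

# The two rules from the answer plus the general masquerade rule the router is
# assumed to have (the accept rule keeps tunnel traffic out of it).
POSTED_RULES = [
    {"action": "src-nat", "src": "192.168.111.0/24", "dst": "10.10.10.0/24",
     "to": "192.168.110.2"},
    {"action": "accept", "src": "192.168.110.0/23", "dst": "10.10.10.0/24"},
    {"action": "masquerade", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},
]

def matches(src, dst, src_net, dst_net):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net))

def apply_srcnat(rules, src, dst):
    """Source address after the srcnat chain; the first matching rule
    decides, so rule order is significant."""
    for rule in rules:
        if matches(src, dst, rule["src"], rule["dst"]):
            if rule["action"] == "src-nat":
                return rule["to"]
            if rule["action"] == "masquerade":
                return WAN
            return src  # accept: packet leaves the chain untouched
    return src

def tunnel_outcome(rules, src, dst):
    """Does the packet enter the local policy, and does the peer take it?"""
    nat_src = apply_srcnat(rules, src, dst)
    if not matches(nat_src, dst, *LOCAL_POLICY):
        return nat_src, "not tunnelled"
    if not matches(nat_src, dst, *REMOTE_POLICY):
        return nat_src, "dropped by peer"
    return nat_src, "delivered"

if __name__ == "__main__":
    for src in ("192.168.110.20", "192.168.111.20"):
        print(src, "->", tunnel_outcome(POSTED_RULES, src, "10.10.10.5"))
    # With the accept rule first, 111 traffic is never translated: the
    # original failure comes back.
    swapped = [POSTED_RULES[1], POSTED_RULES[0], POSTED_RULES[2]]
    print("swapped ->", tunnel_outcome(swapped, "192.168.111.20", "10.10.10.5"))
```

Dropping the src-nat rule (or moving it after the accept rule) reproduces the original state, where 111 traffic enters the tunnel unchanged and the peer discards it.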
NAT and IPsec are incompatible. In the sense of IPsec behind NAT.