Computer networks
poisons, 2018-09-17 13:37:30

Fine-tuning an IPsec tunnel. How do I get out of this with NAT?

Given:
1. A Mikrotik that I control, with an external static address.
2. Two private ("grey") networks behind it: 192.168.110.0/24 and 192.168.111.0/24.
3. A device that I do not control (I can neither change its settings nor look at them), with the private network 10.10.10.0/24 behind it. It also has an external static address.
Right now the IPsec tunnel is up and traffic from the 110 network successfully reaches 10.10.10.0/24. But traffic from 111 goes into the tunnel and is duly dropped there.

src-address=192.168.110.0/23 src-port=any dst-address=10.10.10.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=8.8.8.8 proposal=eze-proposal ph2-count=1

My assumption is that no policy is configured on the other side under which traffic to 111 should go into the tunnel.
So I had the idea of NATing traffic from network 111 to some address in 110, which I would pin to the Mikrotik.
I have not managed to solve this head-on: googling the keywords ipsec nat, in combination with anything else, only offers me solutions for getting IPsec through NAT and everything in that vein.
Suggest the right keywords or give me a kick in the right direction.

2 answers
poisons, 2018-09-18
@poisons

The answer turned out to be simple.
Add one more private IP to the router I control,
and write two rules (the second one already existed; it is needed so that traffic destined for the tunnel is not NATed and matches the policy):

/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.10.10.0/24 src-address=192.168.111.0/24 to-addresses=192.168.110.2 comment="hide 111 behind an address the peer's policy covers; must come before the accept rule, which also matches 111"
add action=accept chain=srcnat dst-address=10.10.10.0/24 src-address=192.168.110.0/23 comment="tunnel traffic must not be masqueraded or it no longer matches the IPsec policy"

In short, something like that.
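As an added illustration of why these two rules and their order work (my own example, not code from the thread), here is a small Python model of the packet path on the Mikrotik: the srcnat chain is evaluated top-down first, then the local IPsec policy from the question, then the peer's policy. The peer's policy (only 192.168.110.0/24 to 10.10.10.0/24), the WAN address 203.0.113.1, the presence of a masquerade rule and the sample hosts are assumptions; the rest of the addresses come from the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the packet path discussed in the thread: the srcnat
# chain is evaluated first, then the local IPsec policy, then the peer's policy.
# 192.168.110.0/24, 192.168.111.0/24 and 10.10.10.0/24 are from the question.
# ASSUMPTIONS: the peer's policy only covers 192.168.110.0/24 (the poster cannot
# see that device), the WAN address is 203.0.113.1 (documentation range), and a
# masquerade rule exists for ordinary internet traffic.

WAN = "203.0.113.1"

@dataclass
class NatRule:
    src: str                  # src-address of the rule
    dst: str                  # dst-address of the rule
    action: str               # "accept", "src-nat" or "masquerade"
    to: Optional[str] = None  # to-addresses (src-nat) or WAN address (masquerade)

def srcnat(rules, src, dst):
    """Source address after the srcnat chain. RouterOS walks the chain top-down
    and the first matching rule terminates it, so rule order matters."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return src if r.action == "accept" else r.to
    return src  # nothing matched: source unchanged

# Policies written in packet direction (src, dst).
LOCAL_POLICY = ("192.168.110.0/23", "10.10.10.0/24")  # from the question
PEER_POLICY = ("192.168.110.0/24", "10.10.10.0/24")   # assumed: 111 unknown to the peer

def matches(policy, src, dst):
    ps, pd = (ipaddress.ip_network(n) for n in policy)
    return ipaddress.ip_address(src) in ps and ipaddress.ip_address(dst) in pd

def outcome(rules, src, dst):
    """'delivered' if the packet crosses the tunnel, 'dropped-by-peer' if the far
    end has no policy for it, 'sent-in-clear' if it never enters the tunnel."""
    src_after_nat = srcnat(rules, src, dst)
    if not matches(LOCAL_POLICY, src_after_nat, dst):
        return "sent-in-clear"
    if not matches(PEER_POLICY, src_after_nat, dst):
        return "dropped-by-peer"
    return "delivered"

MASQ = NatRule("0.0.0.0/0", "0.0.0.0/0", "masquerade", WAN)
ACCEPT = NatRule("192.168.110.0/23", "10.10.10.0/24", "accept")
HIDE_111 = NatRule("192.168.111.0/24", "10.10.10.0/24", "src-nat", "192.168.110.2")

MASQ_ONLY = [MASQ]                      # accept rule missing: tunnel traffic masqueraded
BEFORE = [ACCEPT, MASQ]                 # the state described in the question
AFTER = [HIDE_111, ACCEPT, MASQ]        # the answer's configuration
WRONG_ORDER = [ACCEPT, HIDE_111, MASQ]  # accept for the /23 shadows the src-nat rule

if __name__ == "__main__":
    for name, rules in [("masq-only", MASQ_ONLY), ("before", BEFORE),
                        ("after", AFTER), ("wrong-order", WRONG_ORDER)]:
        for host in ("192.168.110.5", "192.168.111.5"):
            print(f"{name:12} {host:15} -> {srcnat(rules, host, '10.10.10.7'):15} "
                  f"{outcome(rules, host, '10.10.10.7')}")
```

The model makes the two failure modes visible: without the accept rule, tunnel traffic is masqueraded to the WAN address and no longer matches the local policy, so it leaves in the clear; with the accept rule placed above the src-nat rule, the /23 match swallows the 111 traffic before it is translated and the peer drops it. In the real setup the 192.168.110.2 address must also exist on the router (the extra IP the answer mentions) so that replies from 10.10.10.0/24 are accepted and un-NATed by connection tracking.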

Stanislav Bodrov, 2018-09-17
@jenki

NAT and IPsec are incompatible, in the sense of IPsec behind NAT.
