Hi,
I have a problem.
We have a lot of IPsec VPNs and leased lines, and we are using VLANs and other things, but we don't have an IPsec VPN with srcnat yet (only dnat).
Unfortunately we have a partner that needs 10.0.0.0/8, and therefore I have a static route for it.
But now I need a new IPsec VPN; the remote LAN address is 10.1.42.27 and I need to change our source address to 172.20.10.70 too.
So the VPN is OK, and I have a policy with 172.20.10.70->10.1.42.27, BUT I have seen that our packet goes to the leased line and not into the IPsec tunnel.
My original address is 192.168.1.20.
I see in the log (I made a log rule in the firewall):
with this policy:
ip ipsec policy
src-address=172.20.10.70/32 src-port=any dst-address=10.1.42.27/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=xx.xx.xx.xx sa-dst-address=yy.yy.yy.yy proposal=sha1_aes256_none priority=0
19:42:43 firewall,info forward: in:vlan_rac_10 out:vlan_LL_omv_13, proto ICMP (type 8, code 0), 192.168.1.20->10.1.42.27, len 84
19:42:43 firewall,info forward: in:vlan_LL_inet_20 out:vlan_rac_10, proto ICMP (type 0, code 0), 10.1.42.27->192.168.1.20, len 84
19:42:44 firewall,info forward: in:vlan_rac_10 out:vlan_LL_omv_13, proto ICMP (type 8, code 0), 192.168.1.20->10.1.42.27, len 84
19:42:44 firewall,info forward: in:vlan_LL_inet_20 out:vlan_rac_10, proto ICMP (type 0, code 0), 10.1.42.27->192.168.1.20, len 84
When I ping the remote IP it goes to the leased line and I get the response from the VPN (inet) :-O
(our partners have a direct line between them and maybe they route this network partner1<-->partner2)
(me -> (leased line) partner1 -> (leased line) partner2 -> (inet-vpn) me)
Then I changed the policy to the original IP.
If I change the policy in IPsec to 192.168.1.20->10.1.42.27 then I see:
21:57:36 firewall,info forward: in:vlan_rac_10 out:vlan_LL_inet_20, proto ICMP (type 8, code 0), 192.168.1.20->10.1.42.27, len 84
21:57:37 firewall,info forward: in:vlan_rac_10 out:vlan_LL_inet_20, proto ICMP (type 8, code 0), 192.168.1.20->10.1.42.27, len 84
I think this is good...
(I don't get a response, but this is not a problem, because if I see my packet going into the tunnel I can tell my partner that my config is OK)
My config is:
ip ipsec policy
src-address=192.168.1.20/32 src-port=any dst-address=10.1.42.27/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=xx.xx.xx.xx sa-dst-address=yy.yy.yy.yy proposal=sha1_aes256_none priority=0
route (because of the leased line to another partner)
1 A S 10.0.0.0/8 cc.cc.cc.cc 1
ip firewall nat
chain=srcnat action=src-nat to-addresses=172.20.10.70 src-address=192.168.1.0/24 dst-address=10.1.42.27
ip firewall filter
chain=forward action=accept connection-state=new protocol=tcp src-address=192.168.1.0/24 dst-address=10.1.42.27 dst-port=22
What do you think was wrong?
How can I check that my packet went into the tunnel and that my IP was changed correctly?
I tried logging, but I can't see it: if I put a rule into the firewall, I cannot see the NATed IP there yet, because it is changed later on the "packet road" (postrouting).
I tried the packet sniffer with Wireshark too, but I cannot see everything.
If I have an IPsec VPN, which IP do I need to put into the policy? The original or the SNATed one?
(I have seen this: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow)
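As an added example that is not part of the original post: the Python script below models the forwarding order drawn on the linked Packet Flow page (routing decision, then the chain=forward filter/log rule, then postrouting src-nat, then the IPsec policy check) and pushes the ping from the post through both policies that were tried. The route table, the interface names (taken from the posted log lines) and the assumption that the policy selector is compared against the already-NATed packet are mine; the real router does more than this (the policy lookup also takes part in the routing decision and in the out-interface the log shows), which this model leaves out.

```python
# Added example, not code from the original post: a toy model of the RouterOS
# forward path, in the order shown on Manual:Packet_Flow, used to see which
# source address an IPsec policy is matched against when srcnat is in play.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str
    proto: str = "ICMP (type 8, code 0)"
    length: int = 84


# Constructed routing table (assumption): the static 10.0.0.0/8 route from the
# post points at the leased-line VLAN; everything else, including the IPsec
# peer, leaves via the inet VLAN.
ROUTES = [
    ("10.0.0.0/8", "vlan_LL_omv_13"),
    ("0.0.0.0/0", "vlan_LL_inet_20"),
]

# The chain=srcnat rule from the post.
SRCNAT_RULES = [
    {"src-address": "192.168.1.0/24", "dst-address": "10.1.42.27/32",
     "to-addresses": "172.20.10.70"},
]

# The selector part of the two IPsec policies the post tried.
POLICY_NATED = {"src-address": "172.20.10.70/32", "dst-address": "10.1.42.27/32"}
POLICY_ORIGINAL = {"src-address": "192.168.1.20/32", "dst-address": "10.1.42.27/32"}


def _in(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net, strict=False)


def route_lookup(dst: str, routes=ROUTES) -> str:
    """Longest-prefix match over the route table; returns the out-interface."""
    candidates = [(ip_network(net), iface) for net, iface in routes if _in(dst, net)]
    _, iface = max(candidates, key=lambda c: c[0].prefixlen)
    return iface


def forward_log(pkt: Packet, out_iface: str) -> str:
    """The firewall,info line a log rule in chain=forward writes.  The forward
    chain runs before postrouting, so it always shows the pre-NAT source."""
    return (f"forward: in:{pkt.in_iface} out:{out_iface}, proto {pkt.proto}, "
            f"{pkt.src}->{pkt.dst}, len {pkt.length}")


def apply_srcnat(pkt: Packet, rules=SRCNAT_RULES) -> Packet:
    """First matching srcnat rule rewrites the source address (postrouting)."""
    for rule in rules:
        if _in(pkt.src, rule["src-address"]) and _in(pkt.dst, rule["dst-address"]):
            return replace(pkt, src=rule["to-addresses"])
    return pkt


def policy_matches(policy: dict, pkt: Packet) -> bool:
    """IPsec policy selector check; the packet handed to it is the NATed one."""
    return _in(pkt.src, policy["src-address"]) and _in(pkt.dst, policy["dst-address"])


def forward(pkt: Packet, policy: dict) -> dict:
    """Routing decision -> forward log -> src-nat -> IPsec policy, in that order."""
    out_iface = route_lookup(pkt.dst)
    log_line = forward_log(pkt, out_iface)
    on_wire = apply_srcnat(pkt)
    encrypted = policy_matches(policy, on_wire)
    return {
        "log": log_line,
        "src_on_wire": on_wire.src,
        "encrypted": encrypted,
        # A matched packet is wrapped in ESP towards sa-dst-address; an
        # unmatched one keeps the route chosen above and leaves in the clear.
        "leaves_via": "ESP tunnel" if encrypted else out_iface,
    }


# The ping from the post: 192.168.1.20 on vlan_rac_10 towards 10.1.42.27.
PING = Packet(src="192.168.1.20", dst="10.1.42.27", in_iface="vlan_rac_10")

if __name__ == "__main__":
    for name, policy in (("policy 172.20.10.70->10.1.42.27", POLICY_NATED),
                         ("policy 192.168.1.20->10.1.42.27", POLICY_ORIGINAL)):
        print(name)
        for key, value in forward(PING, policy).items():
            print(f"  {key}: {value}")
```

Two things fall out of running it. The forward-chain log line the model produces is the one in the first posted log (pre-NAT source 192.168.1.20, out-interface from the 10.0.0.0/8 route), so that log rule cannot show whether the NAT or the encryption happened. And only the policy naming 172.20.10.70 matches the packet after srcnat; with the policy naming 192.168.1.20 the NATed packet matches no encrypt policy at all, and a packet matched by no policy is simply forwarded unencrypted on whatever route it had. To check the tunnel itself rather than the forward chain, look at the counters of the installed SA (`/ip ipsec installed-sa print`, the current-bytes column) while pinging, or sniff the inet interface for ESP (IP protocol 50) towards the sa-dst-address.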