xpkiller
just joined
Topic Author
Posts: 19
Joined: Wed Feb 29, 2012 7:20 pm
Location: Hungary, Budapest

ipsec VPN with srcnat

Thu May 10, 2012 12:17 am

Hi,

I have a problem.
We have a lot of IPsec VPNs and leased lines, and we are using VLANs and other things, but we don't have an IPsec VPN with srcnat yet (only dnat).

Unfortunately we have a partner that needs 10.0.0.0/8, and therefore I have a static route for it.
But now I need a new IPsec VPN; the remote LAN address is 10.1.42.27 and I need to change our source address to 172.20.10.70 too.
So the VPN is OK, and I have a policy with 172.20.10.70->10.1.42.27, BUT I have seen that our packet goes to the leased line and not into the IPsec tunnel.
My original address is 192.168.1.20.

I see this in the log (I made a log rule in the firewall) with this policy:

ip ipsec policy
src-address=172.20.10.70/32 src-port=any dst-address=10.1.42.27/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=xx.xx.xx.xx
sa-dst-address=yy.yy.yy.yy proposal=sha1_aes256_none priority=0

19:42:43 firewall,info forward: in:vlan_rac_10 out:vlan_LL_omv_13, proto ICMP (type 8, code 0), 192.168.1.20->10.1.42.27, len 84
19:42:43 firewall,info forward: in:vlan_LL_inet_20 out:vlan_rac_10, proto ICMP (type 0, code 0), 10.1.42.27->192.168.1.20, len 84
19:42:44 firewall,info forward: in:vlan_rac_10 out:vlan_LL_omv_13, proto ICMP (type 8, code 0), 192.168.1.20->10.1.42.27, len 84
19:42:44 firewall,info forward: in:vlan_LL_inet_20 out:vlan_rac_10, proto ICMP (type 0, code 0), 10.1.42.27->192.168.1.20, len 84

When I ping the remote IP it goes to the leased line and I get the response from the VPN (inet) :-O
(our partners have a direct line between them and maybe they route this NET partner1<-->partner2)
(me -> (leased line) partner1 -> (leased line) partner2 -> (inet-vpn) me)

Then I changed the policy to the original IP.
If I change the policy in IPsec to 192.168.1.20->10.1.42.27 then I see:

21:57:36 firewall,info forward: in:vlan_rac_10 out:vlan_LL_inet_20, proto ICMP (type 8, code 0), 192.168.1.20->10.1.42.27, len 84
21:57:37 firewall,info forward: in:vlan_rac_10 out:vlan_LL_inet_20, proto ICMP (type 8, code 0), 192.168.1.20->10.1.42.27, len 84

I think this is good...

(I don't get a response, but this is not a problem, because if I see my packet go into the tunnel I can tell my partner that my config is OK.)

My config is:

ip ipsec policy
src-address=192.168.1.20/32 src-port=any dst-address=10.1.42.27/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=xx.xx.xx.xx
sa-dst-address=yy.yy.yy.yy proposal=sha1_aes256_none priority=0

route (because of the leased line to another partner)
1 A S 10.0.0.0/8 cc.cc.cc.cc 1

ip firewall nat
chain=srcnat action=src-nat to-addresses=172.20.10.70 src-address=192.168.1.0/24 dst-address=10.1.42.27

ip firewall filter
chain=forward action=accept connection-state=new protocol=tcp src-address=192.168.1.0/24 dst-address=10.1.42.27 dst-port=22


What do you think is wrong?
How can I check that my packet went into the tunnel and that my IP was changed correctly?
I tried logging, but I can't see it, because if I put a rule into the firewall I cannot see the NATed IP there yet; it changes later on the packet's road (postrouting).
I tried the packet sniffer with Wireshark too, but I cannot see everything.
If I have an IPsec VPN, then which IP do I need to put into the policy? The original or the SNATed one?
(I have seen this: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow)
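The question in the post above (which address the IPsec policy sees, and why a forward-chain log rule cannot show the NATed address) as an added model. This is illustration code written for this page, not RouterOS code and not anything from the MikroTik wiki: it walks one packet through the stages in the order the linked Packet Flow page gives them (routing decision, forward filter, srcnat in postrouting, then IPsec policy match and ESP encapsulation), using the addresses, interface names, route and NAT rule from the post. The peer placeholders xx.xx.xx.xx / yy.yy.yy.yy are stood in for by RFC 5737 test addresses, and the assumption that a policy matching the untranslated packet already steers the first routing decision toward the peer is the model's own, chosen so that it reproduces both log excerpts in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Stand-ins for the xx.xx.xx.xx / yy.yy.yy.yy placeholders in the post (RFC 5737 test addresses).
SA_SRC = "198.51.100.1"   # sa-src-address (our public IP)
SA_DST = "203.0.113.2"    # sa-dst-address (the partner's IPsec peer)

# /ip route as described in the post: (prefix, out interface); longest prefix wins.
ROUTES = [
    ("10.0.0.0/8", "vlan_LL_omv_13"),   # static route over the leased line to the other partner
    ("0.0.0.0/0", "vlan_LL_inet_20"),   # default route to the internet, where the peer lives
]

# /ip firewall nat chain=srcnat from the post: (src-address, dst-address, to-addresses).
SRCNAT = [("192.168.1.0/24", "10.1.42.27/32", "172.20.10.70")]


@dataclass
class Policy:
    """/ip ipsec policy ... action=encrypt tunnel=yes, reduced to its selectors."""
    src: str
    dst: str


def _in(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def route_lookup(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the out interface."""
    hits = [(ipaddress.ip_network(p), iface) for p, iface in ROUTES if _in(dst, p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def srcnat(src: str, dst: str) -> str:
    """Postrouting src-nat: translated source, or the original if no rule matches."""
    for s, d, to in SRCNAT:
        if _in(src, s) and _in(dst, d):
            return to
    return src


def match_policy(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    for p in policies:
        if _in(src, p.src) and _in(dst, p.dst):
            return p
    return None


def forward(policies: List[Policy], src: str, dst: str, in_iface: str = "vlan_rac_10") -> dict:
    """Walk one forwarded packet through the stages; report the log line and what leaves the router."""
    # 1. Routing decision, before srcnat, so it sees the original source. Model assumption:
    #    a policy that already matches the untranslated packet steers this decision toward
    #    the peer's route (this reproduces the out:vlan_LL_inet_20 line in the second log).
    out_iface = route_lookup(SA_DST) if match_policy(policies, src, dst) else route_lookup(dst)
    # 2. Forward-chain filter: the log rule runs here, with the pre-NAT source and that out interface.
    log_line = f"forward: in:{in_iface} out:{out_iface}, {src}->{dst}"
    # 3. srcnat is in postrouting, after the forward chain.
    nat_src = srcnat(src, dst)
    # 4. IPsec policy matching comes after srcnat, so it is evaluated on the translated source.
    policy = match_policy(policies, nat_src, dst)
    if policy is None:
        # No policy for the NATed packet: it leaves in the clear along the plain route.
        return {"log": log_line, "encrypted": False, "wire_src": nat_src,
                "wire_dst": dst, "wire_out": route_lookup(dst)}
    # Tunnel mode: the inner packet is wrapped in ESP between the peers and routed to sa-dst-address.
    return {"log": log_line, "encrypted": True, "inner": (nat_src, dst),
            "wire_src": SA_SRC, "wire_dst": SA_DST, "wire_out": route_lookup(SA_DST)}


def policy_with_nat_address() -> dict:
    """The first policy in the post: selectors use the SNATed source."""
    return forward([Policy("172.20.10.70/32", "10.1.42.27/32")], "192.168.1.20", "10.1.42.27")


def policy_with_original_address() -> dict:
    """The second policy in the post: selectors use the original LAN source."""
    return forward([Policy("192.168.1.20/32", "10.1.42.27/32")], "192.168.1.20", "10.1.42.27")


if __name__ == "__main__":
    for name, result in (("NATed-address policy", policy_with_nat_address()),
                         ("original-address policy", policy_with_original_address())):
        print(name, "->", result)
```

Running it shows why the forward-chain log is a poor check: with the NATed-address policy the log still prints out:vlan_LL_omv_13, because that rule fires before srcnat and before the policy is matched, yet the packet leaves as ESP toward the peer. A firewall rule with the ipsec-policy matcher, or sniffing ESP on the internet-facing interface, checks what actually left the router.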
xpkiller

Re: ipsec VPN with srcnat

Fri May 11, 2012 8:30 pm

I don't know what the problem would be.
I ran the packet sniffer and other things... now I think the packet goes to the right interface, but only for one IP.
About the second IP, I don't see where it wants to go. I see it when it comes from the server, but I don't see it when it goes out.
xpkiller

Re: ipsec VPN with srcnat

Sun May 13, 2012 3:48 pm

So, I have two policy rules for this IPsec.
Question: can I have two policy rules for one IPsec peer?

If not, then how can I solve this? I need to route two exact IPs (not a net) to the remote side, e.g. 10.1.42.27 and 10.1.48.193, which is why I made it this way.
If I have two policies then I will have two SAs, BUT the remote side may have only one.
xpkiller

Re: ipsec VPN with srcnat

Tue May 15, 2012 4:58 pm

The problem is not on my side. The partner has a wrong config.
I have built a test system and simulated each side, and my config is good.