IPSEC and NAT

Hi all,

I have a problem with IPSEC and NAT.
My topology:

|RB450G|
     ||
     || IPsec Tunnel
     ||
     ||
|RB1100AH|

RB1100AH = subnet 192.168.102.0/24
RB450G = subnet 192.168.44.0/24

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment=SourceNat disabled=no out-interface=internet
add action=dst-nat chain=dstnat disabled=no dst-port=443 in-interface=internet protocol=tcp to-addresses=192.168.102.131 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=internet protocol=tcp to-addresses=192.168.102.131 to-ports=80

Problem:
All traffic hitting the RB1100AH from the remote site on port 443 or 80 is redirected to 192.168.102.131, which is logical in this scenario, but if this traffic is not addressed to the RB1100AH's external address, it should be routed to other hosts on the network.

Any ideas how to achieve this? If more details are needed, no problem.

BR,
Daniel
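One way to keep site-to-site traffic out of the port forwards while still redirecting Internet clients, as an added example that is not part of Daniel's post: the dstnat chain gets an accept rule for 192.168.0.0/16 traffic, mirroring the existing srcnat accept, and the dst-nat rules are scoped to the router's own public address. `<PUBLIC_IP>` is a placeholder for the RB1100AH WAN address; the `ipsec-policy` matcher in the commented alternative is assumed to be available on the installed RouterOS version.

```routeros
/ip firewall nat
# Existing srcnat rules from the post, unchanged: no masquerade between the sites.
add action=accept chain=srcnat dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment=SourceNat out-interface=internet

# Added (constructed example): traffic between the two sites must never reach the
# port-forward rules. It is added first so it is evaluated before the dst-nat entries.
add action=accept chain=dstnat comment="no DNAT for traffic inside the IPsec tunnel" \
    dst-address=192.168.0.0/16 src-address=192.168.0.0/16

# Alternative for the accept rule: match packets that were decapsulated from an
# IPsec policy instead of matching on addresses (assumed available on this RouterOS).
# add action=accept chain=dstnat comment="no DNAT for IPsec payload" ipsec-policy=in,ipsec

# Added: the port forwards only apply to packets addressed to the router's public IP.
# <PUBLIC_IP> is a placeholder; replace it with the RB1100AH WAN address.
# (dst-address-type=local would also work, but it matches every local address,
# including the LAN gateway address reachable through the tunnel.)
add action=dst-nat chain=dstnat comment="HTTPS forward" dst-address=<PUBLIC_IP> \
    dst-port=443 in-interface=internet protocol=tcp to-addresses=192.168.102.131 to-ports=443
add action=dst-nat chain=dstnat comment="HTTP forward" dst-address=<PUBLIC_IP> \
    dst-port=80 in-interface=internet protocol=tcp to-addresses=192.168.102.131 to-ports=80
```

Check the result with `/ip firewall nat print stats`: the dstnat accept rule's counters should increase for web traffic coming from 192.168.44.0/24, while the dst-nat counters should increase only for connections from the Internet.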

The age-old “Mikrotik IPSEC + NAT”… Mikrotik has constantly been “improving” IPSEC over NAT throughout the years… but I and many others have finally given up on it ever working right through NAT.

Can you use another protocol like the Mikrotik SSTP instead? If you are completely set on using IPSEC, especially through NAT, I’ve come to the conclusion that Mikrotik isn’t a good choice.