IPsec behind NAT

rbuserdl · November 11, 2022, 1:12pm

Hello team!!!

I need to create an IPsec VPN between my Mikrotik and another router/firewall which I can not manage (I only can manage the Mikrotik side)
My LAN is 192.168.3.0/24, but this segment is in use in the remote network, so they asked me to change my lan or do a kind of nat.
I know how to create the VPN and how to nat, but I never mixed both features together.
I tried to add a srcnat to change my IP but with this rule enabled the ping never reach the another side.
Any suggestion to accomplish this by doing something in my side?

Thanks in advance.
Regards,
Damián

sindy · November 11, 2022, 5:34pm

Is it a bare IPsec with a policy? If so, bear in mind that the src-nat (in your case, the netmap action in srcnat chain) comes first, and then comes the policy matching. So a packet from 192.168.3.x must get src-nated to, say, 10.168.3.x, and the policy’s src-address must be 10.168.3.x at your side. If the connections should be established in both directions, you also need a netmap rule in dstnat chain.

rbuserdl · November 16, 2022, 12:31pm

Hello Sindy, I missed you!!!
Thanks a lot for your response!
Not sure what you mean with “bare”, this is just IPsec, not L2TP/IPsec or any other VPN with IPsec if you mean this
The netmap rule is something like this?

/ip firewall nat add action=netmap chain=srcnat comment="CGNAT rule" out-interface-list=WAN ipsec-policy=out

Then the src-nat action in another rule, and the netmap with dst-nat chain in another rule, right?

Thanks!
Regards!
Damián

Sob · November 16, 2022, 12:47pm

/ip firewall nat
add chain=srcnat src-address=<your real LAN subnet> dst-address=<remote subnet> action=netmap to-addresses=<your fake LAN subnet> comment="for outgoing connections"
add chain=dstnat src-address=<remote subnet> dst-address=<your fake LAN subnet> action=netmap to-addresses=<your real LAN subnet> comment="for incoming connections"

IPSec policy should be for ↔ . And real and fake subnets should have same size.

sindy · November 16, 2022, 1:09pm

Yes, that’s what I had in mind. Maybe I should have called it “standalone IPsec”.

No need to repeat @Sob’s correct answer

Yes, the netmap rules in srcnat and dstnat will handle solely the actual subnet to alias subnet translation; a separate src-nat/masquerade rule is necessary for the traffic from LAN to internet. But since the source subnet will likely be the same for both, it is important that the netmap rule in srcnat chain that matches on dst-adress=remo.te.sub.net/mask is placed before (above) the src-nat/masquerade one. Or you could add a route to remo.te.sub.net/mask and set its gateway to some port-less bridge created for the purpose, and then let the netmap rule match on out-interface=name-of-that-bridge. This might make sense if you want to prevent traffic that should go through the tunnel from leaking via WAN if the tunnel is down and the IPsec policy is created dynamically (a static policy intercepts the traffic even if the tunnel is down).

rbuserdl · November 17, 2022, 12:41pm

Thanks a lot to both!!!
I just see that the rule I wrote before has no sense because this does not have any address
What you both said makes sense to me, I will try soon

Regards,
Damián