Hi,
I am having trouble with the configuration of my site-to-site IPSec tunnel. The point is that the remote peer (RB750) is behind NAT. Of course, there is a public IP address forwarded to the RB750 device. The IPSec policy is:
src-address=192.168.127.0/24 src-port=any dst-address=192.168.4.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=192.168.250.3 sa-dst-address=91.x.x.x proposal=default priority=0
The firewall-NAT rule is
chain=srcnat action=masquerade src-address=192.168.127.0/24 dst-address=192.168.4.0/24
Now I can access the remote LAN 192.168.127.0/24 which is behind RB750. However, my local LAN is not accessible from RB750. What should I do to get it working?
The thing is that the public IP on the RB750 shouldn't be forwarded. You need an interface on that RB750 with the specified public IP address assigned. That public IP has to be routed through the whole network. There's no use for a forwarded or NAT-ed public IP in the case of IPsec, because IPsec's AH protocol adds a header to an IP packet. The value of the AH header is calculated from IP packet fields. If you NAT that packet, you actually change some of the IP fields of the packet, with the result that it won't pass authentication upon arrival - the AH header is different because some of the IP packet fields don't have the same values.
On your edge router, you have to masquerade all traffic that exits your network. All - except the public IP assigned to the RB750. You have to accept that. That rule needs to be before the masquerade.
I had a few problems before it worked for me. I hope you will get this working; if you don't, I can put up some drawings if needed.
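The edge-router NAT arrangement the reply describes (exempt the RB750's public IP from source NAT, then masquerade everything else), written out as RouterOS CLI. This is an added illustration, not configuration from either poster; the interface name `ether1-wan` and the address `203.0.113.10` are placeholders for the edge router's WAN interface and the public IP assigned to the RB750. The `print` commands at the end are how to confirm the accept rule is actually being hit and that the tunnel's SAs come up.

```routeros
# Edge router. Rule order matters: the accept must sit above the masquerade,
# otherwise the masquerade matches first and rewrites the IPsec peer's source.
/ip firewall nat
# Placeholder: public IP configured on an interface of the RB750, reachable
# through the internal network without any NAT or port forwarding.
add chain=srcnat src-address=203.0.113.10 action=accept \
    comment="IPsec peer: do not NAT the RB750 public address"
# Placeholder interface name; masquerade all other outbound traffic.
add chain=srcnat out-interface=ether1-wan action=masquerade \
    comment="default masquerade for the rest of the LAN"

# Verification: the accept rule's packet/byte counters should increase while
# the tunnel negotiates, and installed SAs should appear for both directions.
/ip firewall nat print stats
/ip ipsec installed-sa print
# IKE negotiation problems show up in the log under the ipsec topic.
/log print where topics~"ipsec"
```

If the accept rule's counters stay at zero while the tunnel fails, the RB750's public IP is not actually the source address of the IKE/ESP packets leaving the edge router, which is the symptom the reply attributes to a forwarded rather than assigned address.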