IPSec IKEv2 Tunnel - no internet

Hello,

I was following a guide from here on how to set up an IPSec site-to-site tunnel. Currently it's connected to my local network for testing before deploying.
I am having problems getting internet from the remote site from the local network. So from 192.168.110.0/24 → Internet, unless I enable the masquerade rule I set up in NAT:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.100.0/24 \
    out-interface-list=WAN

This is me pinging first with the NAT rule, then without.

[mike6715b@Client MT] > ping 1.1.1.1 src-address=192.168.110.1
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 1.1.1.1                                    56  57 11ms 
    1 1.1.1.1                                    56  57 11ms 
    2 1.1.1.1                                    56  57 11ms 
    sent=3 received=3 packet-loss=0% min-rtt=11ms avg-rtt=11ms max-rtt=11ms 

[mike6715b@Client MT] > ping 1.1.1.1 src-address=192.168.110.1
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 1.1.1.1                                                 timeout            
    1 1.1.1.1                                                 timeout            
    2 1.1.1.1                                                 timeout            
    sent=3 received=0 packet-loss=100% 

[mike6715b@Stragatrans ZG] >

I have a feeling that this is not the proper way of setting this up, so I'm just hoping to get some guidance on how you would more properly set this up.
Other than that, the connection works flawlessly and I can ping from remote to local and the other way around.

IP addresses:
Client site LAN: 192.168.110.0/24
VPN tunnel: 10.20.0.0/24
HQ LAN: 192.168.100.0/24
My network: 192.168.20.0/24 (Using this as “Internet” for MikroTiks)

Client export included:
help.rsc (4.34 KB)

After some more research on NAT rules and IPsec policy, I found that this rule allows internet to work on the client side:

/ip firewall nat
  add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec

Would this be the correct way of setting this up?

Here are some of my written guides. Check all of them:)

The VPN server will not be behind NAT.
Also, I’m not using an EoIP interface for the tunnel, but all policy based.

From what I gather, this would be the main solution for me:

# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.3 to-addresses=10.22.22.1 place-before=0

I seem to have fixed the problem for now.
I will leave it at that.

The guide for VPN Client Setup for Windows 10 will come in handy tho, thanks!