Hi,
I’m using a MirotikRouter to connect to my company’s Network via IPSec. Everything works, but the IPSec Server uses 0.0.0.0/0 as subnet specifier, therefore the router sends all the traffic through the company network. I’d prefer to send only requests to the company network (192.168.0.0/24) through vpn and everything else through the regular routing.
[admin@SpikeBox] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT
0 local_lan 10.0.1.0/24 aug/16/2020 11:06:30
.
[admin@SpikeBox] > /ip ipsec mode-config print
Flags: * - default, R - responder
0 * name="request-only" responder=no use-responder-dns=exclusively
1 name="Work" responder=no src-address-list=local_lan use-responder-dns=yes
.
[admin@SpikeBox] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=10.10.10.11 src-address-list=local_lan dst-address-list=!local_lan
1 X ;;; Manual IPSec Routing for 192.168.0.0/24 only
chain=srcnat action=src-nat to-addresses=10.10.10.11 src-address=10.0.1.0/24 dst-address=192.168.0.0/24 log=no log-prefix=""
[...]
If i delete the dynamic rule that’s created by the mode-config and use the manual one, it works. But the 10.10.10.11 IP is dynamically assigned by the IPSec server so if the lease expires it won’t be updated automatically in the manual rule.
Is there a way to narrow down the dst-address-list in the dynamically generated rule so it won’t include everything in !local_lan but only 192.168.0.0/24 like in the manual rule?