IPSec NAT problem

Hi, I'm trying to make an installation work where I need to interconnect, by IPSec, a Windows server running an SMPP gateway with an SMSC server. The Windows server is behind a CCR1009-8G-1s MikroTik, to handle the IPSec connection, but the actual layout doesn't work, because I think the server is over the switched port to the internet connection.
I need to implement a routing scheme with the restriction of the IPSec IPs that were negotiated with the providers (3), as in the diagram.
If I move the server IP (x.x.116.69) to eth1 of the router and then make a full NAT from this IP to the internal port of the server (10.10.31.69/24), can the IPSec work, and send the source address as the external IP (x.x.116.69)?
Any suggestion for this solution?
Your help will be appreciated.
[attachment: original net 0.1.jpg]

[quote="vcapetillo"]
If I move the server IP (x.x.116.69) to eth1 of the router and then make a full NAT from this IP to the internal port of the server (10.10.31.69/24), can the IPSec work, and send the source address as the external IP (x.x.116.69)?
[/quote]

That's what you need to do. If the x.x.116.69 address lives on the server, and the server is connected outside of the router, then the server's packets aren't going to go through the router to get encapsulated with IPSec. (You could actually make it work, but it would be a strange configuration that would be hard to explain to other techs and harder to troubleshoot.)

Basically, you will build the NAT as you would for any non-IPSec configuration (dst-nat and src-nat rules for the server which come before the default NAT rule) but with the following exception:

You just make sure that you allow the server's public IP in the IPSec policy when the destination is the remote network.
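The rule ordering and policy addressing described in the reply above, written out as an added RouterOS v6 configuration example (this is not configuration posted by anyone in the thread). It assumes the server's public address x.x.116.69 has been moved onto ether1 of the CCR, that the server's internal address is 10.10.31.69 on ether2, and that REMOTE_NET, PEER_IP, ROUTER_WAN_IP and the pre-shared key are placeholders for the values agreed with the provider.

```routeros
# Added example, not from the thread. RouterOS 6.x syntax (peer syntax is the
# pre-6.43 form; newer releases split the peer into /ip ipsec peer + identity).
# Placeholders: REMOTE_NET, PEER_IP, ROUTER_WAN_IP, PLACEHOLDER_PSK.

/ip address
add address=x.x.116.69/30 interface=ether1 comment="server public IP, now on the router"
add address=10.10.31.1/24 interface=ether2 comment="LAN side; server is 10.10.31.69"

/ip firewall nat
# 1:1 NAT for the server. Both rules come BEFORE the catch-all masquerade,
# so the server's traffic leaves the router as x.x.116.69 and the IPsec policy
# lookup (which happens after src-nat) sees the public address.
add chain=dstnat dst-address=x.x.116.69 action=dst-nat to-addresses=10.10.31.69 \
    comment="inbound: public IP -> server"
add chain=srcnat src-address=10.10.31.69 action=src-nat to-addresses=x.x.116.69 \
    comment="outbound: server -> public IP"
# Default rule for everything else on the LAN (stays last).
add chain=srcnat out-interface=ether1 action=masquerade comment="default NAT"

/ip ipsec proposal
add name=smsc-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

/ip ipsec peer
add address=PEER_IP/32 secret=PLACEHOLDER_PSK exchange-mode=main \
    comment="provider's IPsec gateway"

/ip ipsec policy
# The "exception" from the reply: the policy matches the NATed public IP of
# the server, not 10.10.31.69, because src-nat has already rewritten the
# source by the time the policy is consulted.
add src-address=x.x.116.69/32 dst-address=REMOTE_NET protocol=all \
    action=encrypt tunnel=yes sa-src-address=ROUTER_WAN_IP sa-dst-address=PEER_IP \
    proposal=smsc-prop comment="server public IP -> SMSC network"
```

To check that traffic is taking the intended path, `/ip firewall nat print stats` should show the dst-nat and src-nat counters increasing before the masquerade counter, and `/ip ipsec installed-sa print` should list SAs between ROUTER_WAN_IP and PEER_IP. Return traffic from REMOTE_NET arrives decrypted with destination x.x.116.69, is dst-natted to 10.10.31.69, and the server's reply is src-natted back to x.x.116.69 before it is matched by the policy.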

OK, perfect, now the full NAT is working, but about your "exception": the IPSec policy has the public (NATed) address of the server (x.x.116.68/30, which includes x.x.116.69), not the internal IP. Is that correct?
And another thing: now the other port of the server (old x.x.116.69, now x.x.116.81) is connected to eth3, switched with eth1 in the router, carrying the non-IPSec destinations. Do you think it is better to disconnect this port and route everything through the NATed port, with a proper NAT rule for the other destinations?
Thanks a lot for your help and your time.
Regards
[attachment: new net 1.jpg]

God, yes!

Keep all of the decision-making in the logical place: your router. Let the host be as straightforward as possible. If a desired behavior can be accomplished but only by making multiple devices do 'unusual' things, all in a certain special way, you're going to want to jump off a cliff some day in the future when the tangled mess you've made either prevents you from doing something else you want to do, or suddenly stops working for some unknown reason.

OK, clear, thanks very much.
Now I will make the changes.
Regards