IPSec NAT translation?

Hi guys.
At one of my clients I have to replace a Cisco router with a MikroTik. In IPsec they have NAT translation, which means that the LAN subnet is 192.168.1.0/24, but through the IPsec tunnel this subnet is "advertised" as the subnet 10.99.62.0/24.

Can that be done with:
ip firewall nat add src-address=192.168.1.0/24 dst-address=10.3.248.82 action=src-nat to-addresses=10.99.62.0/24
Will every IP from the 192.168… subnet be src-nated from the 10.99.62.0/24 pool, or do I have to make a dummy bridge, put all 254 IP addresses from the 10.99… subnet on it and then make 254 rules in NAT…?

Below is a copy/paste from the Cisco…
zzzz#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: CM-VPN, local addr x.x.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (10.99.62.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.3.248.82/255.255.255.255/0/0)
current_peer y.y.y.y port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)

crypto map CM-VPN 12 ipsec-isakmp
description *** vvvvv ***
set peer y.y.y.y
set transform-set ESP-3DES-SHA
match address 124

access-list 124 permit ip 10.99.62.0 0.0.0.255 host 10.3.248.55
access-list 124 permit ip 10.99.62.0 0.0.0.255 host 10.3.248.82
access-list 124 permit ip 10.99.62.0 0.0.0.255 host 10.3.40.101
access-list 124 permit ip 10.99.62.0 0.0.0.255 host 10.3.248.224

ip nat pool iIPSEC 10.99.62.1 10.99.62.254 netmask 255.255.255.0
ip nat pool oIPSEC 192.168.1.1 192.168.1.254 netmask 255.255.255.0

Yes, this will work, though I would use action=netmap instead of action=src-nat in this case. Also do not forget to specify the chain. And you will have to specify the 10.99.62.0/24 network as the source in the IPsec policy.

Thanks…
I'll try with netmap. Although I must admit I don't fully understand the difference between action=src-nat and netmap… :frowning:
I'll report on the final setup in about a week…

I would like to ask for a little more help. I don't fully understand Cisco syntax. Please check if I understand the configuration correctly. Below is a sample from the Cisco and the corresponding example of the command in RouterOS… I know how to set up the parameters in MikroTik, I would only like to check if I've understood the Cisco configuration…

RouterOS:
ip ipsec peer add hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1536 …

Cisco:
crypto isakmp policy 12
encr 3des
authentication pre-share
group 5
crypto map CM-VPN 12 ipsec-isakmp
description *** zzzzzzzzzzz ***
set peer x.x.x.x

RouterOS:
ip ipsec proposal add auth-algorithms=sha1 enc-algorithms=3des name=foo

Cisco:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

RouterOS:
ip ipsec policy add src-address=10.99.62.0/24 dst-address=10.3.248.0/24 proposal=foo…

Cisco:
crypto map CM-VPN 12 ipsec-isakmp
description *** zzzzzzzzz ***
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 124

netmap maps IP addresses 1:1 and never changes port numbers, whereas src-nat may change source port as well.
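The two replies above (use netmap rather than src-nat, and put the translated 10.99.62.0/24 network in the IPsec policy) can be checked with a small model. The following is an added example written for this thread, not code from the thread or from MikroTik: it implements a 1:1 netmap translation that keeps the host bits and never touches ports, a pool-style src-nat that rewrites the source port and hands out pool addresses per connection, and an IPsec policy selector check applied after translation. The addresses are taken from the thread; the packet and the Packet/PoolSrcNat names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread: the real LAN, the subnet it is presented as
# inside the tunnel, and one of the remote hosts listed in access-list 124.
LAN = ipaddress.ip_network("192.168.1.0/24")
TUNNEL_NET = ipaddress.ip_network("10.99.62.0/24")
REMOTE = ipaddress.ip_network("10.3.248.82/32")


@dataclass(frozen=True)
class Packet:  # constructed for the example
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: int
    dport: int


def make_packet(src, dst, sport, dport):
    """Build a Packet from plain strings."""
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), sport, dport)


def netmap_addr(addr, from_net, to_net):
    """1:1 mapping: keep the host bits of addr, replace the network bits."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap requires equally sized networks")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def netmap_outbound(pkt):
    """LAN -> tunnel: translate the source address only; ports stay as they are."""
    if pkt.src not in LAN:
        return pkt  # rule does not match, packet passes untouched
    return replace(pkt, src=netmap_addr(pkt.src, LAN, TUNNEL_NET))


def netmap_inbound(pkt):
    """tunnel -> LAN: the reverse mapping on the destination, equally stateless."""
    if pkt.dst not in TUNNEL_NET:
        return pkt
    return replace(pkt, dst=netmap_addr(pkt.dst, TUNNEL_NET, LAN))


class PoolSrcNat:
    """Pool-style src-nat: every new connection gets the next pool address and a
    fresh source port, so the LAN host is not recognisable from its tunnel address."""

    def __init__(self, pool):
        self.pool = list(pool.hosts())
        self.next_addr = 0
        self.next_port = 1024
        self.table = {}  # (src, sport, dst, dport) -> (new_src, new_sport)

    def translate(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            new_src = self.pool[self.next_addr % len(self.pool)]
            self.next_addr += 1
            self.table[key] = (new_src, self.next_port)
            self.next_port += 1
        new_src, new_sport = self.table[key]
        return replace(pkt, src=new_src, sport=new_sport)


def ipsec_policy_matches(pkt, src_net, dst_net):
    """Policy selector check; on the outbound path it sees the already translated packet,
    which is why the policy must name 10.99.62.0/24 and not 192.168.1.0/24."""
    return pkt.src in src_net and pkt.dst in dst_net


if __name__ == "__main__":
    p = make_packet("192.168.1.37", "10.3.248.82", 40000, 443)
    print(netmap_outbound(p))                      # src 10.99.62.37, sport still 40000
    print(PoolSrcNat(TUNNEL_NET).translate(p))     # src from the pool, sport rewritten
    print(ipsec_policy_matches(netmap_outbound(p), TUNNEL_NET, REMOTE))  # True
    print(ipsec_policy_matches(p, TUNNEL_NET, REMOTE))                   # False
```

The netmap functions are stateless and reversible, which is what lets the remote side reach 10.99.62.37 and have it land on 192.168.1.37; the pool variant needs its connection table for that and still loses the port, which is the difference the reply above points at.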

I don't really have time right now to review your configuration, but here are a couple of tips. The "crypto ikev1 policy" (or "crypto isakmp policy") configuration blocks refer to phase 1 (peer configuration in MikroTik). All the defined policies are common to all peers (but only one is negotiated and used). The "crypto map" configuration blocks refer to phase 2 (IPsec proposals in MikroTik). The access list that the "crypto map" block refers to is your IPsec policies. The rest should be easy to guess.

Also please specify which Cisco you are migrating from, running IOS or ASA.

It's IOS…

Thanks… I was thinking the same, but I couldn't find a nice article about which phase is configured where in Cisco. In MikroTik it is pretty obvious and easy to understand (for me) which phase is configured in which module…

One more question…

All the defined policies are common to all peers (but only one is negotiated and used).

How are they negotiated? Are they "tried" in order, like firewall rules, where the first one that applies is negotiated, or is it some other logic…?

No. First, please note that what Cisco calls "isakmp policy" is, in fact, a phase 1 proposal. The initiator sends a list of proposals it is willing to support, and the responder just accepts one from the list (or responds with a NO_PROPOSAL_CHOSEN error in case no supported proposal is offered). This is how IPsec works irrespective of the vendor. Also, this algorithm is common for both phase 1 and phase 2; just the list of proposals may be different for each.
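The exchange described in this answer, as an added example that is not part of the thread: the initiator offers its whole proposal list in one SA payload, the responder walks the offered list and answers with the first proposal that exactly matches one of its own configured policies, or with NO_PROPOSAL_CHOSEN. The Cisco-to-RouterOS mapping of "group 5" to modp1536 and "hash sha" to sha1 is the standard IKE group/hash naming; everything else (the Proposal class, the sample policies, the transcript format) is constructed for the example. Which matching proposal wins when several match is implementation-specific; this code takes the first one offered.

```python
from dataclasses import dataclass

NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"

# Standard IKE Diffie-Hellman group numbers and their RouterOS names.
CISCO_DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
# Cisco "hash sha" is SHA-1, which RouterOS calls sha1.
CISCO_HASH = {"sha": "sha1", "md5": "md5"}


@dataclass(frozen=True)
class Proposal:  # constructed for the example; one phase 1 proposal
    encr: str
    hash: str
    auth: str
    group: str


def cisco_policy(encr, hash_alg, auth, group):
    """Translate one 'crypto isakmp policy' block into the normalised Proposal."""
    return Proposal(encr, CISCO_HASH[hash_alg], auth, CISCO_DH_GROUPS[group])


def responder_select(offered, configured):
    """Responder: first offered proposal that exactly matches a configured one, else error."""
    accepted = set(configured)
    for prop in offered:
        if prop in accepted:
            return prop
    return NO_PROPOSAL_CHOSEN


def exchange(initiator_policies, responder_policies):
    """Run the two-message negotiation and return (result, transcript)."""
    transcript = [("I->R", "SA payload", tuple(initiator_policies))]
    chosen = responder_select(initiator_policies, responder_policies)
    if chosen == NO_PROPOSAL_CHOSEN:
        transcript.append(("R->I", "NOTIFY", NO_PROPOSAL_CHOSEN))
    else:
        transcript.append(("R->I", "SA payload", (chosen,)))
    return chosen, transcript


if __name__ == "__main__":
    # Constructed Cisco side: two isakmp policies, all common to every peer.
    cisco = [cisco_policy("aes", "sha", "pre-share", 2),
             cisco_policy("3des", "sha", "pre-share", 5)]
    # MikroTik peer from the thread: 3des / sha1 / modp1536 with a pre-shared key.
    mikrotik = [Proposal("3des", "sha1", "pre-share", "modp1536")]
    result, log = exchange(mikrotik, cisco)
    for line in log:
        print(line)
    print("chosen:", result)
```

Run with the MikroTik list as initiator and the Cisco list as responder, the 3des/sha1/modp1536 proposal is returned even though it is only the second Cisco policy, since the responder matches whatever the initiator offers rather than walking its own list in priority order. Offering only a group the responder does not have yields the NOTIFY with NO_PROPOSAL_CHOSEN, which is the message to look for in the log when a migrated tunnel refuses to come up.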