IPSEC NAT with different networks

Hello,
I have two networks: 192.168.0.0/24 for my LAN and 10.10.130.0/24 for the IPsec tunnel. I cannot use 192.168.0.0/24 for the IPsec network because it is used on the other side.
I have an IPsec tunnel with two policies:
my network 10.10.130.0/24, destination 10.10.1.15, and
my network 10.10.130.0/24, destination 10.10.2.15
How do I NAT traffic from 192.168.0.0/24 to 10.10.1.15 and 10.10.2.15?
Thank you

I'm not completely clear on what your network topology is, but if you want packets coming from the LAN subnet 192.168.0.0/24 to be src-nated to one of the addresses from the 10.10.130.0/24 range, place rules like chain=srcnat action=src-nat src-address=192.168.0.0/24 dst-address=10.10.1.15 to-addresses=10.10.130.x at the proper place in /ip firewall nat (the order of rules matters there too!). If you can afford to systematically translate 192.168.0.X to 10.10.130.X and it makes sense for your application scenario, you can use chain=srcnat action=netmap src-address=192.168.0.0/24 dst-address=10.10.1.15 to-addresses=10.10.130.0/24 instead.

Of course, both methods require that you do not exclude packets from 192.168.0.0/24 to the remote destinations 10.10.1.15 and 10.10.2.15 from connection tracking (NAT is a functionality provided by connection tracking).
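The reply above hinges on three things: src-nat rewrites every LAN source to one fixed tunnel address, netmap keeps the host part and swaps only the network prefix (192.168.0.X becomes 10.10.130.X), and the first matching srcnat rule wins, so rule order decides which translation a flow gets. The following Python model is an added illustration, not RouterOS code or anything from the thread; it reimplements those three behaviours so you can see them on sample packets. The rule set, the translation targets 10.10.130.1 and 10.10.130.254, and the "10.10.0.0/16" catch-all are constructed for the example. Connection-tracking exclusion is modelled as a set of destinations for which NAT is simply never consulted, which is the effect the reply warns about.

```python
"""Simplified model of RouterOS-style srcnat rule evaluation.

Added example (not RouterOS code): first matching rule wins, src-nat rewrites
the source to one fixed address, netmap rewrites the source 1:1 by keeping the
host bits and replacing the network prefix.  Flows excluded from connection
tracking are never translated at all.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    chain: str                  # only "srcnat" is evaluated by this model
    action: str                 # "src-nat" or "netmap"
    src_address: str            # CIDR the packet source must fall in
    dst_address: Optional[str]  # CIDR (or /32 host) the destination must fall in; None = any
    to_addresses: str           # single address for src-nat, CIDR for netmap


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """1:1 prefix translation: host bits are preserved, network bits replaced."""
    src_net = ipaddress.ip_network(from_net, strict=False)
    dst_net = ipaddress.ip_network(to_net, strict=False)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("netmap needs equally sized networks")
    host_bits = int(ipaddress.ip_address(addr)) - int(src_net.network_address)
    return str(dst_net.network_address + host_bits)


def apply_srcnat(pkt: Packet, rules: List[Rule],
                 untracked_dsts: FrozenSet[str] = frozenset()) -> Packet:
    """Walk the srcnat chain in order and apply the first matching rule."""
    if pkt.dst in untracked_dsts:
        return pkt  # flow excluded from connection tracking: NAT never sees it
    src_ip = ipaddress.ip_address(pkt.src)
    dst_ip = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if rule.chain != "srcnat":
            continue
        if src_ip not in ipaddress.ip_network(rule.src_address, strict=False):
            continue
        if rule.dst_address is not None and \
                dst_ip not in ipaddress.ip_network(rule.dst_address, strict=False):
            continue
        if rule.action == "src-nat":
            return replace(pkt, src=rule.to_addresses)
        if rule.action == "netmap":
            return replace(pkt, src=netmap(pkt.src, rule.src_address, rule.to_addresses))
        raise ValueError(f"unsupported action {rule.action}")
    return pkt  # no rule matched: packet leaves untranslated


# Constructed rule set for the example (addresses after 10.10.130.0 are made up):
#  1. LAN -> 10.10.1.15: 1:1 netmap, so 192.168.0.10 shows up as 10.10.130.10
#  2. LAN -> 10.10.2.15: everything collapsed onto 10.10.130.1
#  3. LAN -> anything else behind the tunnel: collapsed onto 10.10.130.254
RULES = [
    Rule("srcnat", "netmap", "192.168.0.0/24", "10.10.1.15/32", "10.10.130.0/24"),
    Rule("srcnat", "src-nat", "192.168.0.0/24", "10.10.2.15/32", "10.10.130.1"),
    Rule("srcnat", "src-nat", "192.168.0.0/24", "10.10.0.0/16", "10.10.130.254"),
]


def demo() -> dict:
    """Return the translated source for a few constructed packets."""
    samples = [
        Packet("192.168.0.10", "10.10.1.15"),
        Packet("192.168.0.77", "10.10.2.15"),
        Packet("192.168.0.10", "10.10.3.15"),
        Packet("192.168.0.10", "8.8.8.8"),
    ]
    ordered = {f"{p.src}->{p.dst}": apply_srcnat(p, RULES).src for p in samples}
    # Same rules with the catch-all first: it shadows the specific ones.
    shadowed = apply_srcnat(samples[0], list(reversed(RULES))).src
    return {"in_order": ordered, "catch_all_first": shadowed}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it as a script to see the mapping table; the "catch_all_first" entry shows why the reply stresses rule placement: with the broad 10.10.0.0/16 rule on top, the netmap rule for 10.10.1.15 is never reached.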

Hi,
Thank you for your reply. This rule chain=srcnat action=netmap src-address=192.168.0.0/24 dst-address=10.10.1.15 to-addresses=10.10.130.0/24 works, but I can only ping one destination address at a time. If I kill the site-to-site VPN, then after it comes up I can randomly ping the same or the other address, but only one address at a time. Maybe it is a site-to-site VPN configuration problem, not NATing?
Regarding my topology: all my computers use the 192.168.0.0/24 network and 192.168.0.254 as the gateway for all internet traffic. 10.10.130.0/24 is used only for the tunnel to access servers on the remote side: 10.10.1.15, 10.10.2.15, 10.10.3.15 and others.

Found a solution on another thread for the random destination problem: in IPsec → Policies, Level must be set to unique.

I'd suggest you follow my automatic signature.

Hi,
VPN connection from my.ext.ip.adr to another.ext.ip.adr. My local network is 192.168.0.0/24; my IP address 192.168.0.10 needs to access another site, 10.10.10.10. On my site I have NATed 192.168.0.10 to 172.10.10.10. Ping from 192.168.0.10 to 10.10.10.10 works fine, and in the other direction it also works. But my software cannot send data from my 192.168.0.10 to 10.10.10.10.
What more do I need to do?

add action=netmap chain=srcnat dst-address=10.10.10.10 src-address=192.168.0.10 to-addresses=172.10.10.10
add action=netmap chain=dstnat dst-address=172.10.10.10 src-address=10.10.10.10 to-addresses=192.168.0.10

add address=172.10.10.10 interface=ether2-master-local network=172.10.10.10

add comment="vpn" dst-address=10.10.10.10 level=unique peer="peer1" proposal="peer2" sa-dst-address=another.ext.ip.adr sa-src-address=my.ext.ip.adr src-address=172.10.10.10/32 tunnel=yes

Disabling the fasttrack rule in the firewall fixed the problem.