IPsec s2s and src-nat :-/

Hello my fellow Tiks :slight_smile:

We have kind of a situation here…

I have zabbix 172.30.5.190 with default gw mtik1
mtik 1:

ether2 - 172.30.5.1/24

and mtik 2:

ether2 - 172.30.5.110/24
ether3 - 172.24.255.1/24

and offsite

mtik 3:

ether2 - 172.24.60.1/24

mtik1 is the default gw for zabbix and I added a route to it:

/ip route
add distance=1 dst-address=172.24.0.0/16 gateway=172.30.5.110

mtik2 connects to mtik3 with IPsec IKEv2

Policies are 172.24.255.0/24 ↔ 172.24.60.0/24

Now I want to monitor mtik3 with zabbix.

To accomplish that I added a src-nat rule on mtik2:

/ip firewall nat
add action=src-nat chain=srcnat dst-address=172.24.0.0/16 src-address=172.30.5.190 to-addresses=172.24.255.1

On mtik3 I see incoming ICMP from zabbix with src-address 172.24.255.1, but I do not receive the echo reply on zabbix.

What am I missing?

Cheers

Chris

Anybody?
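The forward and reverse path of that ping, modelled as an added Python example (this is not RouterOS code and not from the original post): it applies the src-nat rule and the IPsec policy selectors quoted in the post to a few constructed packets. The addresses and selectors are the ones from the post; the functions, the conntrack dictionary and the extra sample packets (destination 172.24.61.1, source host 172.30.5.50) are assumptions of this example. It goes one step beyond the single ping in the post by also showing what happens to a destination that the 172.24.0.0/16 route and NAT rule cover but the 172.24.60.0/24 policy does not: the packet is translated but no policy matches, so it is routed in the clear.

```python
from ipaddress import ip_address, ip_network

# Addresses and selectors below are the ones quoted in the post; the functions, the
# conntrack dictionary and the extra sample packets are assumptions of this example.
ZABBIX = "172.30.5.190"

# mtik2: /ip firewall nat add action=src-nat chain=srcnat dst-address=172.24.0.0/16
#            src-address=172.30.5.190 to-addresses=172.24.255.1
SRC_NAT = {
    "src-address": ip_network("172.30.5.190/32"),
    "dst-address": ip_network("172.24.0.0/16"),
    "to-addresses": ip_address("172.24.255.1"),
}

# mtik2 IPsec policy selectors: 172.24.255.0/24 <-> 172.24.60.0/24
POLICIES = [(ip_network("172.24.255.0/24"), ip_network("172.24.60.0/24"))]

# Translations mtik2 remembers so replies can be un-NATed: (nat_src, dst) -> original src
CONNTRACK = {}


def apply_src_nat(src, dst, rule=SRC_NAT):
    """srcnat runs after routing; on a match record the translation and return the new source."""
    if src in rule["src-address"] and dst in rule["dst-address"]:
        CONNTRACK[(rule["to-addresses"], dst)] = src
        return rule["to-addresses"]
    return src


def matching_policy(src, dst, policies=POLICIES):
    """First policy whose selectors cover (src, dst), or None.

    With no match there is nothing to encrypt, so the packet is simply routed in the clear.
    """
    for psrc, pdst in policies:
        if src in psrc and dst in pdst:
            return (psrc, pdst)
    return None


def forward(src, dst):
    """Outbound packet on mtik2: NAT first (post-routing), then the IPsec policy lookup."""
    src, dst = ip_address(str(src)), ip_address(str(dst))
    nat_src = apply_src_nat(src, dst)
    policy = matching_policy(nat_src, dst)
    return {"nat_src": str(nat_src), "policy": policy, "encrypted": policy is not None}


def reply(src, dst):
    """Inbound reply on mtik2: it arrives through the tunnel only if the swapped selectors
    match, and it is un-NATed from the conntrack entry created by the forward packet."""
    src, dst = ip_address(str(src)), ip_address(str(dst))
    orig = CONNTRACK.get((dst, src))
    return {
        "via_tunnel": matching_policy(dst, src) is not None,
        "orig_dst": None if orig is None else str(orig),
    }


if __name__ == "__main__":
    # The ping from the post: translated and encrypted, and the reply maps back to zabbix.
    f = forward(ZABBIX, "172.24.60.1")
    print("zabbix -> mtik3:", f)
    print("mtik3 -> zabbix:", reply("172.24.60.1", f["nat_src"]))
    # Inside the /16 NAT match but outside the /24 policy: translated, but not encrypted.
    print("zabbix -> 172.24.61.1:", forward(ZABBIX, "172.24.61.1"))
    # A host the NAT rule does not cover keeps its 172.30.5.x source, which no policy selects.
    print("other host -> mtik3:", forward("172.30.5.50", "172.24.60.1"))
```

The point of the third and fourth packets is the check a practitioner would want before trusting this setup: every source the NAT rule produces and every destination it is applied to must fall inside the policy selectors, otherwise the traffic is translated and then forwarded without IPsec.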

How exactly do you “see” it? Using /tool sniffer or using some action=log or log=yes firewall rule?

I would suspect most a firewall rule in chain input of /ip firewall filter to drop the ICMP echo request packets. Packets decapsulated from IPsec transport ones inherit the in-interface attribute from the transport ones, so if you drop anything coming from WAN except connection-state=established,related, this could be the explanation.

If the above is not sufficient, post the complete configuration of mtik3, following the hint in my automatic signature below.

Thanks for answering, sindy. I was away on vacation but am back now :wink:
I will try to analyze what you said and keep you posted. Thanks anyway,

Cheers, Chris