I need to have an IPSec client, connecting to my Mikrotik IPSec server/router, reach an external IP address (not in my network). I added the remote address to the split include and it appears in the client’s routing table. I am presently unable to reach the remote site via this method. I’m trying to migrate to Mikrotik-hosted IPSec from OpenVPN hosted by an internal server. The OpenVPN method works - this is the last function I haven’t been able to complete.
My first NAT rule is:
/ip firewall nat
add action=src-nat chain=srcnat comment="non-IPSec to Internet NAT to public IP" \
    ipsec-policy=out,none out-interface=ether1-Internet to-addresses=my.public.ip.address
Do I need to have an additional or different NAT rule for this to work?
The answer is - don’t use the “notrack” chain option of the identity. Instead, leave that blank/unspecified and manually create srcnat rule(s) that handle the traffic as appropriate.
The “old” way of setting up IPSec was to manually create an “accept” rule in the srcnat table prior to any actual “srcnat” rules. As of…whatever version…a convenience feature of “notrack chain” was added to the identity configuration. By setting a notrack chain the router would automagically create entries in the RAW table to bypass any NAT or filtering. For many applications this works fine - but if special handling is needed the simple “notrack” option can’t be used. And manually creating a specific “accept” rule in RAW to bypass the dynamically created “notrack” rules doesn’t work because the dynamic rules are inserted at the top of the table - which will take priority over the manual rules and thus invalidate the configuration.
Instead, for any IPSec connections requiring “special” handling - leave notrack blank/unspecified and create the “old” srcnat-accept rules as required.
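A worked RouterOS v7 configuration that follows the answer above (identity with no notrack-chain, explicit srcnat accept rule ahead of the src-nat rule), added here as an example and not taken from the thread. It assumes the names rw-pool, rw-cfg and ike2-rw, the client pool 10.10.10.0/24, LAN 192.168.88.0/24, 203.0.113.10 as the external host in the split include, and the ether1-Internet interface and my.public.ip.address placeholder from the question.

```routeros
# Added example (not the thread author's config): IKEv2 road-warrior setup
# without the identity's notrack-chain, so decrypted client packets stay in
# connection tracking and can be src-nat'ed to the public IP.
# Assumed values: rw-pool/10.10.10.0/24 (client pool), 192.168.88.0/24 (LAN),
# 203.0.113.10 (external host clients must reach), ether1-Internet and
# my.public.ip.address as in the question. Secret is a placeholder.

/ip pool add name=rw-pool ranges=10.10.10.2-10.10.10.254

/ip ipsec mode-config
add name=rw-cfg address-pool=rw-pool \
    split-include=192.168.88.0/24,203.0.113.10/32

/ip ipsec peer add name=ike2-rw exchange-mode=ike2 passive=yes

# notrack-chain deliberately left unset: with it set, RouterOS inserts dynamic
# RAW notrack rules at the top of the table, taking client traffic out of
# connection tracking and therefore out of NAT.
/ip ipsec identity
add peer=ike2-rw auth-method=pre-shared-key secret="CHANGE-ME-PLACEHOLDER" \
    generate-policy=port-strict policy-template-group=default mode-config=rw-cfg

/ip firewall nat
# 1. The "old" accept rule, first in srcnat: packets that an IPsec policy will
#    encrypt (LAN -> client, router -> client) must not be rewritten.
add chain=srcnat action=accept ipsec-policy=out,ipsec \
    comment="IPsec-bound traffic: no NAT"
# 2. Everything else leaving ether1 in the clear, including decrypted client
#    packets bound for 203.0.113.10, is src-nat'ed to the public address.
#    Replies are un-NAT'ed to 10.10.10.x, match the client's policy, and are
#    re-encrypted towards the client.
add chain=srcnat action=src-nat ipsec-policy=out,none \
    out-interface=ether1-Internet to-addresses=my.public.ip.address \
    comment="non-IPSec to Internet NAT to public IP"

# Checks after a client connects and pings 203.0.113.10:
# - no dynamic (D) notrack entries should be present
/ip firewall raw print
# - a dynamic policy for the client's 10.10.10.x address should exist
/ip ipsec policy print
# - the client's flow must be tracked, with reply-dst-address = public IP
/ip firewall connection print where src-address~"10.10.10."
```

If the connection list shows no entry for the client's flow, a notrack rule (dynamic or manual) is still bypassing tracking and NAT cannot apply.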