Hi, I have two internal VLANs and one internet connection:
dynamic internet IP => WAN
192.168.100.0/24 => LAB_A
192.168.101.0/24 => LAB_B
I would like external users to be able to connect in from their remote location (they will be behind another firewall, probably on a generic address like 192.168.1.0/24) via IPSEC VPN, but only give them access to LAB_B but deny access to LAB_A?
This remote client address will not be known in advance.
I can see on the Shrew Soft VPN client (pure IPSEC client) that when the tunnel is up, the client software only shows the remote server endpoint IP… it doesn't show any locally allocated address.
If you are referring to a remote pool, would this be a PPP pool such as L2TP?
As I understand pure IPSEC without PPP, it tunnels everything over the network connection as opposed to creating a new interface with its own IP. Or is this totally wrong?
OK, so you want MikroTik as an IPSEC server and users with IPSEC client software, which can connect remotely to the LAN B pool behind MikroTik.
In this case you don't need a policy on the MikroTik server; only the default peer is required with "generate policy" checked. And also use IP firewall NAT rules (`/ip firewall nat add chain=forward src-address=!192.168.100.0/24 dst-address=0.0.0.0/0 action=accept`).
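As an added illustration (not a configuration posted by anyone in this thread), here is one way to lay out the server side so that road-warrior clients land in a dedicated pool and are then restricted to LAB_B with firewall filter rules in the forward chain rather than NAT rules. It assumes RouterOS v6.43+ syntax (separate peer and identity objects), an assumed client pool 192.168.200.0/24, assumed object names, and a placeholder pre-shared key.

```routeros
# Added example, not from the original thread.
# Assumptions: RouterOS v6.43+, client pool 192.168.200.0/24,
# object names vpn-pool / vpn-cfg / rw-peer, placeholder PSK.

# 1. Address pool handed out to clients via mode-config; this is the
#    "locally allocated address" the client does not show in its own UI.
/ip pool add name=vpn-pool ranges=192.168.200.10-192.168.200.100

# 2. Mode-config: assign a pool address and push only LAB_B as a
#    tunnelled network. split-include is convenience, not enforcement.
/ip ipsec mode-config add name=vpn-cfg address-pool=vpn-pool \
    split-include=192.168.101.0/24

# 3. Passive peer accepting any source address, since the remote
#    client address is not known in advance. Policies are generated
#    per client, so no static policy is needed.
/ip ipsec peer add name=rw-peer passive=yes exchange-mode=main
/ip ipsec identity add peer=rw-peer auth-method=pre-shared-key \
    secret=CHANGE_ME generate-policy=port-strict mode-config=vpn-cfg

# 4. Enforcement lives in the firewall: traffic that was decrypted from
#    an IPsec tunnel (ipsec-policy=in,ipsec) may reach LAB_B and nothing
#    else, so LAB_A (192.168.100.0/24) is dropped even if a client adds
#    its own route for it.
/ip firewall filter add chain=forward ipsec-policy=in,ipsec \
    dst-address=192.168.101.0/24 action=accept comment="VPN -> LAB_B"
/ip firewall filter add chain=forward ipsec-policy=in,ipsec \
    action=drop comment="VPN -> everything else, including LAB_A"
```

Place the two filter rules above any general accept rule in the forward chain, and check `/ip firewall filter print stats` while a client is connected to confirm the drop counter rises when LAB_A is attempted.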