Hello,
I’ve established an IPsec VPN connection to a party that has the IP 171.11.153.20/32, and on my side I’ve been assigned this IP: 171.11.120.21/32. My LAN has the 192.168.1.0/24 address. The question is, what firewall/NAT rules should I create on my MikroTik so clients from my LAN 192.168.1.0/24 can reach the server with the IP 171.11.153.20/32?
Thank you.
I’d suggest using the following IPsec policy on the local router:
/ip ipsec policy
add action=encrypt src-address=192.168.1.0/24 dst-address=171.11.153.20
And one with swapped source and destination addresses on the remote party.
I’ve explained above that there is a policy rule already. Thank you, but you didn’t provide a solution.
/ip ipsec policy
add src-address=171.11.120.21/32 dst-address=171.11.153.20/32 \
    sa-src-address=152.***.***.** sa-dst-address=81.***.***.** \
    peer=New proposal=New level=unique tunnel=yes
What firewall/NAT rule should I add so clients from my LAN 192.168.1.0/24 can reach 71.11.153.20/32?
Thank you.
@TheCat12 has already hinted at how the policy should look for the LAN src address 192.168.1.0/24.
Unfortunately, I don’t have the right to choose; they gave me an IP and I have to use it, and it’s my problem how I will do it. There will be no other policy rule to be created. There should be a NAT/firewall rule that works for my case.
Okay, that sounds odd. The IPsec policy is usually pretty straightforward: the src-address and dst-address represent which local networks (subnets) the traffic should be encrypted between. The sa-src and sa-dst addresses are the respective WAN (internet) endpoint addresses for the encrypted tunnel.
In your case, you only provided two single LAN addresses, i.e., 171.11.153.20/32 and 171.11.120.21/32 to be encrypted.
You could possibly add a src-nat rule something like
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=171.11.153.20 \
    action=src-nat to-addresses=171.11.120.21
Move it up above any masquerade rules already there.
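For completeness, here is an added example (my own RouterOS commands, not from anyone in this thread) that keeps the single existing policy untouched, source-NATs the LAN into the policy address, adds the matching forward filter rules, and checks that traffic is actually being translated and encrypted. It assumes the WAN interface is called ether1 and that a masquerade rule on it already exists; the addresses are the ones from the thread.

```routeros
# Added example, not the thread's own config.
# Assumptions: WAN interface "ether1", an existing masquerade rule on it.
# Addresses from the thread: LAN 192.168.1.0/24, local policy address
# 171.11.120.21, remote peer 171.11.153.20.

# 1. Translate LAN sources to the policy address, only for traffic to the peer.
#    place-before=0 puts it above masquerade: srcnat rules are evaluated in
#    order and the first matching action wins, so a masquerade rule above it
#    would rewrite the source to the WAN address and the IPsec policy
#    (src-address=171.11.120.21/32) would never match.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=171.11.153.20 \
    action=src-nat to-addresses=171.11.120.21 place-before=0 \
    comment="LAN -> IPsec peer via policy address"

# 2. Defensive: stop the generic masquerade from touching packets that
#    already have an outbound IPsec policy (harmless if rule 1 matched first).
/ip firewall nat
set [find action=masquerade out-interface=ether1] ipsec-policy=out,none

# 3. Forward filter: if the forward chain drops by default, accept only the
#    traffic that really travelled inside the tunnel (matched by policy), so
#    nothing else from the 171.11.0.0/16 side reaches the LAN unencrypted.
#    Reply packets are de-NATed by connection tracking before forward, so the
#    inbound rule matches on the peer source address only.
/ip firewall filter
add chain=forward ipsec-policy=in,ipsec src-address=171.11.153.20 \
    action=accept comment="from IPsec peer"
add chain=forward ipsec-policy=out,ipsec dst-address=171.11.153.20 \
    action=accept comment="to IPsec peer"

# 4. Verify: phase-2 SAs installed, NAT counters rising, connections
#    tracked with the peer as destination.
/ip ipsec installed-sa print
/ip firewall nat print stats where comment~"IPsec"
/ip firewall connection print where dst-address~"171.11.153.20"
```

If the NAT counters rise but no SA appears, the policy selector is not matching the translated packet; compare the src-address printed by /ip ipsec policy print with the to-addresses value.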