NAT before IPsec VPN routing

Hi, I have a VPN over IPsec and need to do source NAT before routing to the IPsec VPN.

The problem with this VPN is that the encryption domain that my provider gave us is different from our network, so I need to create some NAT rules to send the traffic over the correct encryption domain that they gave us.

My network diagram is:

          192.168.20.1    190.45.33.4                                   170.23.232.10
Lan ------------------ Fw ------------------ Internet ------------------ FW provider ------ Lan
192.168.20.0/24 ether6    ether2                                                      10.42.92.0/22

Our encryption domain is 10.80.63.155/32 and my provider's is 10.42.92.0/22.

I need all traffic that originates from LAN 192.168.20.0/24 and has destination 10.42.92.0/22 to be sent over the IPsec VPN with IP 10.80.63.155.

My VPN setup is:

# Phase 2 proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=1d name=M-ipsec

# Provider gateway (phase 1 peer)
/ip ipsec peer
add address=170.23.232.10/32 enc-algorithm=3des local-address=190.45.33.4 secret="XXXX"

# Selectors: our encryption domain -> provider encryption domain
/ip ipsec policy
add dst-address=10.42.92.0/22 proposal=M-ipsec sa-dst-address=170.23.232.10 \
    sa-src-address=190.45.33.4 src-address=10.80.63.155/32 tunnel=yes

The NAT that I believe works to send the traffic is:

/ip firewall nat
# LAN -> provider traffic leaves with source 10.80.63.155
add action=src-nat chain=srcnat dst-address=10.42.92.0/22 log=yes log-prefix="NAT VPN: " out-interface=ether2 \
    src-address=192.168.20.0/24 to-addresses=10.80.63.155

# Traffic addressed to 10.80.63.155 is forwarded to 192.168.20.10
add action=dst-nat chain=dstnat dst-address=10.80.63.155 to-addresses=192.168.20.10

What is your opinion? it’s work.

Please give your comments.
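An added example, not part of the original post and not MikroTik code: a small Python model of the ordering the setup above depends on, where src-nat rewrites the source address before the IPsec policy selectors are checked. The addresses are the ones in the post; the function names and the masquerade-style rule are assumptions for illustration, and the model goes slightly beyond the post by showing that a broader NAT rule placed first makes the traffic miss the policy and leave unencrypted.

```python
import ipaddress as ip

# Addresses taken from the post
LAN = ip.ip_network("192.168.20.0/24")
REMOTE = ip.ip_network("10.42.92.0/22")
ANY = ip.ip_network("0.0.0.0/0")
# IPsec policy selectors: src-address, dst-address
POLICY = (ip.ip_network("10.80.63.155/32"), REMOTE)

# NAT rules as (src match, dst match, to-address)
VPN_NAT = (LAN, REMOTE, ip.ip_address("10.80.63.155"))
# Hypothetical rule (not in the post): generic masquerade to the WAN address
MASQ = (LAN, ANY, ip.ip_address("190.45.33.4"))


def srcnat(src, dst, rules):
    """Return the source after the first matching src-nat rule (first match wins)."""
    for match_src, match_dst, to_addr in rules:
        if src in match_src and dst in match_dst:
            return to_addr
    return src


def policy_matches(src, dst, policy=POLICY):
    """True when the packet falls inside both IPsec policy selectors."""
    return src in policy[0] and dst in policy[1]


def egress(src, dst, rules):
    """Model one outgoing packet: src-nat first, then the IPsec policy check."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    natted = srcnat(src, dst, rules)
    verdict = "ipsec" if policy_matches(natted, dst) else "cleartext"
    return str(natted), verdict


if __name__ == "__main__":
    cases = {
        "no NAT": [],
        "VPN rule only": [VPN_NAT],
        "masquerade first": [MASQ, VPN_NAT],
        "VPN rule first": [VPN_NAT, MASQ],
    }
    for name, rules in cases.items():
        print(f"{name:17} ->", egress("192.168.20.10", "10.42.92.5", rules))
```

A "cleartext" verdict for a 10.42.92.0/22 destination means the packet would be routed out ether2 without encryption, so the VPN src-nat rule has to sit above any broader NAT rule.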

Solved. :slight_smile:

How did you solve it then?

I have the same problem.

How did you solve it?