If you’re going to source NAT to a single IP you’ll want to use MASQUERADE for PAT with multiple possible source addresses.
If you want to NAT 1:1 dynamically all of the IPs in 10.0.0.0/24 to IPs from say 10.114.0.0/24, then change the to-addresses to 10.114.0.0/24 and leave the action as SRCNAT.
Janis would disagree with that - In his entertaining “common ROS configuration mistakes” presentation at MUM events, he states that MASQUERADE is intended for dynamic IP interfaces, for the most part.
If you want to do 1:1 NAT, then I would say that action=netmap is probably the best choice, as it’s stateless and breaks less stuff than stateful NAT does. (Of course this requires 2 netmap rules because you need to also do a dstnat chain NETMAP action as well.)
In general, I’d say that the thing probably standing in the way is the policy configuration where the traffic selectors need to know the post-NAT src IP used for tunnel encapsulation. If you do srcnat on traffic that should be tunneled in IPSEC, then you need to select after srcnat because encapsulation happens after srcnat (see the ROSv6 packet flow diagram).
Not 1:1, but hiding behind 1 ip should be fine.
Masquerade will probably not work anyway because you can’t select the VPN as an interface.
Btw, I’m at the site I’m connecting to and notice now my packets are correctly source NAT-ted and transported over the VPN. The problem is probably on the way back: it’s not translated back or routed back.
I’ve tried changing the NAT IP to 10.114.0.1 (because this is an IP on the MikroTik itself). Didn’t do the trick.
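
The two points made earlier in the thread (netmap as a stateless 1:1 mapping that needs a rule in each direction, and IPsec traffic selectors having to match the post-srcnat source) can be checked with a small model. This is an added example, not code from any poster and not RouterOS itself; the remote subnet 192.0.2.0/24 and all function names are constructed for illustration.

```python
import ipaddress

LAN = "10.0.0.0/24"        # pre-NAT subnet from the thread
MAPPED = "10.114.0.0/24"   # post-NAT subnet from the thread
REMOTE = "192.0.2.0/24"    # constructed placeholder for the far side of the tunnel


def netmap(addr, from_net, to_net):
    """Stateless 1:1 mapping: replace the network prefix, keep the host bits."""
    addr = ipaddress.ip_address(addr)
    from_net = ipaddress.ip_network(from_net)
    to_net = ipaddress.ip_network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs equal prefix lengths on both sides")
    if addr not in from_net:
        return addr  # rule does not match, address is left untouched
    host_bits = int(addr) & int(from_net.hostmask)
    return ipaddress.ip_address(int(to_net.network_address) | host_bits)


def policy_matches(src, dst, sel_src, sel_dst):
    """Model of an IPsec traffic selector: both addresses must fall in range."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(sel_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(sel_dst))


def outbound(src, dst, selector_src):
    """srcnat is applied first; the policy lookup then sees the translated source."""
    post_nat = netmap(src, LAN, MAPPED)
    return str(post_nat), policy_matches(post_nat, dst, selector_src, REMOTE)


def inbound(dst):
    """Return path in this model: the dstnat netmap rule restores the LAN address."""
    return str(netmap(dst, MAPPED, LAN))


if __name__ == "__main__":
    # Selector written for the pre-NAT subnet: the packet is not tunneled.
    print(outbound("10.0.0.25", "192.0.2.10", LAN))
    # Selector written for the post-NAT subnet: the packet matches the policy.
    print(outbound("10.0.0.25", "192.0.2.10", MAPPED))
    # Reply addressed to the mapped IP is translated back by the second rule.
    print(inbound("10.114.0.25"))
```
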