Greetings
I have to deal with a problem I can’t handle.
Problem… I have two routers: Router 1 and Router 2.
I set up IPsec between the routers using the materials at http://gregsowell.com/?p=787
But I created new networks on different ports.
What must I do, and how, to get access between those networks?
Configuration of Router 1:
/ip firewall nat
add action=accept chain=srcnat comment="IPSec" \
disabled=no dst-address=192.168.0.0/16 src-address=192.168.2.0/24
/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=\
obey secret="passwd" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 \
src-address=192.168.2.0/24 src-port=any tunnel=yes
Configuration of Router 2:
/ip firewall nat
add action=accept chain=srcnat comment=\
"IPSec" disabled=no dst-address=\
192.168.0.0/16 src-address=192.168.1.0/24
/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 proposal-check=\
obey secret="passwd" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 \
src-address=192.168.1.0/24 src-port=any tunnel=yes
I want to access 192.168.1.0/24, 192.168.100.0/24 and 192.168.101.0/24 on Router 1 from 192.168.2.0/24 and 192.168.102.0/24 on Router 2, in both directions. How do I deal with that?
