No traffic thru IPSEC Tunnel with Netmap

I’ve configured an IPsec tunnel with a remote site. My site is using a CRS109-8G-1S-2HnD, current version 6.41.2, and the far site is using a Cisco ASA5520.
The far site is requiring that we NAT our entire subnet to be compatible with their network. So I have an established IPsec tunnel, and I’ve created some firewall rules to handle the netmap.

My network is 192.168.1.0/24
Far site is 172.20.20.0/24
I’m netmapping my network to 10.250.250.0/24 thru the tunnel.

The IPsec tunnel is working / established, but I’m not able to ping anything on the far site, and they are not able to ping us / connect to the server.
These are my current firewall rules:
rule0 /ip firewall nat chain=dstnat dst-address=10.250.250.0/24 src-address=172.20.20.0/24 action=netmap to-addresses=192.168.1.0/24
rule1 /ip firewall nat chain=srcnat dst-address=172.20.200.0/24 src-address=192.168.1.0/24 action=netmap to-addresses=10.250.250.0/24
( rule3 /ip firewall nat chain=srcnat action=masquerade out-interface=ether1 )

I’m not seeing any traffic / bytes on the rule counters. Again can’t ping / connect to anything through the tunnel. Am I missing something? I’ve created a route to 172.20.20.0/24 gateway=ether1 distance=1.

There is a lot to miss in IPsec configuration. Starting from the fact that “IPsec tunnel” may mean both IPsec policy in tunnel mode (which “steals” packets after they have been already routed completely and are just about to be physically sent out) and IPsec policy matching only on packets of a tunnelling protocol such as GRE or IPIP (which is terminated on a virtual interface so routing is done the “normal” way, via that interface).

Check that you haven’t disabled connection tracking for the packets you wish to netmap - NAT is part of connection tracking.

If this is not the case, please provide the output of “/export hide-sensitive” after systematically replacing any public IP address you don’t want to disclose with a unique pattern such as a.a.a.a. And the IPsec settings at Cisco end would be helpful too if you can get them, just to check that the tunnel itself can do what you expect.

That was precisely what was happening. As I was prepping the output of /export hide-sensitive, I came across an old (and obviously overlooked) security filter rule. I was like, “WTH... that’s never going to work!”

The export command is pretty useful!

Thank you sir!
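As an added illustration (not configuration from either poster) of how the pieces named in the reply fit together on RouterOS 6.41, using the three subnets from the question: connection tracking enabled, netmap rules whose translated range is what the tunnel-mode policy matches, a forward accept placed above any old drop, and the print commands used to check where packets stop. PUBLIC_WAN_IP, PEER_PUBLIC_IP, the proposal name and ether1 are assumed placeholders.

```routeros
# Added example: netmap behind an IPsec tunnel-mode policy on RouterOS 6.41.
# Subnets are the ones from the question; PUBLIC_WAN_IP, PEER_PUBLIC_IP,
# the proposal name and ether1 are assumed placeholders, not from the thread.

# 1. NAT is performed by connection tracking, so it must not be disabled.
/ip firewall connection tracking set enabled=auto

# 2. Translate our LAN to the agreed range on the way out, and back on the way in.
#    srcnat runs before the IPsec policy is consulted, so the policy in step 3
#    must match the translated 10.250.250.0/24, not 192.168.1.0/24.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=172.20.20.0/24 \
    action=netmap to-addresses=10.250.250.0/24 comment="LAN -> ASA site"
add chain=dstnat src-address=172.20.20.0/24 dst-address=10.250.250.0/24 \
    action=netmap to-addresses=192.168.1.0/24 comment="ASA site -> LAN"
# Keep the general masquerade below the netmap rules and exclude tunnel traffic,
# otherwise it is rewritten to the WAN address before the policy sees it.
add chain=srcnat out-interface=ether1 ipsec-policy=out,none action=masquerade

# 3. The tunnel-mode policy, expressed in the translated addresses.
/ip ipsec policy
add src-address=10.250.250.0/24 dst-address=172.20.20.0/24 tunnel=yes \
    sa-src-address=PUBLIC_WAN_IP sa-dst-address=PEER_PUBLIC_IP \
    proposal=asa-proposal

# 4. Filter rules run before srcnat: a forgotten drop in the forward chain
#    discards our outbound packets and leaves the srcnat counter at zero,
#    which is the symptom in the question. Accept both directions above it.
/ip firewall filter
add chain=forward src-address=192.168.1.0/24 dst-address=172.20.20.0/24 \
    action=accept place-before=0 comment="to ASA site"
add chain=forward src-address=172.20.20.0/24 dst-address=192.168.1.0/24 \
    action=accept place-before=0 comment="from ASA site"

# 5. Checks while pinging a far-site host: the accept and netmap counters
#    should increase, and the policy should show an installed SA pair.
/ip firewall filter print stats where comment~"ASA"
/ip firewall nat print stats where comment~"ASA"
/ip ipsec policy print
/ip ipsec installed-sa print
```

If the filter counters move but the NAT counters do not, look at rule order in /ip firewall nat; if neither moves, the packets are being dropped or routed elsewhere before reaching the forward chain.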