One to One NAT

Hello,

We have this scenario: we want to establish an IPsec connection, but our internal subnet is also the same on the opposite side (e.g. 192.168.0.0/24). Unfortunately we can't change our subnet.
I have seen in other routers that you create a virtual subnet, and the incoming traffic is forwarded to the internal subnet. Is it possible in MikroTik? (e.g. 192.168.11.0/24 → 192.168.0.0/24).
And also the opposite side of the IPsec tunnel should see the traffic coming from 192.168.11.0/24 instead of 192.168.0.0/24.

If you control both ends, you can say that the virtual network for your side is 192.168.11.0/24 and the remote one is 192.168.12.0/24, then on your router do this:

/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.12.0/24 action=netmap to-addresses=192.168.11.0/24
add chain=dstnat src-address=192.168.12.0/24 dst-address=192.168.11.0/24 action=netmap to-addresses=192.168.0.0/24

And the opposite (swap 11 and 12) on the remote one. In case you can't do anything with the remote side, it's probably still possible, but slightly more difficult.

Thank you for your reply. The remote doesn’t want to create a Virtual Network. Is it okay to do it only on our side?

/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=10.200.120.0/24 action=netmap to-addresses=192.168.11.0/24

The map is as follows:

Our Company
Local Network: 192.168.0.0/24

Remote Company
Local Network: 10.200.120.0/24
DMZ Network: 192.168.0.0/24

The IPsec VPN should be established between the Local Networks. Since the Remote company also has the same subnet in their router, they asked us to use a Virtual Network for the VPN.

If you don't need to communicate with the remote 192.168.0.0/24, then it's easy, you can forget that it's there. Just replace 192.168.12.0/24 in my example with 10.200.120.0/24 (you need both rules) and create a policy for 192.168.11.0/24 ↔ 10.200.120.0/24.
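To make it easier to check what the two rule sets in this thread actually do to a packet, here is an added Python simulation of `action=netmap` (it is not RouterOS code and not from any poster). It models netmap as a 1:1 mapping that keeps the host bits and swaps the network bits, applies `dstnat` before `srcnat` on each router the packet passes (the prerouting/postrouting order in RouterOS), and walks a request and its reply through both the two-sided setup (192.168.11.0/24 and 192.168.12.0/24) and the one-sided setup against 10.200.120.0/24. The host addresses used (.5, .7, .9) are constructed sample values; the final helper shows which addresses the IPsec policy must be written for, namely the ones seen on the wire after translation.

```python
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass(frozen=True)
class NetmapRule:
    """One 'add chain=... action=netmap' line from /ip firewall nat."""
    chain: str      # "srcnat" or "dstnat"
    src: IPNet      # src-address
    dst: IPNet      # dst-address
    to: IPNet       # to-addresses


def rule(chain: str, src: str, dst: str, to: str) -> NetmapRule:
    return NetmapRule(chain, IPNet(src), IPNet(dst), IPNet(to))


def netmap(addr: IPAddr, from_net: IPNet, to_net: IPNet) -> IPAddr:
    """1:1 mapping: keep the host bits of addr, replace the network bits."""
    assert from_net.prefixlen == to_net.prefixlen, "netmap needs equal-sized ranges"
    host_bits = int(addr) & int(from_net.hostmask)
    return IPAddr(int(to_net.network_address) | host_bits)


def apply_chain(rules, chain: str, src: IPAddr, dst: IPAddr):
    """First matching rule in the chain wins, as in the RouterOS firewall."""
    for r in rules:
        if r.chain == chain and src in r.src and dst in r.dst:
            if chain == "srcnat":
                return netmap(src, r.src, r.to), dst
            return src, netmap(dst, r.dst, r.to)
    return src, dst


def traverse(tx_rules, rx_rules, src: str, dst: str):
    """Send one packet: sender's router (dstnat then srcnat), then the
    receiver's router (dstnat then srcnat). Returns (on_wire, delivered)."""
    s, d = IPAddr(src), IPAddr(dst)
    s, d = apply_chain(tx_rules, "dstnat", s, d)
    s, d = apply_chain(tx_rules, "srcnat", s, d)
    on_wire = (str(s), str(d))          # what the IPsec policy sees
    s, d = apply_chain(rx_rules, "dstnat", s, d)
    s, d = apply_chain(rx_rules, "srcnat", s, d)
    return on_wire, (str(s), str(d))


# Two-sided setup from the first reply: our side is virtual 192.168.11.0/24,
# remote side is virtual 192.168.12.0/24, both real LANs are 192.168.0.0/24.
OUR_TWO_SIDED = [
    rule("srcnat", "192.168.0.0/24", "192.168.12.0/24", "192.168.11.0/24"),
    rule("dstnat", "192.168.12.0/24", "192.168.11.0/24", "192.168.0.0/24"),
]
REMOTE_TWO_SIDED = [                   # same rules with 11 and 12 swapped
    rule("srcnat", "192.168.0.0/24", "192.168.11.0/24", "192.168.12.0/24"),
    rule("dstnat", "192.168.11.0/24", "192.168.12.0/24", "192.168.0.0/24"),
]

# One-sided setup from the last reply: only our router translates, remote
# LAN is really 10.200.120.0/24 and has no NAT rules at all.
OUR_ONE_SIDED = [
    rule("srcnat", "192.168.0.0/24", "10.200.120.0/24", "192.168.11.0/24"),
    rule("dstnat", "10.200.120.0/24", "192.168.11.0/24", "192.168.0.0/24"),
]
REMOTE_ONE_SIDED = []


def two_sided_roundtrip():
    """Request from our host .5 to remote host .7 (addressed via the remote
    virtual range) and the reply back. Constructed sample hosts."""
    req = traverse(OUR_TWO_SIDED, REMOTE_TWO_SIDED, "192.168.0.5", "192.168.12.7")
    rep = traverse(REMOTE_TWO_SIDED, OUR_TWO_SIDED, "192.168.0.7", "192.168.11.5")
    return req, rep


def one_sided_roundtrip():
    """Request from our host .5 to remote host 10.200.120.9 and its reply."""
    req = traverse(OUR_ONE_SIDED, REMOTE_ONE_SIDED, "192.168.0.5", "10.200.120.9")
    rep = traverse(REMOTE_ONE_SIDED, OUR_ONE_SIDED, "10.200.120.9", "192.168.11.5")
    return req, rep


def policy_selects(policy_src: str, policy_dst: str, on_wire) -> bool:
    """Would an IPsec policy src-address=policy_src dst-address=policy_dst
    match the post-NAT packet? (Policies must use the translated ranges.)"""
    s, d = IPAddr(on_wire[0]), IPAddr(on_wire[1])
    return s in IPNet(policy_src) and d in IPNet(policy_dst)


if __name__ == "__main__":
    for name, trip in (("two-sided", two_sided_roundtrip()),
                       ("one-sided", one_sided_roundtrip())):
        (req_wire, req_deliv), (rep_wire, rep_deliv) = trip
        print(f"{name}: request on wire {req_wire} -> delivered {req_deliv}")
        print(f"{name}: reply   on wire {rep_wire} -> delivered {rep_deliv}")
```

Running it shows why both rules are needed: `srcnat` alone rewrites the outgoing source, but without the matching `dstnat` the replies addressed to 192.168.11.x would never be turned back into 192.168.0.x. It also shows that the IPsec policy must select 192.168.11.0/24 on our side (the on-wire address), not 192.168.0.0/24.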