Hi guys,
Does a packet, after decryption, go through the routing decision, or is it sent directly to the forward facility?
The configuration is as follows:
On my local side there is the 192.168.1.0/24 subnet; at our customer there is the 192.168.2.0/24 subnet.
IP 192.168.1.100 is src-nat translated to 10.5.5.1/32; at the customer they have a translation of 192.168.2.150 to 10.6.6.50/32.
In IPsec I have a policy which encrypts 10.5.5.1/32 → 10.6.6.50/32.
IPsec is working OK. Both phases are established.
So, to establish communication from the customer host to my host, I have a dst-nat rule which does dst-nat from 10.5.5.1 → 192.168.1.100.
The question is: is a packet which comes from the IPsec tunnel sent, after decryption, to the routing decision, where dst-nat is performed, or is it sent directly to the forward facility…?
I would like to be sure whether I am missing something, or whether the guy on the other side does not know how to do NAT translation… On the customer side there is a Draytek, so there I don't have the debugging capabilities of a Mikrotik…
My conf:
ip firewall nat print
chain=srcnat action=src-nat to-addresses=10.5.5.1 src-address=192.168.1.100 dst-address=10.6.6.50 log=no log-prefix="bla___"
chain=dstnat action=dst-nat to-addresses=192.168.1.100 src-address=10.6.6.50 dst-address=10.5.5.1 log=no log-prefix="bla___"
ip ipsec policy print
src-address=10.5.5.1/32 src-port=any dst-address=10.6.6.50/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x sa-dst-address=y.y.y.y proposal=foo ph2-count=1
