NAT problem

Hello everyone,

I’m getting the SSL error "failed to connect" with Capsule VPN. I have a CP 3600 behind a MikroTik router, and I’ve created a NAT rule on the MikroTik to redirect port 10.10.11.2:443 (public IP) to port 10.10.10.1:443 (LAN IP) on the CP. When the destination address (10.10.11.2) is specified in the MikroTik’s NAT rule, some web pages are not displayed and the remote VPN works normally. But when it is not specified, the web pages are displayed but the remote VPN no longer works. Do you have any ideas? I’m thinking of a conflict on the port, but how can I resolve it?

Thanks


What do you mean by “When the destination address (10.10.11.2) is specified in the microtik’s NAT rule, some web pages are not displayed” … which web pages, where are they hosted?

Just to clarify: you are setting dst-address=10.10.11.2 on DST-NAT rule? What if you set in-interface= instead?

In the NAT rule (General tab), if I select dst-address=160.X.X.X (public IP) and Dst. Port=443, then in Action (action: dst-nat) To Addresses: 172.X.X.X (IP of the Check Point firewall) and To Ports: 443, the web pages display in the browsers. But if I leave dst-address= empty (public IP) and Dst. Port=443, the VPN works but the web pages don’t work.

Sorry, I don’t know how to attach an image to this forum.

The problem is this: the DST-NAT rule is evaluated for every packet[*] passing the router in any direction. Which means that packets for connections originating in the LAN and targeting the internet will also trigger NAT rule evaluation. It’s then the selecting properties of each NAT rule that narrow down the selection of packets which need execution of a rule.
To be more concrete: DST-NAT should only be performed on packets which ingress the router from the internet[**] and are targeting TCP port 443. Packets which ingress the router from the LAN and are targeting internet servers should definitely bypass the DST-NAT rule.


[*] Actually it’s not every packet, things are a bit optimized.

[**] There are a few ways to match only packets which should trigger the DST-NAT rule. One is to match on dst-address (it should be the router’s WAN IP address), another one is to match on the input interface (it should be the WAN interface). Both options have variants with “-list”, which match on address list membership or interface list membership. Each of the two options (dst address, input interface) has its own good and bad sides; the default ROS setup works with an interface list as it offers the highest flexibility (but is not without drawbacks).
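To show the difference between the over-broad rule and the two narrowing options described in this reply, here is an added RouterOS CLI example that is not from the original thread. The addresses 160.X.X.X (WAN IP) and 172.X.X.X (Check Point) are placeholders taken from the poster’s description, the interface name ether1 is an assumption, and the interface list WAN is the one the default RouterOS configuration creates.

```routeros
# BROAD RULE (what breaks LAN browsing): no ingress match at all, so any TCP/443
# packet, including LAN clients' outbound HTTPS to internet servers, is rewritten
# to the Check Point firewall.  Shown only to contrast; do not keep it.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=172.X.X.X to-ports=443 \
    comment="TOO BROAD: also catches LAN->internet 443"

# OPTION 1: match on the router's own WAN address (placeholder 160.X.X.X).
# Only packets addressed to the public IP are redirected; LAN->internet
# traffic has a different dst-address and falls through untouched.
/ip firewall nat
add chain=dstnat dst-address=160.X.X.X protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=172.X.X.X to-ports=443 \
    comment="Check Point HTTPS/VPN via WAN address"

# OPTION 2: match on the ingress interface list instead (default ROS layout).
# ether1 is assumed to be the internet-facing port; WAN is the default list.
/interface list member
add list=WAN interface=ether1
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=172.X.X.X to-ports=443 \
    comment="Check Point HTTPS/VPN via WAN interface list"

# Keep exactly one of the two narrowed rules and remove the broad one;
# rules are evaluated in order, so a broad rule above a narrow one still wins.
/ip firewall nat
remove [find comment~"TOO BROAD"]
```

Option 2 keeps working if the public IP changes (e.g. a dynamic WAN address), while option 1 must be updated whenever the WAN IP changes.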