[SOLVED] Source NAT across a VPN

noven · July 5, 2010, 4:36am

I have a reasonably complex routing requirement. I’ve made it work on Cisco, I’ve made it work on Snapgear but I can’t nut it out on Mikrotik.

Side A (source) has public IP address XXX.XXX.XXX.XXX and private LAN AAA.AAA.AAA.AAA/24 . Side B (destination) has public IP YYY.YYY.YYY.YYY and private LAN BBB.BBB.BBB.BBB/24. Now for the tricky part… destination needs all traffic to BBB.BBB.BBB.BBB/24 to come from source CCC.CCC.CCC.CCC/32.

Here’s what I’ve done so far…

/ip ipsec peer print
address=YYY.YYY.YYY.YYY/32:500 auth-method=pre-shared-key
secret=“strongpass” generate-policy=yes exchange-mode=aggressive
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=30s dpd-maximum-failures=5

/ip firewall nat print
chain=srcnat action=src-nat to-addresses=CCC.CCC.CCC.CCC
dst-address=BBB.BBB.BBB.BBB/24

IPsec tunnel connects phase 1 but phase 2 expires immediately. What else would be needed to achieve this goal? I can post a working cisco config if that would help.

What else is needed to achieve this outcome?

mcb · July 5, 2010, 6:55am

Had similar problem with Mikrotik and D-Link. Solved partialy by using SH1 instead of MD5. Tunnel was establishing
Still I couldn’t access Dlinks LAN from Mikrotik, luckily the needs where to access Mikrotiks LAN from D-Links subnet
Then solved it very simply - bought 2 Mikrotik routers and made a simple IPIP tunnel

fewi · July 5, 2010, 4:58pm

Try setting generate-policy to no and writing your own static phase two policies that select traffic from C.C.C.C/32 to B.B.B.B/24 and vice versa. The automatically generated policy can’t know about the NAT requirement.

noven · July 6, 2010, 10:22pm

Okay, I managed to get it. Create a bridge interface, desired assign source IP to it and then route across VPN from that address. The steps are:

Create IPSec peer
/ip ipsec peer print

address=YYY.YYY.YYY.YYY/32:500 auth-method=pre-shared-key
secret=“superstrongpwd” generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=30s dpd-maximum-failures=5

Create proposal
/ip ipsec proposal print
name=“Sunrise” auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=none

Create policy
/ip ipsec policy print
src-address=CCC.CCC.CCC.CCC/32:any dst-address=BBB.BBB.BBB.BBB/24:any protocol=all
action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=XXX.XXX.XXX.XXX sa-dst-address=YYY.YYY.YYY.YYY
proposal=Sunrise priority=0

Create a bridge interface
/interface bridge print
Flags: X - disabled, R - running
0 R name=“SunriseLAN” mtu=1500 l2mtu=65535 arp=proxy-arp mac-address=00:00:00:00:00:00
protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00
max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

Assign desired source IP to the interface
/ip address print
;;; Sunrise Loopback
CCC.CCC.CCC.CCC/32 CCC.CCC.CCC.CCC CCC.CCC.CCC.CCC SunriseLAN

Create a source nat rule for the LAN to the remote LAN
;;; Sunrise
chain=srcnat action=src-nat to-addresses=CCC.CCC.CCC.CCC src-address=AAA.AAA.AAA.AAA/24
dst-address=BBB.BBB.BBB.BBB out-interface=SunriseLAN ← Note out-if is the bridge
And of course the IPsec masquerade bypass rule
;;; Sunrise VPN
chain=srcnat action=accept src-address=CCC.CCC.CCC.CCC dst-address=BBB.BBB.BBB.BBB/24

All working!