Source NAT over IPsec tunnel

We have configured a CHR at Hetzner and established an IPsec tunnel with a customer. The customer requires that traffic from our network be source-NATed to an IP address they provided in their network.

Our local network is 172.16.0.0/16 with WAN IP 2.2.2.2. We need to source NAT traffic from it to 172.31.254.90. The remote network is 10.127.0.0/16 with public IP 1.1.1.1. The tunnel is up and I see the Tx packet/byte counters increasing in the IPsec peer monitoring, but the Rx counters do not increase — no traffic is coming back.

My configuration is below. As I am new to IPsec, and to combining IPsec with NAT, I would appreciate some assistance with this issue. I have looked through numerous threads on the forum but have not been able to spot the problem in my configuration.

# sep/03/2020 12:27:26 by RouterOS 6.47.3
# software id =
#
#
#
# Reviewer notes (lines starting with "#") annotate this export; the commands
# themselves are unchanged. Context from the post: CHR hosted at Hetzner,
# local network 172.16.0.0/16 behind WAN 2.2.2.2, customer network
# 10.127.0.0/16 behind 1.1.1.1, traffic towards the customer must be
# source-NATed to 172.31.254.90. Tx counters rise, Rx stays at zero.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
# ether1 is treated as the WAN/internet side by the filter and NAT rules below
# (in-interface=ether1 / out-interface=ether1); ether2 is presumably where
# 172.16.0.0/16 is attached - not visible in this export, confirm.
/ip ipsec profile
# NOTE(review): dh-group=modp1024 (DH group 2) is below current guidance for
# IKE; modp2048 or an ECP group is preferable. Both ends must agree, so change
# it together with the customer rather than unilaterally. The same group is
# also written into the default profile on the next line, which any other peer
# using the default profile would inherit.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128
# nat-traversal=no is only correct if neither endpoint is behind NAT; this
# assumes 2.2.2.2 is configured directly on ether1 - confirm. No hash-algorithm
# is shown, so the RouterOS default applies and must match the peer.
add dh-group=modp1024 enc-algorithm=aes-256 lifetime=8h name=Customer nat-traversal=no
/ip ipsec peer
add address=1.1.1.1/32 name=Customer profile=Customer
/ip ipsec proposal
# The default proposal is modified here too; harmless if no other policy uses
# it. No auth-algorithms value is shown for either proposal, so the RouterOS
# default applies - verify it matches what the customer offers.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=8h name=Customer
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/ip dhcp-client
add disabled=no interface=ether1
add disabled=no interface=ether2
/ip dns
# NOTE(review): 1.1.1.1 is also the IPsec peer address above; presumably the
# peer address is a placeholder in the post - confirm, since the input rules
# below match on src-address=1.1.1.1.
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
# Non-routable ranges, used by the "!public" drop rule in the forward chain.
# 10.0.0.0/8 and 172.16.0.0/12 cover the customer's 10.127.0.0/16 and the
# NAT address 172.31.254.90, so the accept rules for decrypted IPsec traffic
# must stay above that drop rule (they do, see the forward chain).
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
# local_network is defined but not referenced by any rule in this export.
add address=172.16.0.0/16 list=local_network
/ip firewall filter
# NOTE(review): SSH (22) and Winbox (8291) are accepted from any source on any
# interface, i.e. exposed to the internet on ether1. Consider restricting them
# to the office address used below (or an address list) and logging the rest.
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input protocol=icmp
# IKE (UDP/500), NAT-T (UDP/4500) and ESP accepted only from the customer peer.
# With nat-traversal=no in the profile, only UDP/500 and ESP are used.
add action=accept chain=input comment="IPsec with Customer" dst-port=500,4500 protocol=udp src-address=1.1.1.1
add action=accept chain=input protocol=ipsec-esp src-address=1.1.1.1
add action=accept chain=input comment="Allow all connectivity from office" src-address=84.50.246.221
# Decrypted tunnel traffic (ipsec-policy=in) is accepted here, ahead of the
# fasttrack rule - required because fasttracked packets bypass IPsec.
# The first of the three rules matches decrypted packets destined TO
# 10.127.0.0/16; with the single policy below, decrypted packets come FROM
# 10.127.0.0/16, so this rule is presumably left over - verify.
add action=accept chain=forward dst-address=10.127.0.0/16 ipsec-policy=in,ipsec log=yes log-prefix=forward-ipsec
add action=accept chain=forward dst-address=172.16.0.0/16 ipsec-policy=in,ipsec log=yes log-prefix=vpn-forward
add action=accept chain=forward ipsec-policy=in,ipsec log=yes log-prefix=vpn-forward src-address=10.127.0.0/16
# NOTE(review): there is no matching accept for the OUTBOUND direction
# (ipsec-policy=out,ipsec) before fasttrack. Once a connection towards
# 10.127.0.0/16 is established, its later packets are fasttracked and skip the
# IPsec policy lookup, so they would not be encrypted. Add, above the
# fasttrack rule:
#   add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
# These two drops rely on the ipsec-policy=in accept rules above: new
# connections initiated from 10.127.0.0/16 arrive on ether1 after decryption
# and would otherwise be dropped here (their source is also in not_in_internet).
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
# NOTE(review): the forward chain has no terminal drop; anything not matched
# above is accepted by default (only input ends in a drop). If that is not
# intended, finish forward with a logged drop as well.
add action=drop chain=input comment="Last rule in chain" log=yes
/ip firewall nat
# Source NAT towards the customer must come before masquerade, otherwise the
# traffic would be translated to 2.2.2.2 and never match the IPsec policy
# (srcnat is applied before the policy lookup). Ordering here is correct.
add action=src-nat chain=srcnat dst-address=10.127.0.0/16 log=yes log-prefix=CustomerNAT src-address=172.16.0.0/16 to-addresses=172.31.254.90
# The src-nat action above ends srcnat processing for matching packets, so this
# accept never sees them - harmless, but redundant.
add action=accept chain=srcnat dst-address=10.127.0.0/16 log=yes log-prefix="Customer NAT" src-address=172.16.0.0/16
# log=yes on masquerade logs every new outbound connection - noisy in
# production; consider removing once the tunnel issue is resolved.
add action=masquerade chain=srcnat log=yes log-prefix=out-src-nat out-interface=ether1
/ip ipsec identity
# remote-id is of type fqdn but carries an IP-looking value; since the tunnel
# is reported up, the peer evidently sends that ID. auth-method and secret are
# not shown (export hides sensitive values unless show-sensitive is used) -
# assumed pre-shared key, already configured.
add my-id=address:2.2.2.2 peer=Customer remote-id=fqdn:1.1.1.1
/ip ipsec policy
# Selector is the post-NAT source 172.31.254.90/32 <-> 10.127.0.0/16, matching
# the src-nat rule. Tx rising with Rx at zero means packets are encrypted and
# sent but nothing comes back; on this side NAT and policy are consistent, so
# the likely remaining checks are on the customer side: their selector must
# mirror this one (10.127.0.0/16 <-> 172.31.254.90/32), 172.31.254.90 must be
# routed into the tunnel there, and hosts in 10.127.0.0/16 must actually reply.
# The CustomerNAT and vpn-forward log prefixes will show whether any reply is
# ever decrypted on this router.
add dst-address=10.127.0.0/16 peer=Customer proposal=Customer sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=172.31.254.90/32 tunnel=yes
/system clock
set time-zone-name=Europe/Berlin