I don’t understand.
Why do I need a src-nat accept rule in order to get IPSec functional?
System setup explanation:
I have 2 locations, each with static IP over PPPoE initiated from an RB951. One is L2TP server, the other is L2TP client.
I connect from A to the public IP of B, this works fine.
On each RB there is a dedicated IP segment for the local network (192.168.1.0/24 and 192.168.2.0/24).
Created IPSec settings as found on various posts.
On system A
/ip ipsec peer
add address=<WAN of B> enc-algorithm=3des secret=<secret>
/ip ipsec policy
add dst-address=<lan of B> sa-dst-address=<WAN of B> src-address=<lan of A> sa-src-address=<WAN of A> tunnel=yes
On system B
/ip ipsec peer
add address=<WAN of A> enc-algorithm=3des secret=<secret>
/ip ipsec policy
add dst-address=<lan of A> sa-dst-address=<WAN of A> src-address=<lan of B> sa-src-address=<WAN of B> tunnel=yes
For both systems I have made routes
/ip route
add dst-address=<other lan> gateway=<l2tp-interface>
On the firewall NAT I have the following (on both systems)
/ip firewall nat
add chain=srcnat action=masquerade src-address=<local LAN> out-interface=PPPoE-out
Why do I need an additional rule like this? (seen from system A)
/ip firewall nat
add chain=srcnat action=accept src-address= dst-address=
As far as I know the masquerading rule “should” not catch the outgoing traffic towards the other side of the tunnel, because it is not exiting the router over the PPPoE session.
Where is my thought going wrong?
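The general RouterOS ordering that makes such an exemption rule necessary: the srcnat chain is applied before the IPsec policy lookup, so a packet that has already been masqueraded carries the WAN address and no longer matches a policy whose src-address is the LAN prefix. The model below is an added illustration, not part of the original post or of RouterOS; it assumes a placeholder WAN address for router A and a packet whose routing decision selects PPPoE-out, and it also shows that a packet routed out a different interface is left alone by the interface-restricted masquerade rule.

```python
"""Constructed model of RouterOS srcnat ordering versus IPsec policy matching.
The srcnat chain is walked top-down before the IPsec policy lookup, so an
'accept' rule for LAN-to-LAN traffic must sit above 'masquerade'
(e.g. /ip firewall nat add ... place-before=0 on RouterOS)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN_A = ip_network("192.168.1.0/24")          # LAN behind router A (from the post)
LAN_B = ip_network("192.168.2.0/24")          # LAN behind router B (from the post)
WAN_A = ip_address("198.51.100.10")           # placeholder public IP of router A


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str      # interface chosen by the routing decision


def srcnat_chain(pkt, rules):
    """Walk the srcnat chain; the first matching terminal rule decides."""
    for rule in rules:
        if rule.get("src") is not None and ip_address(pkt.src) not in rule["src"]:
            continue
        if rule.get("dst") is not None and ip_address(pkt.dst) not in rule["dst"]:
            continue
        if rule.get("out_iface") is not None and rule["out_iface"] != pkt.out_iface:
            continue
        if rule["action"] == "accept":        # exempt from any further NAT
            return pkt
        if rule["action"] == "masquerade":    # rewrite source to egress address
            return replace(pkt, src=str(WAN_A))
    return pkt                                # no rule matched: unchanged


def ipsec_policy_matches(pkt, src_net, dst_net):
    """IPsec policy selector: src-address=<lan A> dst-address=<lan B>."""
    return ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net


# The two rules from the post, as constructed rule dictionaries.
MASQ = {"action": "masquerade", "src": LAN_A, "out_iface": "PPPoE-out"}
BYPASS = {"action": "accept", "src": LAN_A, "dst": LAN_B}


def reaches_tunnel(pkt, rules):
    """True if the packet still matches the LAN-A-to-LAN-B policy after srcnat."""
    return ipsec_policy_matches(srcnat_chain(pkt, rules), LAN_A, LAN_B)
```

Run `reaches_tunnel(Packet("192.168.1.20", "192.168.2.30", "PPPoE-out"), [MASQ])` against `[BYPASS, MASQ]` to see the difference the rule order makes.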