I made a standard IPsec tunnel.
The tunnel is in the Established state.
The router sends packets from one subnet to the other out to the Internet, not into the tunnel (I checked with tracert). The same happens in the other direction.
FastTrack and FastPath are disabled.
How can that be? I thought I had made a mistake somewhere, double-checked everything, deleted the tunnel and re-created it. Same result.
There are masquerade rules in the NAT of both routers; they are above the standard ones.
chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""
In the second router it’s the other way around:
chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
Why is it sending packets to the Internet without knowing anything about the tunnel?
Not enough information (see my automatic signature below), but in the typical case where the IPsec policy is a tunnel (not transport) one and says src-address=192.168.1.0/24 dst-address=192.168.10.0/24 on the first router, you have to prevent connections from 192.168.1.0/24 to 192.168.10.0/24 from getting src-nated (masqueraded) to an address outside the 192.168.1.0/24 range. I.e. your rules in chain srcnat should have action=accept rather than action=masquerade.
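To make the mechanism in the answer concrete, here is an added example (not from either poster, not RouterOS code) that models the order the reply relies on: the srcnat chain rewrites the source address first, and only then is the post-NAT packet compared against the tunnel-mode policy selector. The rule lists mirror the two orderings discussed above; the WAN address 203.0.113.10 and the policy selector are constructed assumptions for the model.

```python
"""Model of how a srcnat chain interacts with an IPsec tunnel-mode policy selector.

Added illustration, not RouterOS code. It assumes (as the answer does) that
source NAT is applied before the IPsec policy lookup on the outgoing packet.
"""
import ipaddress

# Constructed addressing, matching the subnets in the question.
LAN_A = ipaddress.ip_network("192.168.1.0/24")
LAN_B = ipaddress.ip_network("192.168.10.0/24")
WAN_A = ipaddress.ip_address("203.0.113.10")  # constructed public address of router A

# Assumed tunnel-mode policy on router A: protect LAN_A -> LAN_B traffic.
IPSEC_POLICY = {"src": LAN_A, "dst": LAN_B}


def in_net(addr, net):
    """A rule matcher that is absent (None) matches any address."""
    return net is None or ipaddress.ip_address(addr) in net


def run_srcnat(rules, src, dst):
    """First matching rule in chain=srcnat wins. Returns (post-NAT src, action)."""
    for rule in rules:
        if rule["chain"] != "srcnat":
            continue
        if in_net(src, rule.get("src-address")) and in_net(dst, rule.get("dst-address")):
            if rule["action"] == "masquerade":
                return str(WAN_A), "masquerade"
            if rule["action"] == "accept":
                return src, "accept"  # accept stops NAT processing, address untouched
    return src, "none"


def egress(rules, src, dst):
    """Apply srcnat, then test the IPsec policy selector against the post-NAT packet."""
    new_src, action = run_srcnat(rules, src, dst)
    matches_policy = in_net(new_src, IPSEC_POLICY["src"]) and in_net(dst, IPSEC_POLICY["dst"])
    return {"src": new_src, "nat": action, "via": "ipsec" if matches_policy else "internet"}


# Ordering from the question: a masquerade rule for LAN_A -> LAN_B sits at the top.
BROKEN_RULES = [
    {"chain": "srcnat", "action": "masquerade", "src-address": LAN_A, "dst-address": LAN_B},
    {"chain": "srcnat", "action": "masquerade"},  # the usual catch-all to the Internet
]

# Ordering from the answer: accept the tunnel traffic before any masquerade rule.
FIXED_RULES = [
    {"chain": "srcnat", "action": "accept", "src-address": LAN_A, "dst-address": LAN_B},
    {"chain": "srcnat", "action": "masquerade"},
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, "to LAN_B:  ", egress(rules, "192.168.1.20", "192.168.10.5"))
        print(name, "to Internet:", egress(rules, "192.168.1.20", "198.51.100.1"))
```

With the broken ordering the LAN_A host leaves with the WAN address as its source, the selector no longer matches, and the packet goes out in the clear toward the Internet, which is exactly what tracert shows. With the accept rule in front, the tunnel traffic keeps its original source and is picked up by the policy, while Internet-bound traffic is still masqueraded by the catch-all rule.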