I have two sites with Mikrotik routers, Site A and Site B. The sites are interconnected through an IPIP tunnel over IPSEC.
The sites are properly connected, and Site B can access the VLANs of Site A.
At Site A, I have a policy-based IPSEC tunnel to Site C. Site A can connect to Site C, but Site B cannot connect to Site C.
On the router at Site B, the route to Site C is configured through the IPIP tunnel.
When I perform a traceroute from a host in Site B to Site C, I see that it reaches the public IP of Site A, but it does not reach the host in Site C.
The local network of the IPSEC tunnel is outside my network range, so I resolve this by using NAT.
The NAT is configured as follows:
- Chain: srcnat
- Dst Address: the remote local IPSEC network
- Action: src-nat
- To address: the local network of Site A (virtual) defined in the IPSEC tunnel
The networks in Site A use the same NAT to reach Site C.
I have used the Torch tool, and I can see ICMP traffic going through the IPIP tunnel from a host in Site B to Site C.
I see that the host from Site B passes through the firewall rule at Site A that allows the connection to Site C.
However, I do not see the srcnat rule intercepting the request from the host in Site B to Site C (the packet count does not increase).
I see that the prerouting mangle rule intercepts the request from the host in Site B to Site C (I see the packet count increasing).
With the Torch tool, I can see that the destination IP is returning the ICMP to the Source-NAT.
I am attaching a diagram of my network.
According to the connection statistics, I can see that there is a response from the IPSEC.
How can I determine if the packet is returning from Site C to Site A?
Can someone explain where the packet is being lost, where I can see it, or a possible solution?
I believe I have an issue with the return path.
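For reference, the srcnat rule described above written out in RouterOS CLI form, together with the counter, connection-tracking and SA checks that go with the symptoms in the post. This is an added example, not the poster's configuration: every subnet, the NAT address and the interface name are placeholders.

```routeros
# Added example, not the poster's config. Placeholder values:
#   10.2.0.0/24      Site B LAN (arrives at Site A over the IPIP tunnel)
#   172.16.50.0/24   Site C remote subnet
#   192.168.250.1    address in the virtual local subnet declared in the IPsec policy
#   ipip-siteB       IPIP interface toward Site B

# Source NAT toward Site C. No src-address filter, so packets coming in over the
# IPIP tunnel from Site B are eligible as well as Site A's own LANs.
# Note: NAT rules are consulted only for the first packet of a connection; later
# packets follow the connection-tracking entry, so this counter moves once per
# new connection, not once per packet.
/ip firewall nat
add chain=srcnat dst-address=172.16.50.0/24 action=src-nat \
    to-addresses=192.168.250.1 comment="NAT to IPsec virtual subnet for Site C"

# The policy is matched after src-nat, so its src-address must be the NATed
# subnet, not the real LAN ranges of Site A or Site B.
/ip ipsec policy print detail

# Did the rule match at all, and what does connection tracking hold for a
# Site B host talking to Site C (reply-dst should show the NATed address)?
/ip firewall nat print stats
/ip firewall connection print detail where src-address~"10.2.0." dst-address~"172.16.50."

# Which installed SA carried the traffic; current-bytes should grow in both
# directions if the return path works.
/ip ipsec installed-sa print

# Packet-level view: does the reply from Site C leave toward the IPIP interface?
/tool sniffer quick interface=ipip-siteB ip-address=172.16.50.0/24
```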