VPN IPSEC NAT'ing

Hi,

I’m a beginner at MikroTik configuration, so I have a request.

There is image:

This is a VPN IPsec tunnel, and I must NAT my local LAN (10.0.0.0/24) to 172.29.12.124/30.
I can’t manage the router or the servers behind the tunnel; I just need to ping the server 160.69.9.13 from a PC on my local network, for example 10.0.0.66.

At the moment I can ping 160.69.9.13 from my MikroTik router, sourcing from 10.0.0.2.
Please help me configure the RB so that I can ping from anywhere.

Here are my screenshots of the configuration I did:

That doesn’t look right. If you have tunnel mode IPSec, you don’t need any extra static routes (to 10.0.0.2 and 160.69.9.0/24).

Also 172.29.12.124 is not exactly right either, because in /30 it’s the network address. Although it should not matter here, if you’re just going to use it with NAT. In fact, you don’t necessarily need any address from that /30 assigned to your router at all. You only really need it if you want to have something pingable from the other side. And in that case I’d rather use .125 or .126. Or .124/32. But again, it probably should not cause any problems even if you keep it as you have it now.

The working config should be:

# Phase 1: the IKE peer (remote endpoint address and this router's own WAN address).
/ip ipsec peer
add address=195.x.x.x/32 local-address=193.x.x.x <other parameters>
# Phase 2: tunnel-mode policy. The traffic selector is the NAT range
# 172.29.12.124/30 (not the LAN), so no extra static routes are required.
/ip ipsec policy
add sa-src-address=193.x.x.x sa-dst-address=195.x.x.x proposal="DAF - MDI" \
    src-address=172.29.12.124/30 dst-address=160.69.9.0/24 tunnel=yes
# Translate LAN sources to 172.29.12.124 so the packets match the policy's
# src-address. This rule must be ordered above any action=accept srcnat rule
# that matches the same 10.0.0.0/24 -> 160.69.9.0/24 traffic: accept ends
# srcnat processing for the packet, and this rule would never be reached.
/ip firewall nat
add action=src-nat chain=srcnat dst-address=160.69.9.0/24 src-address=10.0.0.0/24 to-addresses=172.29.12.124

Plus maybe some filter rules to allow this traffic, but that depends on your original config. When pinging from the router, make sure you use the src-address=10.0.0.2 parameter.

By the way, rather than posting screenshots, it’s better to run “/export hide-sensitive” in the terminal and post its output.

/export hide-sensitive   
# mar/03/2017 08:56:24 by RouterOS 6.36.2
# software id = G2QZ-5JL9
#
# Review notes are added as comments only; no configuration lines are changed.
# The reported symptom (LAN hosts cannot ping 160.69.9.13) is caused in
# /ip firewall nat: an action=accept srcnat rule for 10.0.0.0/24 -> 160.69.9.0/24
# is ordered before the action=src-nat rule for the same traffic, so the
# src-nat rule is never reached.
/interface bridge
add name="bridge1-Siec Wewnetrzna"
/interface ethernet
set [ find default-name=ether1 ] name="ether1-LAN_Hangar Helikopter"
set [ find default-name=ether2 ] name="ether2-WAN FIBERLINK"
set [ find default-name=ether3 ] disabled=yes name="ether3-LAN_ G\A3\D3WNY"
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAN
/interface ipip
# NOTE(review): a plain (unencrypted) IPIP tunnel towards 160.69.9.13 sourced
# from the LAN address 10.0.0.2. ipip-tunnel1 is not referenced anywhere else
# in this export and is not part of the IPsec tunnel-mode setup below -
# confirm whether it is still needed.
add !keepalive local-address=10.0.0.2 name=ipip-tunnel1 remote-address=160.69.9.13
/ip ipsec proposal
# NOTE(review): both the default proposal and "DAF - MDI" still offer 3DES and
# MD5, which are legacy algorithms. Prefer AES with SHA-2 only, if the remote
# peer supports it.
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms=aes-256-cbc,3des lifetime=8h
add auth-algorithms=sha256,md5 enc-algorithms=aes-256-cbc,3des lifetime=5h name="DAF - MDI"
add auth-algorithms=sha512,sha256,sha1 disabled=yes enc-algorithms=3des name=Grojec
add disabled=yes name=proposal1
/ip pool
add name=dhcp_pool1 ranges=10.0.0.100-10.0.0.254
# Pool "MDI" holds the NAT range 172.29.12.124/30; no dhcp-server in this
# export uses it.
add name=MDI ranges=172.29.12.124/30
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="bridge1-Siec Wewnetrzna" lease-time=30m name=dhcp1
/interface bridge port
add bridge="bridge1-Siec Wewnetrzna" interface="ether3-LAN_ G\A3\D3WNY"
add bridge="bridge1-Siec Wewnetrzna" interface=ether4-LAN
add bridge="bridge1-Siec Wewnetrzna" interface=ether5-LAN
add bridge="bridge1-Siec Wewnetrzna" interface="ether1-LAN_Hangar Helikopter"
add bridge="bridge1-Siec Wewnetrzna" interface=sfp1
/interface pptp-server server
# NOTE(review): the PPTP server is enabled although the related "VPN - PPTP"
# address and masquerade rule further down are disabled. PPTP is a legacy VPN
# protocol; if it is no longer used, disable it here as well.
set enabled=yes
/ip address
add address=193.106.231.2/30 comment=WAN interface="ether2-WAN FIBERLINK" network=193.106.231.0
add address=10.0.0.2/24 comment=LAN interface="bridge1-Siec Wewnetrzna" network=10.0.0.0
add address=172.16.1.1/24 comment="VPN - PPTP" disabled=yes interface="bridge1-Siec Wewnetrzna" network=172.16.1.0
# 172.29.12.124/30 is only used as a NAT source range below; the router does
# not need this address assigned for that, so leaving it disabled is fine.
# (172.29.12.124 is also the network address of the /30.)
add address=172.29.12.124/30 disabled=yes interface="bridge1-Siec Wewnetrzna" network=172.29.12.124
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether4-LAN
/ip dhcp-server lease
# NOTE(review): static lease address 1.1.1.1 lies outside the 10.0.0.0/24
# network served by dhcp1 - looks like a typo, verify.
add address=1.1.1.1 mac-address=70:EE:50:1F:4E:FC server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.2 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from any
# source that reaches the input chain. The filter below only drops UDP/53
# arriving on the WAN interface; TCP/53 is not covered.
set allow-remote-requests=yes servers=10.0.0.10,8.8.8.8
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input comment=Ataki log=yes log-prefix=Atak src-address=91.224.160.106
add action=drop chain=input src-address=91.224.161.103
add action=drop chain=input src-address=74.208.185.135
# Blocks DNS from the WAN side over UDP only (see the /ip dns note above).
add action=drop chain=input dst-port=53 in-interface="ether2-WAN FIBERLINK" protocol=udp
# All per-peer ipsec-esp accepts below are disabled; the active DAF peer
# (195.109.63.7) has no input rule here and relies on the default accept.
add action=accept chain=input comment="VPN Connect" disabled=yes protocol=ipsec-esp src-address=62.133.157.51
add action=accept chain=input disabled=yes protocol=ipsec-esp src-address=217.8.188.54
add action=accept chain=input disabled=yes protocol=ipsec-esp src-address=93.113.101.168
add action=accept chain=input disabled=yes protocol=ipsec-esp src-address=5.185.95.122
add action=accept chain=input disabled=yes protocol=ipsec-esp src-address=178.18.65.110
add action=accept chain=input disabled=yes protocol=ipsec-esp src-address=46.232.133.123
add action=accept chain=input disabled=yes protocol=ipsec-esp src-address=83.18.74.74
add action=accept chain=input disabled=yes protocol=ipsec-esp src-address=192.162.92.62
add action=accept chain=input disabled=yes protocol=ipsec-esp src-address=94.42.174.50
add action=accept chain=input disabled=yes protocol=ipsec-esp src-address=5.185.75.58
# src-address-list="" is an empty matcher and has no effect.
add action=accept chain=forward connection-state=established src-address-list=""
add action=accept chain=forward connection-state=related
add action=accept chain=input disabled=yes dst-address=160.69.9.0/24 src-address=172.29.12.124/30
add action=accept chain=forward disabled=yes dst-address=172.29.12.124/30 src-address=160.69.9.0/24
add action=accept chain=forward disabled=yes dst-address=10.0.0.0/24 src-address=172.29.12.124/30
# NOTE(review): neither the input nor the forward chain ends with a drop rule,
# so, as far as this export shows, anything not matched above is accepted by
# the RouterOS default. Exposure of router services from the WAN side then
# depends on the /ip service address restrictions alone - confirm this is
# intended.
/ip firewall nat
add action=accept chain=srcnat comment="DAF HOLLAND" dst-address=160.69.9.0/24 src-address=172.29.12.124/30
add action=accept chain=srcnat dst-address=172.29.12.124/30 src-address=10.0.0.0/24
# NOTE(review): this accept rule matches exactly the traffic that the
# action=src-nat rule at the end of this chain is meant to translate
# (10.0.0.0/24 -> 160.69.9.0/24). action=accept terminates srcnat processing
# for the packet, so the src-nat rule is never reached. Remove this rule or
# move it below the src-nat rule.
add action=accept chain=srcnat dst-address=160.69.9.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=10.0.0.0/24 src-address=160.69.9.0/24
add action=accept chain=srcnat dst-address=172.29.12.124/30 src-address=160.69.9.0/24
# Exemptions from masquerade for the (currently disabled) site-to-site
# tunnels to the 192.168.x.0/24 networks.
add action=accept chain=srcnat comment="VPN connect" dst-address=192.168.1.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.3.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.4.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.8.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.9.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.44.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat dst-address=192.168.178.0/24 src-address=10.0.0.0/24
# General LAN masquerade; because it matches all of 10.0.0.0/24 it also
# catches the 160.69.9.0/24 traffic unless a rule above handles it first.
add action=masquerade chain=srcnat comment="Wewn\EAtrzna sie\E6" src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="VPN - PPTP" disabled=yes src-address=172.16.1.0/24
add action=dst-nat chain=dstnat comment="AP - Hangar - http" disabled=yes dst-port=81 in-interface="ether2-WAN FIBERLINK" protocol=tcp to-addresses=10.0.0.3 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=10.0.0.29 dst-port=8888 in-interface="ether2-WAN FIBERLINK" protocol=tcp src-address=10.0.0.2 to-addresses=10.0.0.29 to-ports=5000
add action=dst-nat chain=dstnat disabled=yes dst-address=10.0.0.13 dst-port=990 in-interface="ether2-WAN FIBERLINK" protocol=tcp src-address=10.0.0.2 to-addresses=10.0.0.13 to-ports=990
# NOTE(review): the enabled dst-nat rules below publish internal hosts
# (10.0.0.82, .81, .85, .86 and .11) on the WAN address 193.106.231.2 with no
# src-address restriction. "TERMINAL 11" in particular forwards TCP/3389
# (RDP) to 10.0.0.11 from any source; consider restricting src-address or
# reaching it over a VPN instead.
add action=dst-nat chain=dstnat comment=Rejestrator1 dst-address=193.106.231.2 dst-port=83 protocol=tcp to-addresses=10.0.0.82
add action=dst-nat chain=dstnat dst-address=193.106.231.2 dst-port=8001 protocol=tcp to-addresses=10.0.0.82
add action=dst-nat chain=dstnat comment=Rejestrator2 dst-address=193.106.231.2 dst-port=84 protocol=tcp src-port="" to-addresses=10.0.0.81
add action=dst-nat chain=dstnat dst-address=193.106.231.2 dst-port=8002 protocol=tcp to-addresses=10.0.0.81
add action=dst-nat chain=dstnat comment=Rejestrator3 dst-address=193.106.231.2 dst-port=85 protocol=tcp to-addresses=10.0.0.85
add action=dst-nat chain=dstnat dst-address=193.106.231.2 dst-port=8005 protocol=tcp to-addresses=10.0.0.85
add action=dst-nat chain=dstnat comment=Rejestrator4 dst-address=193.106.231.2 dst-port=86 protocol=tcp to-addresses=10.0.0.86
add action=dst-nat chain=dstnat dst-address=193.106.231.2 dst-port=8006 protocol=tcp to-addresses=10.0.0.86
add action=dst-nat chain=dstnat disabled=yes dst-address=10.0.0.13 dst-port=8000 in-interface="ether2-WAN FIBERLINK" protocol=tcp src-address=10.0.0.2 to-addresses=10.0.0.13 to-ports=8000
add action=dst-nat chain=dstnat disabled=yes dst-address=10.0.0.13 dst-port=21 in-interface="ether2-WAN FIBERLINK" protocol=tcp src-address=10.0.0.2 to-addresses=10.0.0.13 to-ports=21
add action=dst-nat chain=dstnat disabled=yes dst-port=2321-2324 in-interface="ether2-WAN FIBERLINK" protocol=tcp to-addresses=10.0.0.95 to-ports=2321-2324
add action=dst-nat chain=dstnat disabled=yes dst-port=5500 in-interface="ether2-WAN FIBERLINK" protocol=tcp to-addresses=10.0.0.191 to-ports=5500
add action=dst-nat chain=dstnat disabled=yes dst-port=301 in-interface="ether2-WAN FIBERLINK" protocol=tcp to-addresses=10.0.0.95 to-ports=301
add action=masquerade chain=srcnat comment="DAF NAT" disabled=yes src-address=172.29.12.124/30
add action=dst-nat chain=dstnat comment="TERMINAL 11" dst-address=193.106.231.2 dst-port=3389 protocol=tcp to-addresses=10.0.0.11
add action=masquerade chain=srcnat disabled=yes out-interface="ether2-WAN FIBERLINK"
# Disabled netmap experiments (1:1 mapping LAN <-> /30); superseded by the
# src-nat rule below.
add action=netmap chain=dstnat disabled=yes dst-address=172.29.12.124/30 to-addresses=10.0.0.0/24
add action=netmap chain=srcnat disabled=yes src-address=10.0.0.0/24 to-addresses=172.29.12.124/30
# The rule that should translate LAN -> 160.69.9.0/24 traffic to 172.29.12.124
# so it matches the IPsec policy; it only takes effect once ordered above the
# conflicting accept rule. log=yes with log-prefix=xxx is troubleshooting
# output - disable it once the tunnel works.
add action=src-nat chain=srcnat dst-address=160.69.9.0/24 log=yes log-prefix=xxx src-address=10.0.0.0/24 to-addresses=172.29.12.124
/ip ipsec peer
add address=62.133.157.52/32 comment=Trzciana disabled=yes enc-algorithm=3des local-address=0.0.0.0 nat-traversal=no
add address=217.8.188.54/32 comment="\8Cwidnik" disabled=yes enc-algorithm=3des local-address=0.0.0.0 nat-traversal=no
add address=194.28.12.174/32 comment="\8Cwidnik" disabled=yes enc-algorithm=3des generate-policy=port-override local-address=0.0.0.0
add address=93.113.101.168/32 comment="Ustro\F1" disabled=yes enc-algorithm=3des local-address=0.0.0.0 nat-traversal=no
add address=178.18.65.110/32 comment=WTS disabled=yes enc-algorithm=3des local-address=0.0.0.0 nat-traversal=no
add address=83.18.74.74/32 comment="Kazimierz\F3wka" disabled=yes enc-algorithm=3des generate-policy=port-override local-address=0.0.0.0
add address=192.162.92.62/32 comment=Sitaniec disabled=yes enc-algorithm=3des generate-policy=port-override local-address=0.0.0.0
add address=46.232.133.123/32 comment="Pu\B3ankowice" disabled=yes enc-algorithm=3des local-address=0.0.0.0 nat-traversal=no
add address=5.185.75.58/32 comment="Gr\F3jec" disabled=yes enc-algorithm=3des generate-policy=port-override local-address=0.0.0.0
# The only enabled peer (DAF). NOTE(review): phase 1 offers des and 3des with
# md5 - legacy algorithms; agree on AES/SHA-2 with the peer if it supports
# them. Two further entries for the same address 195.109.63.7 exist below
# but are disabled.
add address=195.109.63.7/32 comment=DAF enc-algorithm=aes-256,3des,des generate-policy=port-override hash-algorithm=md5 lifetime=8h nat-traversal=no
add address=195.109.63.7/32 disabled=yes enc-algorithm=3des hash-algorithm=md5 lifetime=5h local-address=0.0.0.0
add address=94.42.174.50/32 comment=Czestochowa disabled=yes enc-algorithm=3des nat-traversal=no
add address=95.50.45.2/32 comment=Trzciana disabled=yes enc-algorithm=3des local-address=0.0.0.0 nat-traversal=no
add address=5.185.95.122/32 comment="L\EAdziny" disabled=yes enc-algorithm=3des nat-traversal=no
add address=195.109.63.7/32 comment="L\EAdziny" disabled=yes enc-algorithm=3des nat-traversal=no
/ip ipsec policy
set 0 disabled=yes
# Active policy for the DAF tunnel: 172.29.12.124/30 -> 160.69.9.0/24 in
# tunnel mode; LAN traffic only matches it after the src-nat above.
# NOTE(review): level=use lets matching traffic leave unencrypted when no SA
# is established; level=require would drop it instead - confirm which
# behaviour is wanted here.
add dst-address=160.69.9.0/24 level=use proposal="DAF - MDI" sa-dst-address=195.109.63.7 sa-src-address=193.106.231.2 src-address=172.29.12.124/30 tunnel=yes
add disabled=yes dst-address=192.168.2.0/24 level=use priority=1 sa-dst-address=217.8.188.54 sa-src-address=193.106.231.2 src-address=10.0.0.0/24 tunnel=yes
add disabled=yes dst-address=192.168.1.0/24 level=use priority=2 sa-dst-address=62.133.157.51 sa-src-address=193.106.231.2 src-address=10.0.0.0/24 tunnel=yes
add disabled=yes dst-address=192.168.3.0/24 level=use priority=1 sa-dst-address=93.113.101.168 sa-src-address=193.106.231.2 src-address=10.0.0.0/24 tunnel=yes
add disabled=yes dst-address=192.168.8.0/24 level=use priority=2 sa-dst-address=46.232.133.123 sa-src-address=193.106.231.2 src-address=10.0.0.0/24 tunnel=yes
add disabled=yes dst-address=192.168.5.0/24 level=use priority=2 sa-dst-address=178.18.65.110 sa-src-address=193.106.231.2 src-address=10.0.0.0/24 tunnel=yes
add disabled=yes dst-address=192.168.44.0/24 level=use priority=1 sa-dst-address=94.42.174.50 sa-src-address=193.106.231.2 src-address=10.0.0.0/24 tunnel=yes
add disabled=yes dst-address=192.168.1.0/24 level=use priority=2 sa-dst-address=95.50.45.2 sa-src-address=193.106.231.2 src-address=10.0.0.0/24 tunnel=yes
add disabled=yes dst-address=192.168.4.0/24 level=use priority=1 sa-dst-address=5.185.95.122 sa-src-address=193.106.231.2 src-address=10.0.0.0/24 tunnel=yes
# Disabled earlier attempt that selected the LAN 10.0.0.0/24 directly instead
# of the NAT range.
add disabled=yes dst-address=160.69.9.0/24 sa-dst-address=195.109.63.7 sa-src-address=193.106.231.2 src-address=10.0.0.0/24 tunnel=yes
/ip route
# Default route via the WAN gateway.
add distance=1 gateway=193.106.231.1
# NOTE(review): a host route for the router's own LAN address 10.0.0.2 pointing
# out of the WAN interface. Tunnel-mode IPsec needs no extra static routes, so
# this entry looks like a leftover and is worth removing.
add distance=1 dst-address=10.0.0.2/32 gateway="ether2-WAN FIBERLINK"
# Disabled static route to 160.69.9.0/24 via 172.29.12.125 - likewise not
# needed with tunnel mode.
add disabled=yes distance=1 dst-address=160.69.9.0/24 gateway=172.29.12.125
/ip service
# telnet/ftp/ssh/api/api-ssl are disabled and winbox is limited by source
# address. The www service does not appear in this export, i.e. it is at its
# default (presumably enabled and unrestricted) - confirm.
set telnet disabled=yes port=3023
set ftp disabled=yes port=3021
set ssh disabled=yes port=3022
set api disabled=yes
set winbox address=10.0.0.0/24,78.133.192.30/32,217.8.188.54/32
set api-ssl disabled=yes
/ppp secret
# PPTP account that remains usable while the pptp-server above is enabled;
# review it together with that setting.
add local-address=172.16.1.1 name=test1 profile=default-encryption remote-address=172.16.1.2 service=pptp
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=WANICKI
/system logging
# ipsec topic logging is disabled; enabling it temporarily is the quickest way
# to see phase 1/2 negotiation problems with the DAF peer.
add disabled=yes topics=ipsec
/system routerboard settings
set protected-routerboot=disabled
/tool graphing interface
add
/tool graphing resource
add

OK, I tried that option, but it’s still not pinging… :confused:

The order of rules is important. You have this (i.e. a rule that tells the router to skip srcnat for this traffic):

/ip firewall nat
add action=accept chain=srcnat dst-address=160.69.9.0/24 src-address=10.0.0.0/24

Before the one that should do srcnat for you:

/ip firewall nat
add action=src-nat chain=srcnat dst-address=160.69.9.0/24 log=yes log-prefix=xxx src-address=10.0.0.0/24 to-addresses=172.29.12.124

Guess what happens – the traffic never reaches the latter rule at all.

Jesus Christ, it’s working well now, thank you very very very much!! :smiley: