VPN nat problem

Hello, I have created an L2TP VPN tunnel with IPsec between an RB2011iL (L2TP server) and a hEX PoE lite (L2TP client). My problem is that at the client side (hEX PoE lite) I have NAT, but I don't want it. At the server side (RB2011iL) I don't have NAT. The server side has the 192.168.1.0/24 network and the client side the 192.168.3.0/24 network. Here is my configuration.

 RB2011iL RouterOS 6.36
/ppp secret
add local-address=192.168.1.254 name=l2tp password=xxxxxxx profile=\
    default-encryption remote-address=192.168.1.6 service=l2tp

/ip ipsec peer
add address=192.168.1.6/24 dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des nat-traversal=\
no secret=******

/ip ipsec policy
add dst-address=192.168.3.0/24 sa-dst-address=192.168.1.6 sa-src-address=192.168.1.254 src-address=\
192.168.1.0/24 tunnel=yes

/ip route
add distance=1 dst-address=192.168.3.0/24 gateway=192.168.1.6

/ip firewall nat add chain=srcnat action=accept  place-before=0 dst-address=192.168.1.0/24 src-address=192.168.3.0/24

------------------------------------------------------------------------------
hEX PoE lite RouterOS 6.36
/interface l2tp-client
add connect-to=XXX.XXX.XXX.XXX disabled=no name=l2tp-out1 password=****** user=l2tp

/ip ipsec peer
add address=192.168.1.254 dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des \
nat-traversal=no secret=******

/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=192.168.1.254 sa-src-address=192.168.1.6 src-address=\
192.168.3.0/24 tunnel=yes

/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.254

/ip firewall nat add chain=srcnat action=accept  place-before=0 dst-address=192.168.3.0/24 src-address=192.168.1.0/24

My problem is that I don't want the NAT from the client side.

EDIT
Forgot to mention that both the server and client sides are behind an ISP router (the server side with a static IP and the client side with a dynamic one).

Sorry for my English.
Thanks for your attention and time.

I also have the following rules in the firewall on both sides:

/ip firewall filter
add action=accept chain=input comment="l2tp port 500" dst-port=500 \
    log-prefix="" protocol=udp
add action=accept chain=input comment="l2tp port 4500 nat traversal" \
    dst-port=4500 log-prefix="" protocol=udp
add action=accept chain=input comment="l2tp port 4500 nat traversal" \
    dst-port=1701 log-prefix="" protocol=udp
add action=accept chain=forward log-prefix="" protocol=ipsec-esp

Here is an image from my L2TP client:

Instead of Src. Address: 192.168.1.254, I would like to have 192.168.1.24, which is the Src. Address before the NAT. That is my problem.

Thanks.

You need to make your NAT rules a little more specific in the client router.

If the VPN creates a tunnel interface when it connects (I believe L2TP does this) then it’s pretty easy.
Make sure the srcnat chain rule with action=masquerade is configured as follows:

chain=srcnat action=masquerade out-interface=ether1-gateway
(or whatever the router’s WAN IP interface might be)

Packets which go through the VPN tunnel will not match the above rule, so they will not get translated.

However, looking through your post I do see this:

Switch the src-address and dst-address and that should fix the problem.

Thanks for your answer ZeroByte, but I have added these rules on the firewall (both for the server and the client side) and now it works:

[citystore@Flevaris] /ip firewall raw> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=notrack src-address=192.168.1.0/24 dst-address=192.168.3.0/24 

 1    chain=prerouting action=notrack src-address=192.168.3.0/24 dst-address=192.168.1.0/24

If you have a route to a bad gateway, the route will be disabled
/ip route add distance=1 dst-address=192.168.3.0/24 gateway=192.168.1.6
and traffic will go to the default gw (for 0.0.0.0/0).

You can add a restricting rule for this traffic
/ip route add distance=250 dst-address=192.168.3.0/24 type=blackhole
or type=prohibit, type=unreachable

Otherwise (with notrack or NAT exclusion) this traffic will go to the public internet with src. address 192.168.x.x. It's a bad way.
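Putting ZeroByte's interface-scoped masquerade and the blackhole route from the last reply together, here is an added client-side (hEX PoE lite) example; it is not configuration posted by anyone in this thread. The interface name ether1-gateway is taken from the answer above and the addresses from the original post; the comments and the final filter rule are assumptions added for defence in depth.

```routeros
# Client (hEX PoE lite) side: translate only traffic that really leaves via
# the WAN interface, exempt site-to-site traffic explicitly, and make sure
# that LAN traffic for the remote site is dropped rather than sent out the
# default gateway with a private source address when the tunnel is down.
# "ether1-gateway" is the WAN interface name assumed from the thread.

/ip firewall nat
# Weak form (typical cause of the problem): masquerade everything.
#   add chain=srcnat action=masquerade
# Corrected form: exemption first, then masquerade scoped to the WAN port.
add chain=srcnat action=accept src-address=192.168.3.0/24 \
    dst-address=192.168.1.0/24 comment="no NAT for site-to-site traffic"
add chain=srcnat action=masquerade out-interface=ether1-gateway \
    comment="NAT only for Internet-bound traffic"

/ip route
# Primary route through the L2TP/IPsec tunnel (from the original post).
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.254 \
    comment="remote LAN via L2TP"
# Higher-distance fallback: if the tunnel route becomes inactive, this
# route wins over 0.0.0.0/0 and discards the packets instead of leaking
# them to the ISP. type=prohibit or type=unreachable also works.
add distance=250 dst-address=192.168.1.0/24 type=blackhole \
    comment="drop remote-LAN traffic when the tunnel is down"

/ip firewall filter
# Defence in depth (assumed addition): never forward packets for the remote
# LAN out of the WAN interface, whatever the routing table says.
add chain=forward action=drop out-interface=ether1-gateway \
    dst-address=192.168.1.0/24 comment="block VPN traffic leaking to WAN"
```

The server side (RB2011iL) gets the mirror image: accept src-address=192.168.1.0/24 dst-address=192.168.3.0/24 ahead of its masquerade rule, and a distance=250 blackhole for 192.168.3.0/24.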