I've gotten pretty far by myself, but there is something I'm having trouble with. Apologies for stating the obvious in my explanations, but a clear story is easier to read :)
                            IPsec traffic                                         LAN traffic
Road warrior (2.2.2.2/32) >>>>>>>>> Mikrotik CPE (3.3.3.3/32) ------------> 192.168.100.0/24 (LAN behind CPE)
The SA is then between 2.2.2.2/32 and 3.3.3.3/32. The IPsec policy, though, can (among other options) match 0.0.0.0/0 => 192.168.1.1 as interesting traffic, as this is how things work with IPsec tunnel mode.
So I assume that encryption of the traffic destined for the road warrior (i.e. traffic destined for 192.168.1.1/32) happens before the 192.168.1.1/32 traffic is source NATted to 3.3.3.3/32. Is my assumption correct?
Now I want this converted to transport mode. Is this possible? In theory the only thing that changes is that the policy will now match 0.0.0.0/0 => 2.2.2.2/32, and that's it. But it does not seem to agree with my theory.
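As an added example (not part of the original post), the two policy shapes side by side in RouterOS CLI form, using the addresses from the diagram. It assumes RouterOS v6 syntax, an assumed WAN interface name `ether1-wan`, and that the tunnel-mode policy covers the CPE's LAN 192.168.100.0/24 towards the road warrior; peer, proposal and identity setup are left out.

```routeros
# Added example, not from the original post. Assumptions: RouterOS v6 CLI syntax,
# WAN interface named ether1-wan, CPE public 3.3.3.3, road warrior 2.2.2.2,
# LAN 192.168.100.0/24 behind the CPE. Peer/proposal/identity setup omitted.

# --- Tunnel mode: inner packets are LAN <-> road warrior, the outer header is
#     3.3.3.3 <-> 2.2.2.2, so the policy selector can name the LAN subnet.
/ip ipsec policy
add src-address=192.168.100.0/24 dst-address=2.2.2.2/32 sa-src-address=3.3.3.3 sa-dst-address=2.2.2.2 tunnel=yes action=encrypt level=require proposal=default

# Ordinary masquerade for internet access, plus an accept rule placed first so
# LAN packets bound for the road warrior keep their 192.168.100.x source and
# therefore still match the policy selector above.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-wan
add chain=srcnat action=accept src-address=192.168.100.0/24 dst-address=2.2.2.2 place-before=0 comment="keep IPsec-bound LAN traffic unNATted"

# --- Transport mode: there is no outer IP header, so only traffic that both
#     originates at and terminates on the SA endpoints themselves can be
#     protected. The selector therefore equals the SA addresses; a LAN subnet
#     or 0.0.0.0/0 source cannot be carried this way.
/ip ipsec policy
add src-address=3.3.3.3/32 dst-address=2.2.2.2/32 sa-src-address=3.3.3.3 sa-dst-address=2.2.2.2 tunnel=no action=encrypt level=require proposal=default
```

After applying either variant, `/ip ipsec policy print` and `/ip ipsec installed-sa print` show whether the policy went active and whether an SA was negotiated, which is the quickest way to see which of the two selectors the peer actually accepted.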