Jeroen1000
Member Candidate
Topic Author
Posts: 202
Joined: Fri Feb 18, 2011 2:05 pm

IPsec transport mode without GRE/IPIP tunnels

Thu Feb 20, 2020 3:58 pm

Hi all,

I've gotten pretty far by myself, but I have something I am having trouble with. Apologies for stating the obvious in my explanations, but a clear story is easier to read :)

                              IPsec-traffic                                        LAN-traffic
Road warrior (2.2.2.2/32) >>>>>>>>> Mikrotik CPE (3.3.3.3/32) ------------> 192.168.100.0/24 (LAN behind CPE)

So a road warrior connects to the CPE and wants both internet (through the CPE) and access to the LAN SN behind the CPE. NAT is at play here obviously. If I use a tunnel, I need the CPE to hand out a dummy IP to the road warrior. I gave 192.168.1.1/32.
The SA is then between 2.2.2.2/32 and 3.3.3.3/32. The IPsec policy though, can (there are more options) match 0.0.0.0/0 => 192.168.1.1 as interesting traffic, as this is how things are with IPsec tunnel mode.
So I assume encryption of the traffic destined for the road warrior (so traffic destined for 192.168.1.1/32) happens before 192.168.1.1/32 traffic is source natted to 3.3.3.3/32. Is my assumption correct?

Now I want this converted to transport mode. Is this possible? In theory the only thing that changes is that the policy will now match 0.0.0.0/0 ==> 2.2.2.2/32 and that's it. But it does not seem to agree with my theory.
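The two policy variants the post talks about, written out as RouterOS CLI, as an added example that is not part of the original post and not MikroTik's own documentation. Addresses come from the post; the interface name ether1, the profile/proposal/peer names, the IKEv2 exchange mode and the pre-shared key are assumed placeholders, and the road warrior is treated as a static peer at 2.2.2.2 (a real road-warrior setup would normally use a policy template plus mode-config instead).

```routeros
# Added example (not from the post). Placeholders: ether1 = WAN interface,
# rw-* names, "PLACEHOLDER-PSK". Road warrior assumed static at 2.2.2.2.
/ip ipsec profile add name=rw-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal add name=rw-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add name=rw-peer address=2.2.2.2/32 local-address=3.3.3.3 profile=rw-profile exchange-mode=ike2
/ip ipsec identity add peer=rw-peer auth-method=pre-shared-key secret="PLACEHOLDER-PSK"

# --- Tunnel mode (the working setup in the post) ---
# The selector is the road warrior's inner address 192.168.1.1; the SA itself
# runs between the public endpoints 3.3.3.3 and 2.2.2.2.
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=192.168.1.1/32 \
    sa-src-address=3.3.3.3 sa-dst-address=2.2.2.2 tunnel=yes \
    action=encrypt proposal=rw-proposal

# --- NAT ordering ---
# On RouterOS srcnat is applied before the outgoing IPsec policy lookup, so a
# plain masquerade on ether1 rewrites LAN -> 192.168.1.1 connections to
# source 3.3.3.3 before they are encrypted (the policy still matches because
# its source selector is 0.0.0.0/0, but the road warrior then sees the CPE
# address instead of the LAN host). ipsec-policy=out,none restricts the
# masquerade to packets that match no outgoing policy: the road warrior's
# internet traffic (from 192.168.1.1) is still NATed, LAN <-> road warrior
# traffic is not.
/ip firewall nat add chain=srcnat out-interface=ether1 ipsec-policy=out,none action=masquerade

# --- Transport mode (the variant the post asks about) ---
# No encapsulation: ESP protects the packet's own header, so the selectors are
# the SA endpoints themselves rather than an inner address, written the same
# way RouterOS writes its own transport-mode policies (host /32 on both ends).
# A LAN packet 192.168.100.x -> 2.2.2.2 only fits this selector once srcnat
# has rewritten it to 3.3.3.3, which is the ordering consequence described
# above.
/ip ipsec policy add src-address=3.3.3.3/32 dst-address=2.2.2.2/32 \
    sa-src-address=3.3.3.3 sa-dst-address=2.2.2.2 tunnel=no \
    action=encrypt proposal=rw-proposal
```

Use only one of the two policy entries at a time; /ip ipsec installed-sa print and /ip ipsec policy print show whether the expected SA and policy selectors are active.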
