I have an IPSec tunnel between a firewall at the main site (HQ) and a MikroTik at a branch site, with no problem when I make a LAN-to-LAN policy which involves the sites' local networks.
When I change the IPSec policy in order to send ALL traffic (remote internet navigation) from the branch LAN to the HQ main firewall in order to be inspected by the main firewall, I see the branch PC traffic on the main firewall (seems the no-NAT rules are OK), but the branch router itself starts to be unreachable from the local branch LAN and sends its own LOCAL traffic through the tunnel.
This is the network schema:
This is my ipsec policy brief of branch office:
peer=<peer_name> tunnel=yes src-address=192.168.227.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=<Public_Branch_IP> sa-dst-address=<Public_HQ_IP> proposal=<proposal_name> ph2-count=1
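The symptom in the post follows from how a security policy database is consulted: the first policy whose selectors match a packet decides its fate, and a catch-all selector of src=192.168.227.0/24 dst=0.0.0.0/0 also matches the router's own replies to hosts on that same LAN, so they get encrypted and pushed into the tunnel instead of being delivered locally. The small simulator below is an added example, not code from the original post or from MikroTik; it assumes ordered first-match evaluation of policies, a router LAN address of 192.168.227.1 (not stated in the post) and a documentation-range internet address, and it compares the posted catch-all policy against the same policy preceded by a more specific LAN-to-LAN exemption with action "none".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One SPD entry reduced to its address selectors and action."""
    src: str      # source selector (CIDR)
    dst: str      # destination selector (CIDR)
    action: str   # "encrypt" (send through the tunnel) or "none" (bypass IPsec)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def match(policies, pkt):
    """Return the action of the first policy whose selectors cover the packet.

    Assumption: policies are evaluated top-down and the first match wins.
    A packet matching no policy is simply routed in the clear.
    """
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for p in policies:
        if s in ip_network(p.src) and d in ip_network(p.dst):
            return p.action
    return "none"


# Selectors taken from the posted policy.
BRANCH_LAN = "192.168.227.0/24"

# The policy as posted: everything from the branch LAN goes into the tunnel.
CATCH_ALL = [Policy(BRANCH_LAN, "0.0.0.0/0", "encrypt")]

# Hypothetical variant: a more specific LAN-to-LAN bypass placed *before*
# the catch-all, so local traffic never reaches the encrypt policy.
EXEMPT_FIRST = [Policy(BRANCH_LAN, BRANCH_LAN, "none")] + CATCH_ALL

# Constructed sample packets; 192.168.227.1 is the assumed router LAN address
# and 203.0.113.5 is a documentation-range internet host.
SAMPLE_PACKETS = {
    "pc_to_internet": Packet("192.168.227.10", "203.0.113.5"),
    "router_to_pc": Packet("192.168.227.1", "192.168.227.10"),
}


def classify(policies):
    """Map each sample packet to the action the given policy list produces."""
    return {name: match(policies, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print("posted catch-all policy :", classify(CATCH_ALL))
    print("with LAN bypass first   :", classify(EXEMPT_FIRST))
```

With the posted policy alone, both the PC's internet traffic and the router's reply to a LAN host are classified "encrypt", which is exactly the loss of local reachability described above; with the bypass entry evaluated first, only the internet-bound packet is tunneled.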