brwnb
just joined
Topic Author
Posts: 1
Joined: Thu Apr 29, 2021 3:02 pm

VPN IPsec with BINAT configuration

Thu Apr 29, 2021 6:21 pm

Hello, you all.

Today I have a pfSense with an IPsec site-to-site VPN. That configuration has a field called NAT/BINAT translation.
I don't have any idea how to make it work in MikroTik.

My environment has pfSense with some VLANs, OpenVPN for desktop clients, IPsec site-to-site, NAT and firewall.
I am going to change pfSense to MikroTik.
So, I know how to configure IPsec in MikroTik, but I don't know this specific IPsec setting.

The tunnel's IPs are something like: remote site 192.168.0.0/24, my site 10.25.25.2.
My local network is 10.10.0.0/24.

How do I get the 10.25.25.2 to my local network?

Here is the configuration image of phase two in pfSense:
https://drive.google.com/file/d/1r9oAvt ... sp=sharing
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN IPsec with BINAT configuration

Fri Apr 30, 2021 9:59 pm

The term BINAT seems to be pfSense specific; in fact, it addresses a situation where you interconnect two sites and the same subnets are used at both of them, and you need devices at site A to communicate with devices in a site B subnet shadowed by a local one at site A. This issue needs to be addressed no matter what kind of VPN protocol you use, i.e. it is nothing specific to IPsec, so I don't quite understand why pfSense bundles this setting with the Phase 2 one of IPsec.

In RouterOS, action=netmap rules are used for this purpose. According to your example, the actual subnet 10.10.0.0/24 at the MikroTik site has to be reachable/visible as 10.25.25.0/24 from the remote site.

So you need the following two rules at proper places in their respective chains of /ip firewall nat:
/ip firewall nat add chain=srcnat src-address=10.10.0.0/24 dst-address=192.168.0.0/24 action=netmap to-addresses=10.25.25.0/24
/ip firewall nat add chain=dstnat src-address=192.168.0.0/24 dst-address=10.25.25.0/24 action=netmap to-addresses=10.10.0.0/24

The traffic selector of the IPsec policy must match the "external" addresses:
src-address=10.25.25.0/24 dst-address=192.168.0.0/24 tunnel=yes ...
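The following is an added model of the packet flow described in the answer above, not code from the thread or from MikroTik: it applies the two netmap rules as 1:1 host-preserving mappings and checks the IPsec policy selector against the addresses after srcnat (outbound) and before dstnat (inbound). The host addresses used are constructed from the subnets in the thread.

```python
import ipaddress

# Subnets taken from the thread; the hosts used below are constructed examples.
LOCAL_NET = ipaddress.ip_network("10.10.0.0/24")    # real LAN behind the MikroTik
BINAT_NET = ipaddress.ip_network("10.25.25.0/24")   # how that LAN must look to the remote site
REMOTE_NET = ipaddress.ip_network("192.168.0.0/24") # remote site's LAN

# The two netmap rules from the answer, as data: (chain, match src, match dst, to-addresses).
NAT_RULES = [
    ("srcnat", LOCAL_NET, REMOTE_NET, BINAT_NET),
    ("dstnat", REMOTE_NET, BINAT_NET, LOCAL_NET),
]

def netmap(addr, from_net, to_net):
    """action=netmap is a 1:1 mapping: the host bits are kept, only the network part changes."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs equally sized subnets")
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)

def run_chain(chain, src, dst):
    """Apply the first matching netmap rule of `chain`; returns (src, dst) after NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_chain, m_src, m_dst, to_net in NAT_RULES:
        if rule_chain == chain and src in m_src and dst in m_dst:
            if chain == "srcnat":
                return str(netmap(src, m_src, to_net)), str(dst)
            return str(src), str(netmap(dst, m_dst, to_net))
    return str(src), str(dst)  # no rule matched: addresses unchanged

def policy_matches(src, dst, pol_src=BINAT_NET, pol_dst=REMOTE_NET):
    """IPsec policy selector written with the 'external' addresses, as the answer says."""
    return ipaddress.ip_address(src) in pol_src and ipaddress.ip_address(dst) in pol_dst

def outbound(src, dst):
    """LAN host -> remote host: srcnat runs before the IPsec policy lookup in RouterOS."""
    nat_src, nat_dst = run_chain("srcnat", src, dst)
    return nat_src, nat_dst, policy_matches(nat_src, nat_dst)

def inbound(src, dst):
    """Remote host -> BINAT address: after decryption, dstnat restores the real LAN address."""
    return run_chain("dstnat", src, dst)
```

A selector written with the real LAN addresses (10.10.0.0/24) would never match the post-srcnat packet, which is why the policy has to use 10.25.25.0/24.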
