rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

IPsec behind NAT

Fri Nov 11, 2022 3:12 pm

Hello team!!!

I need to create an IPsec VPN between my Mikrotik and another router/firewall which I can not manage (I only can manage the Mikrotik side)
My LAN is 192.168.3.0/24, but this segment is in use in the remote network, so they asked me to change my LAN or do some kind of NAT.
I know how to create the VPN and how to NAT, but I never mixed both features together.
I tried to add a srcnat rule to change my IP, but with this rule enabled the ping never reaches the other side.
Any suggestion on how to accomplish this by doing something on my side?

Thanks in advance.
Regards,
Damián
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec behind NAT

Fri Nov 11, 2022 7:34 pm

Is it a bare IPsec with a policy? If so, bear in mind that the src-nat (in your case, the netmap action in srcnat chain) comes first, and then comes the policy matching. So a packet from 192.168.3.x must get src-nated to, say, 10.168.3.x, and the policy's src-address must be 10.168.3.x at your side. If the connections should be established in both directions, you also need a netmap rule in dstnat chain.
 
rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Re: IPsec behind NAT

Wed Nov 16, 2022 2:31 pm

Is it a bare IPsec with a policy? If so, bear in mind that the src-nat (in your case, the netmap action in srcnat chain) comes first, and then comes the policy matching. So a packet from 192.168.3.x must get src-nated to, say, 10.168.3.x, and the policy's src-address must be 10.168.3.x at your side. If the connections should be established in both directions, you also need a netmap rule in dstnat chain.
Hello Sindy, I missed you!!!
Thanks a lot for your response!
Not sure what you mean by "bare", this is just IPsec, not L2TP/IPsec or any other VPN with IPsec, if that is what you mean.
The netmap rule is something like this?
/ip firewall nat add action=netmap chain=srcnat comment="CGNAT rule" out-interface-list=WAN ipsec-policy=out
Then the src-nat action in another rule, and the netmap with dst-nat chain in another rule, right?

Thanks!
Regards!
Damián
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPsec behind NAT  [SOLVED]

Wed Nov 16, 2022 2:47 pm

/ip firewall nat
add chain=srcnat src-address=<your real LAN subnet> dst-address=<remote subnet> action=netmap to-addresses=<your fake LAN subnet> comment="for outgoing connections"
add chain=dstnat src-address=<remote subnet> dst-address=<your fake LAN subnet> action=netmap to-addresses=<your real LAN subnet> comment="for incoming connections"
The IPsec policy should be for <your fake LAN subnet> <-> <remote subnet>. And the real and fake subnets should have the same size.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec behind NAT

Wed Nov 16, 2022 3:09 pm

Not sure what you mean by "bare", this is just IPsec, not L2TP/IPsec or any other VPN with IPsec, if that is what you mean.
Yes, that's what I had in mind. Maybe I should have called it "standalone IPsec".

The netmap rule is something like this?
No need to repeat @Sob's correct answer :)

Then the src-nat action in another rule, and the netmap with dst-nat chain in another rule, right?
Yes, the netmap rules in srcnat and dstnat will handle solely the actual subnet to alias subnet translation; a separate src-nat/masquerade rule is necessary for the traffic from LAN to internet. But since the source subnet will likely be the same for both, it is important that the netmap rule in srcnat chain that matches on dst-address=remo.te.sub.net/mask is placed before (above) the src-nat/masquerade one. Or you could add a route to remo.te.sub.net/mask and set its gateway to some port-less bridge created for the purpose, and then let the netmap rule match on out-interface=name-of-that-bridge. This might make sense if you want to prevent traffic that should go through the tunnel from leaking via WAN if the tunnel is down and the IPsec policy is created dynamically (a static policy intercepts the traffic even if the tunnel is down).
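The two answers above put together as one complete RouterOS configuration. This is an added example, not a config from any of the posters; it uses the thread's real LAN 192.168.3.0/24 and sindy's alias 10.168.3.0/24, while the remote subnet 172.16.50.0/24, the peer address 203.0.113.1, the interface list WAN and all object names are placeholders chosen for the example.

```routeros
# Constructed example: real LAN 192.168.3.0/24 is presented to the peer as
# 10.168.3.0/24. Remote subnet 172.16.50.0/24 and peer 203.0.113.1 are
# placeholders; replace them with the values agreed with the remote side.
# Both subnets are /24, as netmap needs real and alias subnets of equal size.

# 1. NAT. Order matters: the netmap rules must sit ABOVE the generic
#    masquerade rule. If masquerade is hit first, packets for the remote
#    subnet leave with the WAN address and never match the IPsec policy.
/ip firewall nat
add chain=srcnat action=netmap src-address=192.168.3.0/24 dst-address=172.16.50.0/24 \
    to-addresses=10.168.3.0/24 comment="tunnel: real -> alias (outgoing)"
add chain=dstnat action=netmap src-address=172.16.50.0/24 dst-address=10.168.3.0/24 \
    to-addresses=192.168.3.0/24 comment="tunnel: alias -> real (incoming)"
# ipsec-policy=out,none is a second safeguard: masquerade only applies to
# packets that match no outgoing IPsec policy, so ordering mistakes do not
# silently break the tunnel.
add chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none \
    comment="internet: everything else"

# 2. IPsec. The policy names the ALIAS subnet, because policy matching runs
#    after srcnat has already rewritten the source address.
/ip ipsec profile
add name=profile-remote enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal
add name=proposal-remote enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec peer
add name=peer-remote address=203.0.113.1/32 exchange-mode=ike2 profile=profile-remote
/ip ipsec identity
add peer=peer-remote auth-method=pre-shared-key secret="REPLACE-WITH-SHARED-SECRET"
/ip ipsec policy
add peer=peer-remote tunnel=yes src-address=10.168.3.0/24 dst-address=172.16.50.0/24 \
    proposal=proposal-remote action=encrypt level=require

# 3. Checks once a host in 192.168.3.0/24 pings a remote host:
#    /ip firewall nat print stats   -> netmap counters increase, masquerade does not
#    /ip ipsec installed-sa print   -> SAs present, traffic counters increase
```

If the remote side only ever sees 10.168.3.x in the tunnel and the netmap counters stay at zero, the masquerade rule is still above the netmap rules.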
 
rbuserdl
Member Candidate
Topic Author
Posts: 270
Joined: Thu Mar 22, 2018 1:53 pm

Re: IPsec behind NAT

Thu Nov 17, 2022 2:41 pm

Thanks a lot to both!!!
I just saw that the rule I wrote before makes no sense, because it does not have any address in it.
What you both said makes sense to me, I will try it soon.

Regards,
Damián
