danergo
Member Candidate
Topic Author
Posts: 131
Joined: Tue Dec 24, 2019 8:49 pm

IPSec IKE VPN: response packets are managed automatically?

Fri Mar 17, 2023 8:15 am

I was thinking about a rather simple question:

After building up an IKE VPN (from Android to MikroTik v6.49.7), it seems my Android phone can browse the internet just as if it were joined to this MikroTik locally.
IPSec's policy defines a range for dst-address and its mode config sets an address pool. This way, Android gets an address from the pool, and everything is working correctly.

What I don't understand is how response packets find their way back to my Android: I didn't have to add any mangle, firewall or NAT rules to make this work.

Are IPSec peers' addresses considered the same as other "physically" connected clients' when Mikrotik searches for the response's dst? Is it that simple?

Thank you!
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPSec IKE VPN: response packets are managed automatically?  [SOLVED]

Fri Mar 17, 2023 9:01 am

NAT is an L3 (IP) function, and when the firewall does it, it doesn't matter how a particular local IP is connected to the router at L2. So if a packet arrives at the router via IPSec and that packet has to leave the router via an interface that has SRC-NAT active, the connection tracking machinery makes note of that fact, and when the (return) packet arrives at that same interface, SRC-NAT undoes the NAT. The resulting packet is then pushed into the routing machinery, which determines that the packet should leave through the IPSec tunnel. This part is the same as if the packet had arrived at the router via a LAN interface ...
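A minimal RouterOS v6 configuration matching the setup in this thread, with the commands that show where the return path is decided. This is an added example, not configuration posted by either participant; the interface name ether1, the client pool 10.99.0.0/24 and the names ike-pool, ike-cfg and ike-group are assumed.

```routeros
# Added example (not from the thread). Assumed: ether1 = WAN uplink,
# client pool 10.99.0.0/24, object names ike-pool / ike-cfg / ike-group.

# 1. Address pool that mode config hands to the Android client.
/ip pool add name=ike-pool ranges=10.99.0.2-10.99.0.254
/ip ipsec mode-config add name=ike-cfg address-pool=ike-pool \
    address-prefix-length=32 system-dns=yes

# 2. Policy template: any source, dst-address = the client pool.
#    A packet whose destination is a pool address is selected by this
#    policy and encapsulated, so routing needs no route or interface
#    pointing at the client; that is why no mangle rule is required.
/ip ipsec policy group add name=ike-group
/ip ipsec policy add group=ike-group template=yes \
    src-address=0.0.0.0/0 dst-address=10.99.0.0/24 proposal=default

# The /ip ipsec peer and identity entries (authentication method) are
# left as the reader has them; the identity must reference
# mode-config=ike-cfg policy-template-group=ike-group
# generate-policy=port-strict so that the template above is used.

# 3. The usual masquerade on the WAN. NAT is applied per tracked
#    connection at L3, so decrypted client packets leaving via ether1
#    hit the same rule as LAN packets, and replies are un-NATed by
#    connection tracking before routing hands them to the policy.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# 4. Only IKE/NAT-T and ESP need to reach the router from the internet.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp \
    dst-port=500,4500 action=accept comment="IKE / NAT-T"
/ip firewall filter add chain=input in-interface=ether1 \
    protocol=ipsec-esp action=accept comment="ESP"

# 5. Verification while the phone is connected:
#    tracked connections from the pool show reply-dst = the pool address
/ip firewall connection print where src-address~"^10.99.0."
#    and a pair of SAs exists for that address, so the reply matches.
/ip ipsec active-peers print
/ip ipsec installed-sa print
```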
