iluvar
newbie
Topic Author
Posts: 29
Joined: Sat Aug 04, 2012 9:31 am

IPSec NAT-N

Sat Aug 04, 2012 10:26 am

Hi!

Please help me create IPSec through an alien NAT router.

Scheme:

MY OFFICE:

My RB1 ether1 LAN 192.168.0.1/24
My RB1 ether2 WAN 8.8.0.1/32


REMOTE OFFICE:

My RB2 ether1 LAN 192.168.1.1/24

Alien RB3 ether1 LAN 192.168.1.2/24
Alien RB3 ether2 WAN 8.8.1.1/32

Alien RB3 gives me NAT in the remote office.

How can I create a VPN tunnel through NAT?

My RB1:

/ip address
add address=192.168.0.1/24 interface=ether1
add address=8.8.0.1/30 interface=ether2

/ip route
add gateway=8.8.0.2

/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade



My RB2:

/ip address
add address=192.168.1.1/24 interface=ether1

/ip route
add gateway=192.168.1.2



Alien RB3:

/ip address
add address=192.168.1.2/24 interface=ether1
add address=8.8.1.1/30 interface=ether2

/ip route
add gateway=8.8.1.2

/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade




IpSec Peer's config

My RB1:

/ip ipsec peer
add address=8.8.1.1(???)/32 port=500 auth-method=pre-shared-key secret="test"

My RB2:

/ip ipsec peer
add address=8.8.0.1/32 port=500 auth-method=pre-shared-key secret="test"




Policy and proposal

My RB1:

/ip ipsec policy
add src-address=192.168.0.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any \
sa-src-address=8.8.0.1 sa-dst-address=8.8.1.1(???) \
tunnel=yes action=encrypt proposal=default

My RB2:

/ip ipsec policy
add src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any \
sa-src-address=8.8.1.1(???) sa-dst-address=8.8.0.1 \
tunnel=yes action=encrypt proposal=default




NAT Bypass

My RB1:

/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=192.168.0.0/24 dst-address=192.168.0.0/24

Alien RB3(???):

/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=192.168.1.0/24 dst-address=192.168.0.0/24



Please correct me, I don't understand the whole NAT-T scheme.
 
lordcoke
newbie
Posts: 29
Joined: Thu Jun 10, 2010 10:11 am
Location: Germany

Re: IPSec NAT-N

Wed Aug 15, 2012 3:07 pm

The following may work:
RB1:
/ip ipsec peer
add address=8.8.1.1/32 secret="test" nat-traversal=yes send-initial-contact=no
/ip ipsec policy
add sa-dst-address=8.8.1.1 sa-src-address=8.8.0.1 src-address=192.168.0.0/24 dst-address=192.168.1.0/24 tunnel=yes
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.0.0/24 dst-address=192.168.1.0/24 comment="bypass ipsec"

RB2:
/ip ipsec peer
add address=8.8.0.1/32 secret="test" nat-traversal=yes
/ip ipsec policy
add sa-dst-address=8.8.0.1 sa-src-address=192.168.1.1 src-address=192.168.1.0/24 dst-address=192.168.0.0/24 tunnel=yes
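
The NAT detection that nat-traversal=yes relies on, as an added example that is not part of the original posts: in IKEv1 (RFC 3947) each side sends NAT-D hashes of the addresses it believes the packet carries, and the receiver compares them with what actually arrived. The addresses are the thread's; the cookies, the mapped port 1024, SHA-1 as the negotiated hash and RB2 acting as initiator are assumptions.

```python
import hashlib
import socket
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()  # assumption: SHA-1 is the IKE hash


def build_nat_d(cky_i, cky_r, src, dst):
    """Sender: the first NAT-D covers the destination, the second the source."""
    return nat_d_hash(cky_i, cky_r, *dst), nat_d_hash(cky_i, cky_r, *src)


def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Receiver: compare the peer's hashes with the addresses seen on the wire.

    Returns (peer_behind_nat, local_behind_nat).
    """
    d_dst, d_src = nat_d
    peer_behind_nat = d_src != nat_d_hash(cky_i, cky_r, *seen_src)
    local_behind_nat = d_dst != nat_d_hash(cky_i, cky_r, *seen_dst)
    return peer_behind_nat, local_behind_nat


def simulate():
    # Constructed IKE cookies; real ones are random per exchange.
    cky_i = bytes.fromhex("1122334455667788")
    cky_r = bytes.fromhex("99aabbccddeeff00")
    rb1 = ("8.8.0.1", 500)         # public peer
    rb2 = ("192.168.1.1", 500)     # private peer behind RB3
    rb3_mapped = ("8.8.1.1", 1024)  # constructed masquerade mapping on RB3

    # RB2 -> RB1: RB2 hashes its own view, RB3 rewrites the source on the way.
    from_rb2 = build_nat_d(cky_i, cky_r, src=rb2, dst=rb1)
    rb1_view = detect_nat(cky_i, cky_r, from_rb2,
                          seen_src=rb3_mapped, seen_dst=rb1)

    # RB1 -> RB2: RB1 answers the mapped address, RB3 rewrites the destination.
    from_rb1 = build_nat_d(cky_i, cky_r, src=rb1, dst=rb3_mapped)
    rb2_view = detect_nat(cky_i, cky_r, from_rb1,
                          seen_src=rb1, seen_dst=rb2)
    return rb1_view, rb2_view


if __name__ == "__main__":
    print(simulate())
```

Once either side sees a mismatch, IKE moves to UDP 4500 and ESP is UDP-encapsulated, which is why RB2 keeps its private 192.168.1.1 as sa-src-address while RB1 addresses the peer as 8.8.1.1.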
 
iluvar
newbie
Topic Author
Posts: 29
Joined: Sat Aug 04, 2012 9:31 am

Re: IPSec NAT-N

Wed Aug 15, 2012 7:50 pm

Thanks! I'll try it.
 
iluvar
newbie
Topic Author
Posts: 29
Joined: Sat Aug 04, 2012 9:31 am

Re: IPSec NAT-N

Thu Aug 16, 2012 7:37 am

All works, tnx!
