Rudios
Forum Veteran
Topic Author
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

SRC-NAT rule for IPSec to work

Thu Mar 05, 2015 2:08 pm

I don't understand.

Why do I need a src-nat accept rule in order to get IPSec functional?

System setup explanation:

I have 2 locations, each with static IP over PPPoE initiated from an RB951. One is L2TP server, the other is L2TP client.
I connect from A to the public IP of B, this works fine.

On each RB a dedicated IP segment for local network (192.168.1.0/24 and 192.168.2.0/24)

Created IPSec settings as found on various posts.

On system A:
/ip ipsec peer
add address=<WAN of B> enc-algorithm=3des secret=<secret>
/ip ipsec policy
add dst-address=<lan of B> sa-dst-address=<WAN of B> src-address=<lan of A> sa-src-address=<WAN of A> tunnel=yes

On system B:
/ip ipsec peer
add address=<WAN of A> enc-algorithm=3des secret=<secret>
/ip ipsec policy
add dst-address=<lan of A> sa-dst-address=<WAN of A> src-address=<lan of B> sa-src-address=<WAN of B> tunnel=yes

For both systems I have made routes:
/ip route
add dst-address=<other lan> gateway=<l2tp-interface>

On the firewall NAT I have the following (on both systems):
/ip firewall nat
add chain=srcnat action=masquerade src-address=<local LAN> out-interface=PPPoE-out

Why do I need an additional rule like this? (seen from system A)
/ip firewall nat
add chain=srcnat action=accept src-address=<local lan A> dst-address=<local lan B>

As far as I know the masquerading rule "should" not catch the outgoing traffic towards the other side of the tunnel, because it is not exiting the router over the PPPoE session.
Where is my thought going wrong?
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: SRC-NAT rule for IPSec to work

Thu Mar 05, 2015 4:55 pm

Why do I need an additional rule like this? (seen from system A)
/ip firewall nat
add chain=srcnat action=accept src-address=<local lan A> dst-address=<local lan B>

As far as I know the masquerading rule "should" not catch the outgoing traffic towards the other side of the tunnel, because it is not exiting the router over the PPPoE session.
Where is my thought going wrong?
See: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec - look for NAT Bypass and it explains why.
 
Rudios
Forum Veteran
Topic Author
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: SRC-NAT rule for IPSec to work

Sat Mar 07, 2015 11:11 pm

Why do I need an additional rule like this? (seen from system A)
/ip firewall nat
add chain=srcnat action=accept src-address=<local lan A> dst-address=<local lan B>

As far as I know the masquerading rule "should" not catch the outgoing traffic towards the other side of the tunnel, because it is not exiting the router over the PPPoE session.
Where is my thought going wrong?
See: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec - look for NAT Bypass and it explains why.
Thanks for the link.
I must be stupid but still don't understand why the packet will be affected by srcnat.
If my public IP resides in the router, won't it just use that address as source?
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: SRC-NAT rule for IPSec to work

Mon Mar 09, 2015 2:52 pm

Thanks for the link.
I must be stupid but still don't understand why the packet will be affected by srcnat.
If my public IP resides in the router, won't it just use that address as source?
It has more to do with complete processing of the packets than just what source IP to use. Take a look at the packet flow diagrams for RouterOS: http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

The packets hit the pre-routing and post-routing chains (which includes NAT) before they hit IPSec. It's just an order-of-operations thing.
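As an added illustration of the order-of-operations point above (this is example code written for this page, not code from the thread or from MikroTik), the Python model below walks a srcnat chain top to bottom the way RouterOS does, first match wins, and then checks whether the packet that comes out still matches a tunnel-mode IPsec policy on its inner source and destination. The LAN ranges are the thread's (192.168.1.0/24 and 192.168.2.0/24); the public IP of A (198.51.100.10, from the TEST-NET-2 documentation range) and the assumption that the LAN-to-LAN packet is routed out PPPoE-out are constructed for the example, and the rule matcher is a deliberate simplification of the real firewall.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed values standing in for the <...> placeholders in the thread.
LAN_A = ipaddress.ip_network("192.168.1.0/24")
LAN_B = ipaddress.ip_network("192.168.2.0/24")
WAN_A = ipaddress.ip_address("198.51.100.10")   # hypothetical public IP of A


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    out_interface: str          # result of the routing decision, before postrouting


@dataclass(frozen=True)
class NatRule:
    """One srcnat rule; a None matcher means 'any', as an omitted CLI parameter does."""
    action: str                                  # "accept" or "masquerade"
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    out_interface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.src_net is None or pkt.src in self.src_net)
            and (self.dst_net is None or pkt.dst in self.dst_net)
            and (self.out_interface is None or pkt.out_interface == self.out_interface)
        )


def run_srcnat(pkt: Packet, rules: List[NatRule], wan_ip) -> Packet:
    """Evaluate the srcnat chain in order. The first matching rule decides:
    accept leaves the packet alone and stops, masquerade rewrites the source
    to the router's address on the outgoing interface."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "accept":
                return pkt
            if rule.action == "masquerade":
                return replace(pkt, src=wan_ip)
    return pkt


def ipsec_policy_matches(pkt: Packet, src_net, dst_net) -> bool:
    """A tunnel-mode policy selects on the inner src/dst. In the RouterOS packet
    flow this check happens after postrouting, i.e. after srcnat has run."""
    return pkt.src in src_net and pkt.dst in dst_net


def simulate(rules: List[NatRule]) -> Tuple[str, bool]:
    """Send one constructed LAN A -> LAN B packet through srcnat, then the policy.
    Returns (source address seen by IPsec, whether the policy matched)."""
    pkt = Packet(
        src=ipaddress.ip_address("192.168.1.20"),   # host in LAN A (constructed)
        dst=ipaddress.ip_address("192.168.2.30"),   # host in LAN B (constructed)
        out_interface="PPPoE-out",                  # assumed routing result
    )
    after_nat = run_srcnat(pkt, rules, WAN_A)
    return str(after_nat.src), ipsec_policy_matches(after_nat, LAN_A, LAN_B)


# The thread's masquerade rule and the NAT bypass rule it asks about.
MASQ = NatRule("masquerade", src_net=LAN_A, out_interface="PPPoE-out")
BYPASS = NatRule("accept", src_net=LAN_A, dst_net=LAN_B)


def without_bypass() -> Tuple[str, bool]:
    # Masquerade fires first, so IPsec sees WAN_A as source and the policy misses.
    return simulate([MASQ])


def with_bypass() -> Tuple[str, bool]:
    # Accept sits above masquerade: chain stops, inner source survives, policy hits.
    return simulate([BYPASS, MASQ])


def bypass_too_late() -> Tuple[str, bool]:
    # Same rules in the wrong order: masquerade already matched, accept is never reached.
    return simulate([MASQ, BYPASS])


if __name__ == "__main__":
    for name, fn in (("no bypass", without_bypass), ("bypass first", with_bypass),
                     ("bypass after masquerade", bypass_too_late)):
        src, ok = fn()
        print(f"{name:24s} source seen by IPsec={src:15s} policy matched={ok}")
```

The third case is the one that bites in practice: the accept rule only helps if it is placed above the masquerade rule, because the chain stops at the first match. Once the source has been rewritten to the public address, nothing in the IPsec policy (src-address=<lan of A>) can match it, which is why the traffic goes out in the clear or not at all rather than through the tunnel.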
