Why do I need a src-nat accept rule in order to get IPsec functional?
System setup explanation:
I have 2 locations, each with a static IP over PPPoE initiated from an RB951. One is the L2TP server, the other is the L2TP client.
I connect from A to the public IP of B, this works fine.
On each RB there is a dedicated IP segment for the local network (192.168.1.0/24 and 192.168.2.0/24).
I created the IPsec settings as found in various posts.
On system A
/ip ipsec peer
# note: 3DES is an obsolete 64-bit-block cipher (Sweet32); aes-256-cbc is the usual choice today
add address=<WAN of B> enc-algorithm=3des secret=<secret>
/ip ipsec policy
# tunnel-mode policy: inner selector LAN A -> LAN B, outer SA between the two WAN addresses
add dst-address=<lan of B> sa-dst-address=<WAN of B> src-address=<lan of A> sa-src-address=<WAN of A> tunnel=yes
On system B
/ip ipsec peer
add address=<WAN of A> enc-algorithm=3des secret=<secret>
/ip ipsec policy
add dst-address=<lan of A> sa-dst-address=<WAN of A> src-address=<lan of B> sa-src-address=<WAN of B> tunnel=yes
/ip route
add dst-address=<other lan> gateway=<l2tp-interface>
/ip firewall nat
add chain=srcnat action=masquerade src-address=<local LAN> out-interface=PPPoE-out
/ip firewall nat
# srcnat rules are evaluated top-down and the first match is final, so this accept
# rule only takes effect if it sits above any rule that would otherwise match first
add chain=srcnat action=accept src-address=<local lan A> dst-address=<local lan B>
As far as I know, the masquerade rule "should" not catch the outgoing traffic towards the other side of the tunnel, because that traffic does not exit the router over the PPPoE session.
Where is my reasoning going wrong?
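The packet-flow point behind this question, as an added example that is not part of the original post: MikroTik's packet-flow documentation places srcnat before the IPsec policy check, which is why its site-to-site IPsec examples carry a NAT-bypass accept rule above the masquerade rule. The model below assumes exactly that order and leaves the out-interface chosen by the routing decision as an input, because the post does not settle whether the LAN-to-LAN packet is routed towards the L2TP interface or towards PPPoE-out at the moment srcnat runs. The WAN address, host addresses and interface names are hypothetical (RFC 5737 documentation ranges); only the two LAN segments and the two NAT rules come from the post.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Hypothetical WAN address (RFC 5737); the post only gives the LAN segments.
WAN_A = "203.0.113.10"
LAN_A = "192.168.1.0/24"
LAN_B = "192.168.2.0/24"


@dataclass
class Packet:
    src: str
    dst: str
    out_iface: str   # interface selected by the routing decision


@dataclass
class NatRule:
    action: str                      # "accept" or "masquerade"
    src: Optional[str] = None        # src-address= (None means any)
    dst: Optional[str] = None        # dst-address=
    out_iface: Optional[str] = None  # out-interface=


def in_net(ip: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def nat_matches(rule: NatRule, pkt: Packet) -> bool:
    return (in_net(pkt.src, rule.src)
            and in_net(pkt.dst, rule.dst)
            and (rule.out_iface is None or rule.out_iface == pkt.out_iface))


def run_srcnat(rules: List[NatRule], pkt: Packet, wan_ip: str) -> Packet:
    """Walk the srcnat chain top-down; the first matching rule is final.
    accept leaves the packet untouched, masquerade rewrites the source to
    the address of the out interface (modelled here as the router's WAN IP)."""
    for rule in rules:
        if nat_matches(rule, pkt):
            if rule.action == "masquerade":
                return replace(pkt, src=wan_ip)
            return pkt          # accept: stop processing, no rewrite
    return pkt


def ipsec_policy_matches(pkt: Packet, policy: Tuple[str, str]) -> bool:
    """Tunnel-mode policy selector: src-address/dst-address of the inner packet."""
    return in_net(pkt.src, policy[0]) and in_net(pkt.dst, policy[1])


def egress(pkt: Packet, rules: List[NatRule], wan_ip: str,
           policy: Tuple[str, str]) -> Tuple[str, bool]:
    """Assumed RouterOS egress order: routing decision (already reflected in
    pkt.out_iface) -> srcnat -> IPsec policy check. Returns the source
    address the policy sees and whether the policy still matches."""
    after_nat = run_srcnat(rules, pkt, wan_ip)
    return after_nat.src, ipsec_policy_matches(after_nat, policy)


# The two rules from the post, with a hypothetical interface name for L2TP.
MASQUERADE = NatRule("masquerade", src=LAN_A, out_iface="PPPoE-out")
BYPASS = NatRule("accept", src=LAN_A, dst=LAN_B)
POLICY_A = (LAN_A, LAN_B)       # policy on system A: LAN A -> LAN B


def scenario(rules: List[NatRule], out_iface: str) -> Tuple[str, bool]:
    """One LAN A host talking to one LAN B host, routed out `out_iface`."""
    pkt = Packet("192.168.1.50", "192.168.2.50", out_iface)
    return egress(pkt, rules, WAN_A, POLICY_A)


if __name__ == "__main__":
    print("masquerade only, routed via PPPoE-out:", scenario([MASQUERADE], "PPPoE-out"))
    print("accept above masquerade, via PPPoE-out:", scenario([BYPASS, MASQUERADE], "PPPoE-out"))
    print("accept below masquerade, via PPPoE-out:", scenario([MASQUERADE, BYPASS], "PPPoE-out"))
    print("masquerade only, routed via L2TP:      ", scenario([MASQUERADE], "l2tp-out1"))
```

The last scenario is the expectation stated in the post: if the routing decision sends the packet towards the L2TP interface, the masquerade rule with out-interface=PPPoE-out never matches and the policy still sees the LAN source. The first scenario shows what happens whenever the packet's out-interface at srcnat time is PPPoE-out instead: the source is rewritten to the WAN address before the policy is consulted, so the LAN-to-LAN selector no longer matches and the traffic leaves unencrypted. The third scenario is the reason the bypass rule has to be placed above the masquerade rule (place-before=0 in RouterOS), not merely present.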