ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

Question about Nat rules using IPSEC

Thu Apr 23, 2015 6:56 pm

When IPSEC is used in tunnel mode, a NAT rule is needed to avoid the source address being changed (by the default masquerade NAT rule, if I have understood correctly).
I noted it is no longer needed when IPSEC is used as transport for other tunnel protocols (I have GRE over IPSEC working without any NAT rule).
Is this correct?
 
rmmccann
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: Question about Nat rules using IPSEC

Thu Apr 23, 2015 7:08 pm

You are correct. When using IPSec transport mode, there is no address translation happening.

The reason for the NAT rule with IPSec Tunnel mode has to do with how RouterOS routes packets through its internal system. If you look at one of their packet flow diagrams in the wiki, you'll see why.
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. --Douglas Adams
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Question about Nat rules using IPSEC

Thu Apr 23, 2015 7:27 pm

If you use GRE, then a packet going on the VPN isn't technically leaving via the WAN interface, it's leaving via the tunnel interface. The tunnel interface has its own rules for forwarding, NAT, etc. When not using a tunnel under the IPSec, the traffic leaves via the WAN interface, so it must not be NAT translated in order for the IPSec policy to see the packet as a VPN packet, encrypt it, and send the encrypted packet to the peer.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
TomosRider
Member Candidate
Posts: 202
Joined: Thu Nov 20, 2014 1:51 pm

Re: Question about Nat rules using IPSEC

Thu Apr 23, 2015 7:38 pm

Using GRE, you are sending packets over the VPN, so your network doesn't need any kind of translation. For IPSEC it's important to see the true IPs so it can encrypt them and establish the tunnel between peers. IP addresses destined for the IPSEC tunnel are matched with an ACL, for example.
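The two situations described in the replies above, written out as a RouterOS configuration. This is an added example, not configuration posted by anyone in this thread. It assumes a LAN of 192.168.88.0/24 behind a router whose WAN address 203.0.113.1 sits on ether1, a peer at 203.0.113.2 with a remote LAN of 10.10.10.0/24, and the RouterOS 6.x command syntax of the thread's era; the pre-shared key is a placeholder.

```routeros
# Added example (not from this thread). Assumed addresses: LAN 192.168.88.0/24,
# remote LAN 10.10.10.0/24, local WAN 203.0.113.1 on ether1, peer 203.0.113.2.
# Written against RouterOS 6.x syntax; the PSK is a placeholder.

# --- Case 1: IPsec tunnel mode, no GRE ---
# The LAN packet leaves via ether1, so srcnat processes it before the IPsec
# policy is consulted. Masquerade would rewrite 192.168.88.x to 203.0.113.1
# and the policy selector below would never match. An accept rule placed
# BEFORE masquerade lets the original source address reach the policy.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.88.0/24 \
    dst-address=10.10.10.0/24 place-before=0 \
    comment="IPsec tunnel mode: skip NAT for VPN-bound traffic"
add chain=srcnat action=masquerade out-interface=ether1

/ip ipsec peer
add address=203.0.113.2/32 secret="PLACEHOLDER_PSK" exchange-mode=main
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=10.10.10.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=203.0.113.2 \
    tunnel=yes action=encrypt proposal=default

# --- Case 2: GRE over IPsec (transport mode) ---
# LAN packets leave via the gre1 interface, not ether1, so the masquerade rule
# above never sees them. What ether1 sends is the GRE packet built by the
# router itself (source 203.0.113.1), and that router-to-router packet is what
# the transport-mode policy protects. No NAT bypass rule is needed.
/interface gre
add name=gre1 local-address=203.0.113.1 remote-address=203.0.113.2 \
    ipsec-secret="PLACEHOLDER_PSK"
/ip address
add address=172.16.0.1/30 interface=gre1
/ip route
add dst-address=10.10.10.0/24 gateway=gre1
```

Two things worth checking after applying the tunnel-mode part: `/ip firewall nat print` should list the accept rule above the masquerade rule (rule order is what makes it work), and `/ip ipsec policy print` should show the policy as active once traffic flows; if the remote side sees packets arriving from 203.0.113.1 instead of 192.168.88.x, the accept rule is not matching first. The accept rule exempts VPN-bound traffic from NAT only, not from the filter chains, so forward-chain filtering still applies to it. Newer RouterOS releases also offer an `ipsec-policy=out,none` matcher that can be put on the masquerade rule itself instead of a separate accept rule; confirm your version supports it before relying on it.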
