Hello All,
I have an issue with the implementation of source NAT over an IPSEC tunnel.
These addresses are used for the IPSEC VPN between my site and the remote site:
52.0.14.116/32 Remote public address
62.216.146.250 My public address
This address is for the LAN bridge interface of the Mikrotik:
10.10.10.1/24
This is my server address:
10.10.20.20
This is the remote server:
192.168.1.21/32
This is the address with which I should NAT my server 10.10.20.20:
115.249.109.170
My server 10.10.20.20 is routed to the Mikrotik LAN network 10.10.10.0/24 from another internal router in my network.
set routing-options static route 192.168.1.21/32 next-hop 10.10.10.254 (this router has an L3 interface with address 10.10.10.254).
My server is a VM on a VMware ESXi host; the ESXi host is connected to a switch, and on the switch the layer 3 interface for the gateway of the network 10.10.20.0/24 (10.10.20.254) is defined.
Between the switch and the other router I have OSPF.
The OSPF IP on the router is 10.10.100.1 and on the switch it is 10.10.100.2.
This router and the Mikrotik see each other as directly connected.
You can skip this detail, but for more information I will provide it:
The Mikrotik router is also a VM under a VMware ESXi host.
The Mikrotik router receives its WAN and LAN over VLANs from the Juniper router with IP 10.10.10.254.
The Juniper router is the core router with a zone-based firewall.
The Mikrotik router is placed in Zone A.
My server 10.10.20.20 is in Zone B.
Between zones A and B, traffic is accepted from 10.10.20.20 to 10.10.10.0/24.
I also have a zone for WAN communications.
The zone is untrust to untrust.
There I accept the traffic between the WAN IP address of the Mikrotik and the remote site for the IPSEC VPN.
In the end:
The goal is to forward the traffic from my server 10.10.20.20 to the remote server 192.168.1.21 through the IPSEC VPN, with the source of my server 10.10.20.20 NATed to IP address 115.249.109.170.
For now, the situation is that the IPSEC VPN is established between the remote site 52.0.14.116/32 and my site 62.216.146.250.
When I initiate traffic from my server 10.10.20.20 to the remote server behind the IPSEC VPN, I see only that my packets reach the Mikrotik router on its local interface 10.10.10.1, and then I see a timeout.
I also see this in the logs for source NAT:
srcnat: in:LAN out:WAN, connection-state:new src-mac 00:10:db:ff:10:00, proto TCP (SYN), 10.10.20.20:65355->192.168.1.21:1313, len 52
And here I suspect my server is not source NATed with 115.249.109.170 through the IPSEC VPN.
The remote site expects me to use address 115.249.109.170.
This is my configuration:
# nov/10/2022 13:44:24 by RouterOS 7.4.1
# software id =
#
/interface bridge
add name=Remotesite
add name=LAN
add name=WAN
/interface ethernet
set [ find default-name=ether2 ] disable-running-check=no name=ether1
set [ find default-name=ether1 ] disable-running-check=no name=ether2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
name=IPSEC prf-algorithm=sha256
/ip ipsec peer
add address=52.0.14.116/32 comment="To remote Site" exchange-mode=ike2 \
local-address=62.216.146.250 name=To remote site profile=IPSEC
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=23h name=\
Default pfs-group=ecp521
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=WAN interface=ether1
add bridge=LAN interface=ether2
/ipv6 settings
set disable-ipv6=yes
/ip address
add address=62.216.146.250/29 interface=WAN network=62.216.146.0
add address=10.10.10.1/24 interface=LAN network=10.10.10.0
add address=115.249.109.170 interface=SourceNATLoo network=115.249.109.170
/ip dhcp-client
add interface=*1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input dst-address=62.216.146.250 src-address=\
52.0.14.116
/ip firewall nat
add action=src-nat chain=srcnat comment="Source NAT to Remote Site" log=yes \
src-address=10.10.20.20 to-addresses=115.249.109.170
/ip ipsec identity
add auth-method=digital-signature certificate=\
letsencrypt-autogen_2022-11-10T13:03:00Z comment="Identity for Remote site" \
peer=To remote Site remote-id=fqdn:MYVPN.example-example.example.us
/ip ipsec policy
add comment="For traffic between me and remote site through VPN Tunnel " dst-address=192.168.1.21/32 \
level=use peer=To remote Site proposal=Default src-address=115.249.109.170/32 \
tunnel=yes
/ip route
add comment="Route all networks through WAN address 62.216.146.240 of our current \
Mikrotik" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
62.216.146.240 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10
add comment="Route to my server through GW 10.10.10.254 (SRX L3 address v\
lan 624)" disabled=no distance=1 dst-address=10.10.20.20/32 gateway=\
10.10.10.254 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=letsencrypt-autogen_2022-11-10T13:03:00Z
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Sofia
Could you share your opinion regarding the topic?
Any guidance for troubleshooting?
Thank you in advance.
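As an added troubleshooting aid (not part of the original post or of RouterOS), the script below parses the quoted srcnat log line and checks the pre-NAT and post-NAT address pairs against the posted IPsec policy selectors. It assumes, as RouterOS firewall logging does, that the srcnat log entry shows the packet as it matched the rule, i.e. before the source address is translated, so the 10.10.20.20 in the log does not by itself show that the NAT rule failed; what matters is whether the translated pair falls inside the policy.

```python
import ipaddress
import re

# Log line quoted in the post (constructed copy for offline use).
LOG_LINE = ("srcnat: in:LAN out:WAN, connection-state:new src-mac 00:10:db:ff:10:00, "
            "proto TCP (SYN), 10.10.20.20:65355->192.168.1.21:1313, len 52")

# NAT rule and IPsec policy selectors as they appear in the posted export.
NAT_RULE = {"src-address": "10.10.20.20", "to-addresses": "115.249.109.170"}
IPSEC_POLICY = {"src-address": "115.249.109.170/32", "dst-address": "192.168.1.21/32"}

FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_flow(line):
    """Return (src_ip, src_port, dst_ip, dst_port) from a RouterOS firewall log line."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError("no src->dst address pair found in log line")
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def apply_srcnat(src_ip, rule):
    """Translate the source if the rule's src-address matches (the logged packet is pre-translation)."""
    if ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src-address"]):
        return rule["to-addresses"]
    return src_ip


def policy_matches(src_ip, dst_ip, policy):
    """True if the (src, dst) pair falls inside the policy's src/dst selectors."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(policy["src-address"])
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(policy["dst-address"]))


def check(line, rule=NAT_RULE, policy=IPSEC_POLICY):
    """Compare the logged (pre-NAT) and translated (post-NAT) pairs against the IPsec policy."""
    src, _, dst, _ = parse_flow(line)
    translated = apply_srcnat(src, rule)
    return {"logged_src": src,
            "translated_src": translated,
            "pre_nat_matches_policy": policy_matches(src, dst, policy),
            "post_nat_matches_policy": policy_matches(translated, dst, policy)}


if __name__ == "__main__":
    for key, value in check(LOG_LINE).items():
        print(f"{key}: {value}")
```

If the post-NAT pair matches but traffic still times out, the next things to verify on the router are whether the policy shows as active (`/ip ipsec policy print` in the post's own CLI) and whether the return path for 115.249.109.170 exists, since the log line alone cannot distinguish those.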