Hi, guys!
I have a question that I have been pondering for a few days now, with very limited success, on my company's RB2011L w/ ROS v6.25.
I have a service provider which requires that we set up an IPSec tunnel to their VPN gateway in order to access the service they're offering. But since my local subnet of 192.168.0.0/24 overlaps with some other network on their side, they ask me to set up the tunnel as if it were coming from, say, 10.10.10.0/24. I have over 50 users on the LAN side, several servers, plus another IPSec tunnel, so changing LAN addresses is out of the question.
I have set up the IPSec policies, peers and proposals. From the router's Tools/Ping I get a response from the service provider's endpoint if I set the source address to 10.10.10.1, and the SAs are populating. But I totally can't get ping to work from any PC on the LAN. I am sure that the problem is in telling the router to change the destination IP address (192.168.0.0/24 -> 10.10.10.0/24) for packets travelling from the LAN to the service provider and back. I have tried to set up the 10.10.10.0/24 subnet as a second IP address on the bridge-local interface, then set up NAT with netmap or srcnat/dstnat actions for this traffic. Nothing gets me past the router's own ping ability (as above).
Can someone point me in the right direction? I wouldn't believe this can't be done! Or am I just dreaming?
Pete
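A worked RouterOS v6 configuration for the netmap approach Pete describes, added here as an illustration; it is not part of Pete's post and not a MikroTik-provided example. Only 192.168.0.0/24 (the real LAN) and 10.10.10.0/24 (the range the provider wants to see) come from the post. Everything else is an assumed placeholder: the provider's protected subnet 172.16.0.0/24, their VPN gateway 203.0.113.1, this router's public address 198.51.100.2, the proposal parameters and the pre-shared key. The peer syntax is the pre-6.43 form that matches ROS v6.25.

```routeros
# Added example, not from the original post. Placeholder values:
#   192.168.0.0/24  - the real LAN (from the post)
#   10.10.10.0/24   - the range the provider expects to see (from the post)
#   172.16.0.0/24   - the provider's protected subnet   (ASSUMED placeholder)
#   203.0.113.1     - the provider's VPN gateway        (ASSUMED placeholder)
#   198.51.100.2    - this router's public address      (ASSUMED placeholder)

# 1. Phase 1 / phase 2 parameters. These must match whatever the provider
#    specifies; the algorithms below are placeholders, not a recommendation
#    for any particular provider.
/ip ipsec proposal
add name=provider-prop auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=modp1024

/ip ipsec peer
add address=203.0.113.1/32 auth-method=pre-shared-key secret="CHANGE-ME" \
    exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024

# 2. The policy is written in terms of the TRANSLATED source range.
#    RouterOS does the IPsec policy lookup after srcnat, so at that point the
#    packet already carries a 10.10.10.x source, not 192.168.0.x.
/ip ipsec policy
add src-address=10.10.10.0/24 dst-address=172.16.0.0/24 tunnel=yes \
    sa-src-address=198.51.100.2 sa-dst-address=203.0.113.1 proposal=provider-prop

# 3. 1:1 address translation, limited to traffic for the provider's subnet.
#    netmap keeps the host part, so 192.168.0.25 <-> 10.10.10.25 (both sides
#    must be the same prefix length). place-before=0 puts the rules at the top
#    of the chain: if a general masquerade rule matched first, the packet would
#    leave with the WAN address and never match the policy above.
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=172.16.0.0/24 \
    action=netmap to-addresses=10.10.10.0/24 comment="LAN -> provider" place-before=0
# Reverse mapping, only needed for connections the provider initiates towards 10.10.10.x.
# Replies to LAN-initiated connections are untranslated by connection tracking already.
add chain=dstnat src-address=172.16.0.0/24 dst-address=10.10.10.0/24 \
    action=netmap to-addresses=192.168.0.0/24 comment="provider -> LAN" place-before=0

# 4. Checks while a LAN PC pings 172.16.0.x:
/ip firewall nat print stats      # the "LAN -> provider" counters should rise
/ip ipsec policy print            # ph2-state should become "established"
/ip ipsec installed-sa print      # byte counters rising for both SA directions
```

Two practical notes. First, the router's own Tools/Ping with source 10.10.10.1 works without any of the NAT rules because that address is assigned locally; LAN hosts need the srcnat netmap rule to be hit before the existing masquerade rule, which is why the counters in step 4 are the first thing to look at. Second, the dstnat netmap rule exposes every LAN host to the provider's subnet through the tunnel, so pair it with forward-chain filter rules that allow only the hosts and ports the service actually needs, and keep the peer pinned to the provider's exact /32 address.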