 
BrandonSk
newbie
Topic Author
Posts: 45
Joined: Wed May 06, 2015 12:21 am

site to site ipsec, both MikroTiks with non-routable IPs on WAN, public IPs NATed

Wed May 06, 2015 12:46 am

Hello everyone.

I am more or less successfully coping with a site-to-site IPsec tunnel where both routers have a non-routable address on the WAN side, but have a public IP NATed to them.

I started with the basic setup from Greg's website http://gregsowell.com/, which (as expected) did not work right off. Then I started experimenting with different settings (based on what I saw in the logs). I can't really say I knew exactly what I was doing, but I sort of had an idea why :)

Now I am in a situation where I have a tunnel established... better to say, I have 2 tunnels established. But it does not work, as I suppose that traffic (ping) is going one way through tunnel 1 and wants to return via tunnel 2, where it gets discarded. I really would prefer to have just one tunnel (if possible), and I suspect that some IP mangling needs to be done on the traffic to the other router (not the IPsec interesting traffic, but the traffic leaving the router).

Well, here is the setup:
LAN1    <-------->    LAN [Mikrotik 1] WAN -->>> Internet <<<-- WAN [Mikrotik 2] LAN <--------> LAN2
10.201.1.0/24     10.201.1.1      192.168.4.96                10.56.166.24  10.201.2.1        10.201.2.0/24
Mapped public IPs                      1.1.1.1                     2.2.2.2
Just to make sure: the mapped public IPs are addresses that I can use to access the routers from the internet, and of course these are not the real ones.

Setup Mikrotik 1
Policy:
Src Address: 10.201.1.0/24
Dst Address: 10.201.2.0/24
SA Src Address: 192.168.4.96
SA Dst Address: 2.2.2.2

Peer:
Address: 2.2.2.2
Generate policy: no
Here I also tried both of the other settings, Port override and Port strict. Neither helped.
Nat traversal: no

Setup Mikrotik 2
Policy:
Src Address: 10.201.2.0/24
Dst Address: 10.201.1.0/24
SA Src Address: 10.56.166.24
SA Dst Address: 1.1.1.1

Peer:
Address: 1.1.1.1
Generate policy: no
Here I also tried both of the other settings, Port override and Port strict. Neither helped.
Nat traversal: no

All other settings are identical on both routers.
Perhaps I should mention that the firewall on both includes this rule in the srcnat chain:
Src address 10.201.1.0/24 (or 10.201.2.0/24)
Dst address 10.201.0.0/16
Action accept

Final note - yes, when pinging from MikroTik to MikroTik I use a source IP from the LAN range. I also tried pinging MikroTik 1 from a client in LAN2, but also no luck.

So this is where I stand and can't move on. I was thinking of mangling outgoing traffic to replace the non-routable WAN IP with the public IP (I suppose limiting it to traffic destined to 1.1.1.1, resp. 2.2.2.2). But I am not sure if it is the right way, nor how to do it.

Any help is appreciated.

Cheers,
Brandon.
 
BrandonSk
newbie
Topic Author
Posts: 45
Joined: Wed May 06, 2015 12:21 am

[SOLVED] Re: site to site ipsec, both MikroTiks with non-routable IPs on WAN, public IPs NATed

Thu May 07, 2015 12:29 am

Well,
no response means (1) impossible to solve; (2) I've asked something dumb...
Anyway, I think I solved it myself. In fact, the above setup is a correct one. I found out by accident, thanks to playing with packet mangling. I tried packet mangling, but that yielded no results.

So I returned to the previous config above. Then I tried pings - no luck. But in the "IPsec window" I went to the "Remote peers" tab and killed all connections on both MikroTiks.

Then I went to ping from LAN2 into LAN1 - timeout. But when trying the other way, suddenly it worked. What's even better, after the LAN1->LAN2 ping started working, the LAN2->LAN1 ping also started to work. Miracle? Maybe, but it works.

So to make this a worthwhile thread, I decided to make a small how-to. Whoever is in charge, feel free to add this to wiki pages if you find it useful.

Step 0 - the network situation.
0-Diagram.png
Step 1 - setup the srcnat on both Mikrotiks
1-SrcNAT.png
Step 2 - Define IPSEC policies
2-IPSEC-policy.png
Continues in the next post...
 
BrandonSk
newbie
Topic Author
Posts: 45
Joined: Wed May 06, 2015 12:21 am

Re: site to site ipsec, both MikroTiks with non-routable IPs on WAN, public IPs NATed

Thu May 07, 2015 12:36 am

...continues

Step 3 - Define IPSEC peers
3-IPSEC-peer.png
Step 4 - Make sure your proposals are the same
4-IPSEC-proposal.png
Notes
1) Adjust your WAN and public IPs appropriately to your situation.
2) The tunnel does not come up automatically. Try pinging from a device in LAN1 to a device in LAN2 and vice versa.
3) If you are pinging from MikroTik to MikroTik, do not forget to set the source address to your LAN range.

I did the above mentioned setup from scratch, so it should work as described.

I am using default configs. Once your tunnel is up and working, go ahead and make your own proposal, etc., to increase security over the default one.

Happy tunneling :D

Cheers,
B.

PS: This will work as long as your ISP does not change your assigned WAN IP. But if you are using a public IP as described in the diagram above, it is likely that your ISP is using static assignments...
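The four steps above (and the setup listed in the first post) written out as RouterOS 6 terminal commands, so they can be checked without the screenshots. This is an added example, not the poster's own export: the addresses are the placeholders from the first post's diagram, the pre-shared key is a placeholder, the default proposal is used on both sides as the post says, and the exchange mode and the position of the srcnat accept rule are assumptions.

```routeros
# ===== MikroTik 1: LAN 10.201.1.0/24, WAN 192.168.4.96, public 1.1.1.1 NATed to it =====

# Step 1 - srcnat accept rule for LAN-to-LAN traffic.
# Assumption: it is placed before the masquerade rule (place-before=0). If the
# masquerade rule matched first, the source address would be rewritten to the WAN
# address and the packet would no longer match the IPsec policy selector.
/ip firewall nat
add chain=srcnat src-address=10.201.1.0/24 dst-address=10.201.0.0/16 action=accept place-before=0

# Step 2 - IPsec policy. The traffic selector is LAN1 -> LAN2. The SA source is the
# local, non-routable WAN address; the SA destination is the peer's PUBLIC address.
/ip ipsec policy
add src-address=10.201.1.0/24 dst-address=10.201.2.0/24 \
    sa-src-address=192.168.4.96 sa-dst-address=2.2.2.2 \
    tunnel=yes action=encrypt proposal=default

# Step 3 - IPsec peer: generate-policy=no and nat-traversal=no, as in the thread.
# PRESHARED_KEY_PLACEHOLDER is a placeholder and must be identical on both routers.
/ip ipsec peer
add address=2.2.2.2/32 secret="PRESHARED_KEY_PLACEHOLDER" exchange-mode=main \
    generate-policy=no nat-traversal=no

# Step 4 - the proposal named "default" is left unchanged on both routers, so the
# two sides agree. Compare the output of this command on both MikroTiks.
/ip ipsec proposal print

# ===== MikroTik 2: LAN 10.201.2.0/24, WAN 10.56.166.24, public 2.2.2.2 NATed to it =====
# Same steps with the sides mirrored.
/ip firewall nat
add chain=srcnat src-address=10.201.2.0/24 dst-address=10.201.0.0/16 action=accept place-before=0
/ip ipsec policy
add src-address=10.201.2.0/24 dst-address=10.201.1.0/24 \
    sa-src-address=10.56.166.24 sa-dst-address=1.1.1.1 \
    tunnel=yes action=encrypt proposal=default
/ip ipsec peer
add address=1.1.1.1/32 secret="PRESHARED_KEY_PLACEHOLDER" exchange-mode=main \
    generate-policy=no nat-traversal=no

# ===== Bringing the tunnel up and checking it (either router) =====
# Notes 2) and 3): the tunnel is triggered by matching traffic, and a ping sent from
# the router itself must use a LAN source address or it will not match the policy.
/ping 10.201.2.1 src-address=10.201.1.1 count=5
# Established phase-1 peers and installed SAs; the post's "kill all connections" step
# from the Remote Peers tab is the last command.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec remote-peers kill-connections
```

Two things to check against the symptom in the first post: `/ip ipsec installed-sa print` should show one SA pair per direction, not two independent sets, and the ping only triggers the tunnel when its source address falls inside the policy's `src-address`, which is why a plain ping from the router (sourced from the WAN address) never brings it up.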
 
BrandonSk
newbie
Topic Author
Posts: 45
Joined: Wed May 06, 2015 12:21 am

Re: site to site ipsec, both MikroTiks with non-routable IPs on WAN, public IPs NATed

Thu May 07, 2015 11:57 am

Well, whatever happened, the pictures got reshuffled and do not correspond to the actual steps (I am sure I inserted them correctly).

Anyway, it is still valid, just match the picture (filename below the picture) to the correct step. The filename always starts with the step number - e.g. 0-..., 1-..., etc.

Cheers,
B.