Use different src-address (subnet) for IPsec policy

Posted: Thu Mar 31, 2022 9:13 pm
by OriiOn
I need to set up a new VPN with a partner (using a Cisco ASA), and they say the network endpoint I want to use 192.168.2.0/24 is already in use. They ask me to use a different network like 192.168.22.0/24, or maybe even only a single address 192.168.22.20/32. How would I do that?

Re: Use different src-address (subnet) for IPsec policy  [SOLVED]

Posted: Thu Mar 31, 2022 9:37 pm
by Sob
a) Renumber your network and everything in it
b) NAT is your friend:
/ip firewall nat
add chain=dstnat src-address=<remote subnet> dst-address=192.168.22.0/24 action=netmap to-addresses=192.168.2.0/24
add chain=srcnat src-address=192.168.2.0/24 dst-address=<remote subnet> action=netmap to-addresses=192.168.22.0/24

Re: Use different src-address (subnet) for IPsec policy

Posted: Wed Apr 06, 2022 6:57 am
by mjch
... ok, I've been struggling with this exact issue for the last month or so ... I guess I wasn't expecting to need a _second_ nat rule to do the reverse.

I do have one final question though - which network block needs to be on my local end of the IPSec policy? Using the example CIDRs here, would I want the non-NAT block (192.168.2.0/24) or the NAT block (192.168.22.0/24)? I'm assuming we want the policy to match traffic after the NAT rule has taken effect, so the policy should match 192.168.22.0/24 source addresses?

UPDATE - yes, this worked, I now have a functional IPSec tunnel with a policy for 192.168.22.0/24 and NATted traffic traversing it
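Added illustration, not part of the thread and not RouterOS code: a small Python model of what Sob's two netmap rules do to a packet in each direction, and of why mjch's policy has to select the post-NAT block. The remote subnet 10.99.0.0/24 and the hosts used are constructed placeholders; the partner's real prefix is not given in the thread.

```python
import ipaddress

# Constructed values mirroring the thread: the real LAN, the block the partner
# wants to see, and an ASSUMED remote subnet (placeholder, not from the thread).
REAL_LAN = "192.168.2.0/24"
NAT_LAN = "192.168.22.0/24"
REMOTE = "10.99.0.0/24"


def netmap(addr, from_net, to_net):
    """1:1 translation the way action=netmap does it: keep the host bits,
    swap the network part. Both prefixes must be the same size, so a /32
    pair (as in the 192.168.22.20/32 variant) maps exactly one host."""
    addr = ipaddress.ip_address(addr)
    from_net, to_net = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs equal-sized prefixes")
    if addr not in from_net:
        return str(addr)  # rule does not match, packet left untouched
    host_bits = int(addr) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + host_bits))


def outbound(src, dst):
    """LAN -> partner (the srcnat rule). srcnat runs before the IPsec policy
    lookup, so the policy sees the translated source address."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(REMOTE):
        src = netmap(src, REAL_LAN, NAT_LAN)
    return src, dst


def inbound(src, dst):
    """Partner -> LAN (the dstnat rule). The partner-facing address is
    rewritten back to the real host before the packet is routed."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(REMOTE):
        dst = netmap(dst, NAT_LAN, REAL_LAN)
    return src, dst


def policy_matches(src, dst, local_net):
    """IPsec policy selector src-address=local_net dst-address=REMOTE,
    evaluated on the addresses the policy actually sees."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(REMOTE))


if __name__ == "__main__":
    s, d = outbound("192.168.2.20", "10.99.0.5")
    print(s, d, policy_matches(s, d, NAT_LAN))   # 192.168.22.20 10.99.0.5 True
    print(policy_matches(s, d, REAL_LAN))        # False: pre-NAT block never matches
    print(inbound("10.99.0.5", "192.168.22.20"))  # ('10.99.0.5', '192.168.2.20')
```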