I have an unusual situation here. I am adding a new application service provider to a customer's router configuration. The problem I have is that 192.168.0.0 is configured on both sides of the peer IPSec VPN. This is the address scheme used at hundreds of the customer's branch locations. The application service provider insists that if I don't use NAT to allow the branch network to communicate with the remote network, the connection will not work. I agree with them.
To implement the NAT, I am trying to use a VLAN adapter to hold the neutral IP (172.16.0.0/27). From there I need to NAT the local network (192.168.0.0/27) to VLAN1 (out interface). Since the VLAN interface is holding the IP configured in the peer IPSec policy setting, any data sent to the VLAN interface should transport to the remote network.
With the configuration below, I am able to ping the remote network from the router using the VLAN interface. However, I am not able to get data to flow from the local network to the remote network. I can ping the VLAN interface from the local network.
Is there a way to implement NAT in this manner on Mikrotik?
Is there a better way to do this?
TIA Jon
#===================
#Interfaces
#===================
/interface ethernet
#=======================
#Rename ether1 to public
set 0 name=public
#=======================
#Rename ether2 to internal
set 1 name=internal
#=======================
#Rename ether3 to spare
set 3 name=spare
#================================
#Add VLAN Interface for IPSec NAT
#================================
/interface vlan
add name=vlan1 vlan-id=1 interface=spare
#============
#IP Addresses
#============
/ip address
add address=1.0.0.2/28 disabled=no interface=public
add address=192.168.0.1/27 disabled=no interface=internal
add address=172.16.0.1/27 disabled=no interface=vlan1
#==============
#Define Gateway
#==============
/ip route
add dst-address=0.0.0.0/0 gateway=1.0.0.14
#??????????????????????????????????????????????????????
#Do I need a routing rule for the internal to vlan NAT?
#??????????????????????????????????????????????????????
#????????????????????????????????????????????????????????????
#Do I need a routing rule for the internal to remote network?
#????????????????????????????????????????????????????????????
#=========
#NAT Rules
#==========
/ip firewall nat
#====================
#NAT Bypass for IPSEC
add chain=srcnat src-address=172.16.0.0/27 dst-address=10.10.10.0/27 action=accept
#===========================================================
#NAT rule for remote network (untested, probably won't work)
add chain=srcnat dst-address=10.10.10.0/27 out-interface=vlan1 action=masquerade
#======================================
#NAT rule for accessing public internet
add chain=srcnat out-interface=public action=masquerade
#=================
#Peer IPSec Config
#=================
/ip ipsec peer
add address=2.0.0.2/27:500 secret="insertsharedkeyhere" \
enc-algorithm=aes-256 hash-algorithm=sha1
/ip ipsec proposal
set default auth-algorithms=md5 enc-algorithms=3des
/ip ipsec policy
add src-address=10.10.10.0/27 dst-address=172.16.0.0/27 action=encrypt \
tunnel=yes sa-src=1.0.0.2 sa-dst=2.0.0.2
#=============================================================
#firewall rules to permit VPN traffic and private traffic
#(worked without it, but I have no firewall rules loaded yet)
#=============================================================
/ip firewall filter
add action=accept chain=input disabled=no protocol=ipsec-esp src-address=2.0.0.2
add action=accept chain=customer disabled=no dst-address=172.16.0.1/27 \
in-interface=public out-interface=vlan1 src-address=10.10.10.0/27
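As an added example that is not part of Jon's post, this is the way RouterOS is normally configured for overlapping subnets: a 1:1 netmap of the branch LAN into the neutral range in srcnat (which runs before the IPsec policy is matched) and the reverse netmap in dstnat for decrypted return traffic. Addresses and sa-src/sa-dst values are taken from the post; it assumes the provider's policy is the mirror image (src 10.10.10.0/27, dst 172.16.0.0/27) and that the peer and proposal settings stay as posted.

```routeros
# Added example, not the poster's own config: 1:1 netmap of the branch LAN
# (192.168.0.0/27) into the neutral range (172.16.0.0/27) for traffic to the
# provider's 10.10.10.0/27. All addresses come from the post.

/ip firewall nat
# Outbound: rewrite branch sources into the neutral range BEFORE the IPsec
# policy is matched, so the policy sees 172.16.0.x -> 10.10.10.x.
# place-before=0 keeps this rule ahead of the masquerade-to-public rule;
# netmap is a terminating NAT action, so the masquerade never sees these packets.
add chain=srcnat src-address=192.168.0.0/27 dst-address=10.10.10.0/27 \
    action=netmap to-addresses=172.16.0.0/27 place-before=0

# Inbound: after decryption, map traffic for the neutral range back onto the
# real LAN addresses (netmap preserves the host part, so .5 stays .5).
add chain=dstnat src-address=10.10.10.0/27 dst-address=172.16.0.0/27 \
    action=netmap to-addresses=192.168.0.0/27

/ip ipsec policy
# Local (post-NAT) range first, remote range second. The provider's policy
# must be the mirror image: src 10.10.10.0/27, dst 172.16.0.0/27.
add src-address=172.16.0.0/27 dst-address=10.10.10.0/27 action=encrypt \
    tunnel=yes sa-src=1.0.0.2 sa-dst=2.0.0.2
```

Because the source is rewritten before policy matching, the policy matches on the post-NAT address regardless of which interface carries it, so the vlan1 interface and the masquerade on it are not required for the tunnel itself. The srcnat accept rule from the post becomes redundant once the netmap rule sits ahead of the masquerade.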