scriptcypher
just joined
Topic Author
Posts: 4
Joined: Wed May 22, 2013 7:02 am

NAT packets through ipsec tunnel

Wed May 22, 2013 8:11 am

Hello everyone,

I am using the following: v5.22 on RB750GL

I have an ipsec tunnel established between the mikrotik and a cisco network at the other end that is not under my control.
I have been requested to NAT all of the traffic I am sending through the tunnel to a single src address that is routed through the cisco network.

I believe I have this setup properly with the following NAT rule

Chain: srcnat
src. Address: (/24 My Lan subnet)
Dst. Address: (/24 Subnet of the remote cisco network that I am accessing)
Action: src-nat
To Address: (/32 IP the cisco network admins gave us to NAT our ipsec traffic through)

When I send ICMP requests or perform a traceroute on any IP in the /24 cisco network from my lan I see the packets being sent and the packet count rising on the above rule, however I do not get any replies.
I have not yet gotten confirmation from the cisco admins if they are receiving these packets on their end or not.

I believe the machines at the other end are receiving those packets, and replying to them with the destination address set to the IP that we are natting our traffic through.
Past this if the packets are directed back over the ipsec tunnel I'm not sure if the router would know which internal PC to forward the packet back to.
There also is currently no interface on the router configured with that IP.

Am I missing a rule here? Or am I just way off?

Thanks for any assistance you can provide.
:)
 
scriptcypher
just joined
Topic Author
Posts: 4
Joined: Wed May 22, 2013 7:02 am

Re: NAT packets through ipsec tunnel

Wed May 22, 2013 9:41 pm

Has anyone ever tried to do this?
I just need to know if it's going to be possible or not.
This is advanced ipsec configuration but it seems like something that we should be able to do.
 
docmarius
Forum Guru
Posts: 1224
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: NAT packets through ipsec tunnel

Wed May 22, 2013 10:34 pm

Do your firewall rules allow forwarding of the response packets from the tunnel to the internal network?
Also try to use masquerade instead of src-nat...
 
scriptcypher
just joined
Topic Author
Posts: 4
Joined: Wed May 22, 2013 7:02 am

Re: NAT packets through ipsec tunnel

Wed May 22, 2013 11:12 pm

The problem with masquerade is that it uses an interface and IP that is assigned to that interface to NAT with.
Because this is an ipsec tunnel there is no physical or virtual interface for the connection.

This is a cisco thing and I'm trying to replicate it on Mikrotik but I'm not sure if it's possible.
 
siuslawbb
newbie
Posts: 33
Joined: Thu May 19, 2011 9:45 pm

Re: NAT packets through ipsec tunnel

Wed Dec 18, 2013 4:58 am

Just stumbled on this post and I have the exact issue. Tunnel is up, SAs are installed, but I need to NAT my LAN out the tunnel to a single IP. Masquerade would work if the IPSec tunnel had a local interface with the NAT IP assigned to it. Since we don't have an interface when the ipsec tunnel is built, that doesn't work. We tried the same thing to src-nat out but it doesn't work.

Anyone else have a wonderfully easy (or even moderately challenging) solution to this?
 
scriptcypher
just joined
Topic Author
Posts: 4
Joined: Wed May 22, 2013 7:02 am

Re: NAT packets through ipsec tunnel

Wed Dec 18, 2013 5:03 am

I wish!
I never did get this to work, I was really wanting to be able to use a $50 device for this VPN tunnel but we just couldn't get it to work. This was to be used for an eChart medical service.

We ended up getting a $400 Fortinet that allowed us to easily NAT through a specific IP just like we needed.

If anyone knows a way to make this work I'd love to know.
 
siuslawbb
newbie
Posts: 33
Joined: Thu May 19, 2011 9:45 pm

Re: NAT packets through ipsec tunnel

Wed Dec 18, 2013 9:40 am

scriptcypher, looks like I just figured it out.

Basically, nat'ing happens before the ipsec policy. So take your local LAN subnet and src-nat it out to the NAT IP provided by the Cisco you do not control. In the IPSec policy, rather than having your LAN subnet at the local src address, set it to the NAT IP provided by the other company. I just about fell out of my chair when I got it to work. I've been Googling all day trying to piece together a way to make it work too and finally figured it out!
 
mjgraham
just joined
Posts: 11
Joined: Thu Oct 16, 2014 1:17 am

Re: NAT packets through ipsec tunnel

Thu Oct 16, 2014 6:17 am

I hate to whip up an old thread, but maybe there are some new eyes out there. I had already done what was described in the last post; I have set up many of these setups with ASAs already but wanted to try a much cheaper alternative. I can get this to work to a point: while you do have to do a srcnat, change the IP and build your tunnel for that, from the mikrotik side it works fine. I can ping stuff on the remote end and all is well. However, when the other side pings my side, they're pinging the nat address, and I see that address come across the tunnel and show up on the outside interface. I have tried all sorts of nat stuff to try to convert it back to the correct IP but no luck. I guess when I send from my end it knows what to look for when they come back, but when they start somewhere else it doesn't know.

Anyway, if anyone has any ideas; it may just be something simple I am missing.
thanks
 
siuslawbb
newbie
Posts: 33
Joined: Thu May 19, 2011 9:45 pm

Re: NAT packets through ipsec tunnel

Thu Oct 16, 2014 8:36 pm

mjgraham, in your ipsec policy, set the src address to that nat'd ip on the other side of the tunnel. The dst addy will be the subnet at the other location. The sa src addy is your public and the sa dst addy is the public on the other firewall.

In ip firewall nat have a policy like this:

chain=srcnat action=src-nat to-addresses=NAT IP the other side is expecting (should be the src addy in ipsec policy)
src-address-list=internal lan subnet dst-address-list=remote subnet (should match the dst addy in ipsec policy) log=no
log-prefix=""

Sounds like you may have it this far though. In my use case, the remote end behind a cisco doesn't need to reach my internal lan. If they did, take the above rule and change it to a dst-nat rule. Anything bound for your nat ip on the cisco side coming from your remote subnet, tell it to dst-nat to your lan.
 
mjgraham
just joined
Posts: 11
Joined: Thu Oct 16, 2014 1:17 am

Re: NAT packets through ipsec tunnel

Fri Oct 17, 2014 6:50 am

Thanks for your input. I did actually get it working today: saved the config, started both ends fresh and did what I thought I had done, and it didn't work, but I think what it was is the order they are in the firewall list. I will put the config up when I get it for sure. The bad thing is it was one of those "I know I tried this 100 times" cases that then starts working for no reason.
You're right, I had a srcnat to send my ip to them and a dstnat when they come back to me, but for some reason it never hit the dstnat. I could see the packet on my end but it didn't know what to do with it. Anyway, we will see tomorrow; I was just lucky to have an asa to test with.
 
mjgraham
just joined
Posts: 11
Joined: Thu Oct 16, 2014 1:17 am

Re: NAT packets through ipsec tunnel

Sat Oct 18, 2014 4:05 am

Well, I don't understand: I have redone the setups 5 times on both ends and it works fine, just like it should have the first time. Here is a little background on this test. Normally I would not have access to anything on the remote end, so until I test in the field I will have to assume that it will work; it did on the test bed.

my network: 192.168.1.0/24
remote network: 192.168.2.1/24

my outside ip: 1.1.1.1/30
remote ip :1.1.1.2/30

nat 192.168.1.3 -> 10.1.1.3

Here are the commands that I used to set it up. Other things I learned seem obvious, but in a test setup you don't always think about them, like default routes: yeah, they're plugged right into each other, but it makes a difference. Anyway, if anyone needs it or has questions, here is what I did. I was able to push about 17Mbit encrypted through this with aes-256; 128 was a little faster at 19Mbit and 3DES was about 7Mbit. Pretty good for a $60 device.

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr

/ip firewall filter
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input in-interface=ether1 src-address=1.1.1.2
add action=drop chain=input in-interface=ether1 log=yes log-prefix=input-drop-
add chain=forward dst-address=10.1.1.3 in-interface=ether1 src-address=192.168.2.0/24
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid log=yes log-prefix=forward-invalid-
/ip firewall nat
add action=src-nat chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.1.3 to-addresses=10.1.1.3
add action=dst-nat chain=dstnat dst-address=10.1.1.3 src-address=192.168.2.0/24 to-addresses=192.168.1.3
add action=src-nat chain=srcnat dst-address=0.0.0.0 src-address=192.168.1.0/24 to-addresses=1.1.1.1
/ip ipsec peer
add address=1.1.1.2/32 dpd-interval=disable-dpd enc-algorithm=aes-256 nat-traversal=no secret=test send-initial-contact=no
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=1.1.1.2 sa-src-address=1.1.1.1 src-address=10.1.1.3/32 tunnel=yes
/ip route
add distance=1 gateway=ether1
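As an added illustration (not from any poster in this thread, and not RouterOS code), the following Python script models the packet-flow ordering the thread relies on: srcnat runs before the IPsec policy lookup, so the policy src-address must be the NAT IP; replies to flows the LAN opened are reverse-translated by connection tracking; and remote-initiated traffic to the NAT IP needs the explicit dstnat rule or it lands on an address no interface owns. It parses the nat and policy sections of the export posted above (copied in as constructed input) and applies siuslawbb's rule of thumb that the srcnat to-addresses must equal the policy src-address. The `Router` class, the consistency check and the simplified policy/conntrack handling are assumptions of this model, not a description of RouterOS internals.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed input: the nat and policy sections of the export posted above, copied verbatim.
EXPORT = """
/ip firewall nat
add action=src-nat chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.1.3 to-addresses=10.1.1.3
add action=dst-nat chain=dstnat dst-address=10.1.1.3 src-address=192.168.2.0/24 to-addresses=192.168.1.3
add action=src-nat chain=srcnat dst-address=0.0.0.0 src-address=192.168.1.0/24 to-addresses=1.1.1.1
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=1.1.1.2 sa-src-address=1.1.1.1 src-address=10.1.1.3/32 tunnel=yes
"""

ANY = "0.0.0.0/0"


def parse_export(text):
    """Turn 'add key=value ...' lines into dicts, grouped by the '/...' section above them."""
    sections, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return sections


def matches(rule, src, dst):
    """Address match only (hypothetical model): a bare address is a /32, a missing field means any."""
    in_src = ipaddress.ip_address(src) in ipaddress.ip_network(rule.get("src-address", ANY), strict=False)
    in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.get("dst-address", ANY), strict=False)
    return in_src and in_dst


def first_match(rules, src, dst, chain=None):
    for r in rules:
        if (chain is None or r.get("chain") == chain) and matches(r, src, dst):
            return r
    return None


def check_consistency(nat, policies):
    """Thread's rule of thumb: some srcnat rule for the policy's dst-address must translate
    to an address inside the policy src-address, otherwise the NATed packet misses the policy."""
    problems = []
    for p in policies:
        psrc = ipaddress.ip_network(p["src-address"], strict=False)
        covered = any(r.get("chain") == "srcnat" and r.get("dst-address") == p["dst-address"]
                      and ipaddress.ip_address(r["to-addresses"]) in psrc for r in nat)
        if not covered:
            problems.append(f"no srcnat rule translates to {p['src-address']} for {p['dst-address']}")
    return problems


@dataclass
class Router:
    nat: list
    policies: list
    conntrack: dict = field(default_factory=dict)  # (remote, nat_ip) -> original LAN source

    def send_from_lan(self, src, dst):
        """LAN -> remote: srcnat first, then the translated packet is compared to the policies.
        Returns (encrypted, src_on_wire, dst)."""
        rule = first_match(self.nat, src, dst, chain="srcnat")
        wire_src = rule["to-addresses"] if rule else src
        self.conntrack[(dst, wire_src)] = src          # remembered so the reply can be un-NATed
        return (first_match(self.policies, wire_src, dst) is not None, wire_src, dst)

    def receive_from_tunnel(self, src, dst):
        """Remote -> LAN after decryption: must fit a policy in reverse; a reply to a flow we opened
        is un-NATed by conntrack, anything else needs a dstnat rule. Returns (delivered, src, dst)."""
        if not any(matches({"src-address": p["dst-address"], "dst-address": p["src-address"]}, src, dst)
                   for p in self.policies):
            return (False, src, dst)                   # outside every policy: dropped
        if (src, dst) in self.conntrack:
            return (True, src, self.conntrack[(src, dst)])
        rule = first_match(self.nat, src, dst, chain="dstnat")
        if rule is None:
            return (False, src, dst)                   # stays addressed to the NAT IP, which nothing owns
        return (True, src, rule["to-addresses"])


def demo():
    cfg = parse_export(EXPORT)
    nat, policies = cfg["/ip firewall nat"], cfg["/ip ipsec policy"]
    working = Router(nat, policies)
    # The original poster's variant: policy src-address left as the LAN subnet instead of the NAT IP.
    broken = Router(nat, [dict(policies[0], **{"src-address": "192.168.1.0/24"})])
    return {
        "working_problems": check_consistency(nat, working.policies),
        "broken_problems": check_consistency(nat, broken.policies),
        "lan_to_remote": working.send_from_lan("192.168.1.3", "192.168.2.10"),
        "lan_to_remote_broken": broken.send_from_lan("192.168.1.3", "192.168.2.10"),
        "reply": working.receive_from_tunnel("192.168.2.10", "10.1.1.3"),
        "remote_initiated": working.receive_from_tunnel("192.168.2.20", "10.1.1.3"),
        "remote_initiated_no_dstnat": Router([nat[0]], policies).receive_from_tunnel("192.168.2.20", "10.1.1.3"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the two failure modes discussed in the thread side by side: with the policy src-address set to the LAN subnet the NATed packet never matches the policy and is not encrypted, and without the dstnat rule a remote-initiated packet arrives for 10.1.1.3 and is not delivered, while the reply to a LAN-initiated flow still comes back correctly through conntrack alone.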
