On 01/24/2014 01:33 AM, Scott Lambert wrote:
> On Thu, Jan 23, 2014 at 11:09:16AM -0800, Kristian Hoffmann wrote:
>> Not sure if this applies to your configuration, but I recently ran into
>> the same symptom in two similar cases. The short version is, regardless
>> of what the config and logs say, the IPSec packets will have a source IP
>> of the pref-src value for the route matching the IPSec endpoint. Example...
>> /ip addr add address=1.2.3.4/24 interface=wan
>> /ip addr add address=2.2.2.2/32 interface=wan
>> /ip route add dst-address=0.0.0.0/0 gateway=1.2.3.254
This is true if you set the "generate policy" option in the IPSec Peer.
If you manually configure the policy, you define the source IP to be
used as the "SA Src Address" field. While I haven't tried it, I would
imagine that with some creative policy routes and mangle rules, you could
cause the router to use the correct IP to reply to any given request
with the proper IP. This is completely untested, but something like this:
/ip address
add address=1.2.3.4/24 interface=wan
add address=2.2.2.2/32 interface=whatever
/ip route
add gateway=1.2.3.1 comment="default gateway"
add gateway=1.2.3.1 pref-src=2.2.2.2 routing-mark=IPSEC
/ip firewall mangle
add chain=input dst-address=2.2.2.2 \
connection-mark=no-mark \
action=mark-connection \
new-connection-mark=IN_2
add chain=output \
connection-mark=IN_2 \
action=mark-routing \
new-routing-mark=IPSEC
Something like that anyway should work. By the way, this is one of the
topics (policy routing) that we will cover in class shortly in the MTCRE
course in Salt Lake coming up in February.
--
Butch Evans
702-537-0979
Network Support and Engineering
http://store.wispgear.net/
http://www.butchevans.com/
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
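To make the source-address behaviour discussed in this thread concrete, here is an added Python model (not code from the thread, from RouterOS, or from Butch's course) that parses a constructed config written in the thread's export style and works out which source IP a router-originated reply would carry with and without the mangle/routing-mark rules. It assumes the rule Kristian describes (pref-src of the matching route wins, otherwise the egress interface's primary address) and simplifies mangle matching to the dst-address and connection-mark fields shown above.

```python
import ipaddress
import shlex
# Constructed config in the thread's export style (not a real RouterOS export).
CONFIG = """
/ip address
add address=1.2.3.4/24 interface=wan
add address=2.2.2.2/32 interface=wan
/ip route
add gateway=1.2.3.1 comment="default gateway"
add gateway=1.2.3.1 pref-src=2.2.2.2 routing-mark=IPSEC
/ip firewall mangle
add chain=input dst-address=2.2.2.2 connection-mark=no-mark action=mark-connection new-connection-mark=IN_2
add chain=output connection-mark=IN_2 action=mark-routing new-routing-mark=IPSEC
"""

def parse(config):
    """Group 'add key=value ...' lines under their /menu path (values unquoted)."""
    sections, menu = {}, None
    for line in config.strip().splitlines():
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            sections.setdefault(menu, []).append(
                dict(t.split("=", 1) for t in shlex.split(line[4:])))
    return sections

def reply_source(cfg, request_dst, peer, mangle=True):
    """Source IP the router replies to `peer` from, for a connection that hit `request_dst`."""
    cmark, rmark = None, "main"
    rules = cfg.get("/ip firewall mangle", []) if mangle else []
    for r in rules:  # input chain: mark the connection by the address it arrived on
        if r["chain"] == "input" and r.get("dst-address") == request_dst and cmark is None:
            cmark = r["new-connection-mark"]
    for r in rules:  # output chain: a marked connection selects the IPSEC routing table
        if r["chain"] == "output" and cmark and r.get("connection-mark") == cmark:
            rmark = r["new-routing-mark"]
    dst, best = ipaddress.ip_address(peer), None
    for r in cfg["/ip route"]:  # longest-prefix match within the selected table only
        net = ipaddress.ip_network(r.get("dst-address", "0.0.0.0/0"))
        if r.get("routing-mark", "main") == rmark and dst in net and \
                (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    if best is None:
        return None
    if "pref-src" in best[1]:  # the thread's rule: pref-src wins regardless of the request
        return best[1]["pref-src"]
    gw = ipaddress.ip_address(best[1]["gateway"])
    for a in cfg["/ip address"]:  # otherwise the first address on the egress interface
        if gw in ipaddress.ip_interface(a["address"]).network:
            return a["address"].split("/")[0]
```

Calling `reply_source(parse(CONFIG), "2.2.2.2", "203.0.113.10", mangle=False)` reproduces the symptom (reply leaves from 1.2.3.4), while the default `mangle=True` run returns 2.2.2.2 because the IN_2 connection mark steers the lookup into the IPSEC table and its pref-src.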