On 01/23/2014 11:58 PM, Butch Evans wrote:
This is true if you set the "generate policy" option in the IPSec Peer. If you manually configure the policy, you define the source IP to be used as the "SA Src Address" field. While I haven't tried it, I would imagine that, with some creative policy routes and mangle rules, you could cause the router to use the correct IP to reply to any given request with the proper IP. This is completely untested, but something like this:

/ip address
add address=1.2.3.4/24 interface=wan
add address=2.2.2.2/32 interface=whatever
/ip route
add gateway=1.2.3.1 comment="default gateway"
add gateway=1.2.3.1 pref-src=2.2.2.2 routing-mark=IPSEC
/ip firewall mangle
add chain=input dst-address=2.2.2.2 \
    connection-mark=no-mark \
    action=mark-connection \
    new-connection-mark=IN_2
add chain=output \
    connection-mark=IN_2 \
    action=mark-routing \
    new-routing-mark=IPSEC

Something like that anyway should work. By the way, this is one of the topics (policy routing) that we will cover in class shortly in the MTCRE course in Salt Lake coming up in February.

I tried sa-src-address and policy routing. Neither worked for me. The logs say the src address is correct, but torch says otherwise.
-Kristian
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS

