Site-to-Site VPN between Mikrotik and Watchguard

I've built an IPSEC site-to-site VPN between a Mikrotik router 450 series (remote site) and a Watchguard M series firewall. The VPN tunnel is established and works fine; only one thing is left:

With a test setup we are able to get a successful phase 1 & phase 2 negotiation from a test Mikrotik to the Watchguard, but we were unable to pass internet traffic.
There is some website filtering on the remote site. The reason is not clear.



    Reason: the reply packets will go out the Internet connection at the other end.

    For a normal (non-zero route) BOVPN you need an entry on the incoming HTTP/HTTPS policy with a "Set source IP" entry to make the reply packet from the Mikrotik go back over the BOVPN, not out the Mikrotik Internet connection.

    On the SNAT used for your incoming HTTP/HTTPS policy, select "Set source IP" and enter a value, as discussed below.

    If the BOVPN Tunnel Local setting is the trusted subnet, set the "Set source IP" value to the IP addr of the trusted interface.
    (Actually it can be any IP addr from the trusted subnet, but using the trusted interface IP addr seems more logical to me.)

    Now when the packet goes down the BOVPN, the source IP addr of the packet will be something from your firewall (the trusted interface IP addr), and thus the reply packet will be routed back over the BOVPN to your firewall, where it will then be Dynamic NATed and routed back to the session initiator.
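To make the routing argument in the reply concrete, here is an added Python model (not from the thread or either vendor) of the Phase 2 selector check the Mikrotik end performs on the reply packet. The subnets, the trusted interface IP and the initiator's public address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IpsecPolicy:
    """Phase 2 selectors as seen from the Mikrotik: its LAN <-> the WatchGuard trusted subnet."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def matches_tunnel(policy: IpsecPolicy, src, dst) -> bool:
    """A packet is only encapsulated into the BOVPN if src/dst fall inside the selectors."""
    return src in policy.local and dst in policy.remote


def simulate(policy: IpsecPolicy, server, initiator, snat_ip=None) -> dict:
    """Trace one request through the WatchGuard HTTP/HTTPS policy and the server's reply.

    snat_ip is the "Set source IP" value; None models the policy without it.
    Returns the source the server sees and where the Mikrotik sends the reply.
    """
    # Forward direction: WatchGuard rewrites the source only if "Set source IP" is set.
    request_src = snat_ip if snat_ip is not None else initiator
    # Reply: the server swaps src/dst, so the reply's destination is whatever it saw as source.
    reply_src, reply_dst = server, request_src
    egress = "BOVPN" if matches_tunnel(policy, reply_src, reply_dst) else "INTERNET"
    return {"request_src": request_src, "reply_dst": reply_dst, "reply_egress": egress}


# Constructed sample values (RFC 1918 / RFC 5737 addresses, not taken from the thread).
POLICY = IpsecPolicy(
    local=ipaddress.ip_network("192.168.10.0/24"),   # Mikrotik LAN
    remote=ipaddress.ip_network("10.0.1.0/24"),      # WatchGuard trusted subnet
)
REMOTE_SERVER = ipaddress.ip_address("192.168.10.5")  # web server behind the Mikrotik
TRUSTED_IFACE_IP = ipaddress.ip_address("10.0.1.1")   # WatchGuard trusted interface
INITIATOR_PUBLIC = ipaddress.ip_address("203.0.113.7")  # session initiator on the Internet


def reply_without_snat() -> str:
    return simulate(POLICY, REMOTE_SERVER, INITIATOR_PUBLIC)["reply_egress"]


def reply_with_snat() -> str:
    return simulate(POLICY, REMOTE_SERVER, INITIATOR_PUBLIC, TRUSTED_IFACE_IP)["reply_egress"]


if __name__ == "__main__":
    print("without Set source IP:", reply_without_snat())
    print("with Set source IP:   ", reply_with_snat())
```

Without the SNAT the reply is addressed to a public IP outside the tunnel selectors and leaves via the Mikrotik's own Internet link, which is the asymmetric path the reply describes.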
