[ASK] default configuration second part

From default configuration:

add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec

Does it only affect tunnel mode?

Thanks

No.

Transport?

What does it actually do?

Documentation clearly describes what it does:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties

Matches the policy used by IpSec. Value is written in following format: direction, policy. Direction is used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.

in - valid in the PREROUTING, INPUT and FORWARD chains
out - valid in the POSTROUTING, OUTPUT and FORWARD chains

ipsec - matches if the packet is subject to IpSec processing;
none - matches packet that is not subject to IpSec processing (for example, IpSec transport packet).

For example, if router receives Ipsec encapsulated Gre packet, then rule ipsec-policy=in,ipsec will match Gre packet, but rule ipsec-policy=in,none will match ESP packet.

It shows the process excellently. I'm just wondering in which scenario I can use it, for example L2TP-IPSec or some other situation.

That was my question

I have been testing many tunnels like EoIP-IPSec, IPIP-IPSec, L2TP-IPSec. I found that these rules only make traffic when I'm playing with tunnel mode; on any other it doesn't make any traffic at all.

I'm waiting for your comment.

This log comes from R1 and it says:
IPsec_IN = 0c:5b:54:40:0b:00 belongs to “R2”
IPSec_OUT = 0c:5b:54:98:f9:00 belongs to “cl1”
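
Added example, not part of the original thread: one way the ipsec-policy matcher from the quoted documentation applies to the L2TP-IPSec case asked about above. It assumes the router itself is the L2TP/IPsec server, so the decrypted L2TP packet is addressed to the router and is seen in chain=input rather than chain=forward; the comments and the choice of rules are illustrative, not the default configuration.

```routeros
# Added example (not from the thread). Assumption: this router terminates
# L2TP/IPsec itself, so decapsulated L2TP (UDP 1701) arrives in chain=input.
# Place these rules above any general drop rule in the input chain.
/ip firewall filter

# IKE / NAT-T negotiation and the ESP packets themselves. An ESP packet has
# not been decapsulated yet, so per the documentation it is the "in,none" case.
add chain=input action=accept protocol=udp dst-port=500,4500 comment="example: IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp comment="example: ESP"

# Weak form, left disabled: accepts L2TP whether or not IPsec protected it.
add chain=input action=accept protocol=udp dst-port=1701 disabled=yes comment="example: L2TP from anywhere (weak)"

# Hardened form: accept L2TP only when it was decapsulated by an IPsec policy...
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="example: L2TP only inside IPsec"

# ...and drop L2TP that reached the router without IPsec processing.
add chain=input action=drop protocol=udp dst-port=1701 ipsec-policy=in,none comment="example: drop cleartext L2TP"
```

The packet counters from `/ip firewall filter print stats` show which of the two UDP 1701 rules a test connection actually hits.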