blocking traffic when ipsec/ikev2 is down

Hello,

I’m using the following to route an address list out an ipsec/ikev2 tunnel:

/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=!internal new-connection-mark=nordvpnus passthrough=yes src-address-list=nordvpnus
/ip firewall mangle add action=change-mss chain=forward connection-mark=nordvpnus new-mss=1398 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1399-65535
/ip ipsec mode-config add connection-mark=nordvpnus name=nordvpnus responder=no

This works as expected when ipsec is up, but when it is down, traffic still leaks out. Everything I’ve tried to block this also blocks the address list from getting through ipsec.

Looking into postrouting now, but feel like I’m making this harder than it needs to be.

Thanks.

Ok, I think I have a working solution, or at least it appears to work. I need to check to see if any requests are getting out; however, none are being returned.

Since ipsec sets up src-nat on connect, I added !addresslist to my NAT rule for the external interfaces to prevent src-nat.

This feels sloppy somehow. This means I have to create another address list to group together all that I do not want src-nat’d.

Thanks.

To do that I put a line at the top of NAT that src-nats traffic marked for IKEv2 to IP 127.0.0.1.
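The two NAT-side kill switches described in this thread (excluding the address list from masquerade, and src-nat’ing marked connections to 127.0.0.1 at the top of srcnat), written out as an added example. This is not configuration from any of the posters; it assumes the mangle and mode-config rules from the first post are in place, an interface list named WAN that holds the uplink interface(s), and the address list name nordvpnus. Either variant alone is enough; the check commands at the end are what I would run with the tunnel deliberately down.

```routeros
# Added example (not from the thread): two ways to stop traffic from the
# tunnel-bound hosts leaking out the WAN while the IKEv2 tunnel is down.
# Assumes: mangle/mode-config rules from the first post, interface list
# "WAN" containing the uplink(s), address list "nordvpnus".

# Variant A: keep the tunnel hosts out of the ordinary masquerade rule.
# Without masquerade their packets leave with a private source address and
# get no reply; when the tunnel is up, the dynamic src-nat rule that
# mode-config installs handles them instead.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN \
    src-address-list=!nordvpnus comment="masquerade, except tunnel hosts"

# Variant B: src-nat the marked connections to 127.0.0.1 at the top of
# srcnat (the rule described in the reply above). This relies on the
# dynamic mode-config src-nat rule being placed above it once the tunnel
# comes up, which is what the poster reports; verify with the print below.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=127.0.0.1 \
    connection-mark=nordvpnus place-before=0 comment="IKEv2 kill switch"

# Checks with the tunnel down: the kill-switch counters should grow and
# no nordvpnus-marked connection should appear with a WAN source address.
/ip firewall nat print stats where comment="IKEv2 kill switch"
/ip firewall nat print where dynamic
/ip firewall connection print where connection-mark=nordvpnus
```

The second print shows whether the dynamic mode-config src-nat rule exists and where it sits relative to the static rule; if it ends up below the kill switch, tunnel traffic would be NAT’d to 127.0.0.1 even when the tunnel is up, so the rule order is the thing to confirm after the first reconnect.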

I didn’t play much with RouterOS as IKEv2 client, but shouldn’t this work?

/ip firewall filter
add action=reject chain=forward connection-mark=nordvpnus ipsec-policy=out,none reject-with=icmp-network-unreachable

In filter you don’t know yet whether the dynamic NAT rules have already been generated and are in place, if I have the packet flow order correct.

Then this rule blocks all traffic for that connection-mark, and it could work if !ipsec-policy=out,none were possible.

Oops, my bad. I forgot about NAT. And direction too. Double mistake. :)