Firewall blocking remote IPsec packets?

Hi there

I'm trying to set up IPsec to different networks with my RB4011iGS+ with FW 7.9.1.
The destination networks are edge router products.
I can see that the tunnels are established and I am able to ping from the site where the MikroTik is installed, but not the other way.
And I am a bit at a loss as to why.
The plan is to allow all traffic between the IPsec networks: 10.10.10.0/24, 10.10.20.0/24, 10.0.1.0/24 and 10.0.2.0/24.
In the guides I have seen and read, typically no firewall rules are created as part of the setup, only the NAT rule…
So my guess is that my firewall rules are blocking some traffic towards the 10.10.10.0/24 network.

Is there a way to see blocked packets? i.e. from specific sources, which may help me figure out where this is blocked…

(and yes, I am aware that the IPsec setup isn't very secure… this will all change later)

Below is the IPsec config; I connect to two sites, one of which has two networks…

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 name=xxx1
add dh-group=modp2048 enc-algorithm=aes-128 name=xxx2
/ip ipsec peer
add address=1.1.1.1/32 name=xxx1 profile=xxx1
add address=2.2.2.2/32 name=xxx2 profile=xxx2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposal1 pfs-group=modp2048
/ip ipsec identity
add peer=xxx1
add peer=xxx2
/ip ipsec policy
add dst-address=10.10.20.0/24 peer=xxx1 proposal=proposal1 src-address=10.10.10.0/24 tunnel=yes
add dst-address=10.0.1.0/24 peer=xxx2 proposal=proposal1 src-address=10.10.10.0/24 tunnel=yes
add dst-address=10.0.2.0/24 peer=xxx2 proposal=proposal1 src-address=10.10.10.0/24 tunnel=yes

Firewall stuff…

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN



Any ideas are very welcome…

If there is no NAT on the network path between the Mikrotik and the remote peer(s), bare ESP is used to transport the encrypted payload, so you need to add a rule protocol=ipsec-esp action=accept before the last action=drop one in chain input of /ip firewall filter.

If you are not sure, look what /ip ipsec installed-sa print shows you - if src-address and dst-address are shown without ports, this is the case.

When there is NAT, the ESP gets encapsulated into UDP and uses the same ports as the "control session", so no extra firewall rules are necessary if both peers act as initiators, so both actively create dynamic pinholes in their respective firewalls.
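The rule the reply describes, written out for the default-config ruleset in the original post, together with a temporary log rule that answers the "how do I see what is being blocked" question. This is an added example, not configuration posted by either participant; it assumes the rule comments and peer addresses (1.1.1.1, 2.2.2.2) exactly as they appear above, and the address-list name `ipsec-peers` and the log prefixes are my own choice.

```routeros
# Added example (not from the thread). RouterOS 7, applied to the default-config
# firewall shown in the original post. Assumes the "defconf:" rule comments are
# unchanged; the address-list name and log prefixes are arbitrary.

# Step 1: decide which case applies. Entries printed without ports mean bare ESP
# on the wire (no NAT on the path); entries with ports mean UDP-encapsulated ESP.
/ip ipsec installed-sa print

# Step 2 (bare-ESP case only): restrict the new pinhole to the known peers
# instead of accepting ESP from anywhere.
/ip firewall address-list
add list=ipsec-peers address=1.1.1.1 comment="IPsec peer xxx1"
add list=ipsec-peers address=2.2.2.2 comment="IPsec peer xxx2"

# Step 3: accept ESP on the input chain. It must be evaluated before
# "defconf: drop all not coming from LAN", which otherwise drops it, so the
# rule is inserted with place-before rather than appended at the end.
/ip firewall filter
add chain=input action=accept protocol=ipsec-esp src-address-list=ipsec-peers \
    comment="accept bare ESP from IPsec peers" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# Step 4 (diagnostic, temporary): log whatever still reaches the final input
# drop from non-LAN interfaces. Same place-before so it sits directly above the
# drop; remove it once the problem is understood, as it logs every scan hitting WAN.
add chain=input action=log log-prefix="input-drop:" in-interface-list=!LAN \
    comment="TEMP: log packets about to be dropped on input" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# Read the result: the source address and protocol of each dropped packet.
/log print where message~"input-drop:"

# Cleanup of the diagnostic rule when done.
/ip firewall filter remove [find comment="TEMP: log packets about to be dropped on input"]
```

Check the result with `/ip firewall filter print` and confirm the ESP accept rule is listed above the "drop all not coming from LAN" rule; if it ends up below it, the drop still wins. In the UDP-encapsulated case from the last paragraph of the reply, the log rule is still useful on its own: UDP/4500 from a peer showing up in the log means that peer is not the one opening the pinhole.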