Firewall rules for ipsec site2site

Configured a site-to-site IPsec VPN.

I created rules on one of the MikroTiks. This is the first MikroTik.

 0   ;;; default configuration
     chain=input action=accept connection-state=established

 1   ;;; default configuration
     chain=input action=accept connection-state=related

 2   chain=input action=accept src-address="IP second microtik"

 3   ;;; Allow IKE
     chain=input action=accept protocol=udp dst-port=500

 4   ;;; Allow IPSec-esp
     chain=input action=accept protocol=ipsec-esp

 5   ;;; Allow IPSec-ah
     chain=input action=accept protocol=ipsec-ah

 6   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=10m dst-port=22

 7   chain=input action=accept protocol=tcp dst-port=22

 8   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22

 9   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22

10   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22

11   chain=input action=drop in-interface=ether1

When rule 11 on the first MikroTik is switched off and on again, the VPN works.
In the sniffer I see ESP packets being sent from the second MikroTik to the first MikroTik.
I can't understand why rule 4 doesn't work.

Do you have the correct IP for the second RouterBoard in rule 2? If you do, it shouldn't even need rule 3 to work!

In rule 2 I have hidden it.

Maybe this is a bug?

Your problem is that you're not allowing the actual decoded traffic in... You are allowing the encoded traffic, but if you follow the traffic flow diagram you can see that IPsec decoded packets appear as "input" on the external interface. Thus you need a rule like
/ip firewall filter
add chain=input src-address=10.0.0.0/24 in-interface=ether1-gateway
Or something like that... it's a bit odd, but it's the way it works in ROS.

The decrypted traffic is routed to the input or forward chain depending on the destination, so you would need input/forward chain rules to accept that traffic. It isn’t clear to me if you are testing traffic to the router or to a LAN behind the router as implied by mention of “site to site”.
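To make the two replies above concrete, here is an added Python model of RouterOS first-match chain evaluation; it is example code written for this thread, not from the original posts or from MikroTik. It walks an IPsec packet through the input chain twice, first as the ESP packet and then as the decrypted inner packet re-injected on the same external interface, which is the behaviour the replies describe. The peer address 203.0.113.2, the router address 203.0.113.1 and the ping from 10.8.1.10 are constructed; the SSH staging rules from the original post are omitted because they do not affect the outcome, and the fix rule uses the 10.8.0.0/13 source range from the thread.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    in_interface: str
    protocol: str                   # e.g. "ipsec-esp", "udp", "tcp", "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None
    connection_state: str = "new"


@dataclass
class Rule:
    action: str                     # "accept" or "drop"
    comment: str = ""
    match: dict = field(default_factory=dict)   # matcher name -> value; empty matches all

    def matches(self, pkt: Packet) -> bool:
        for key, want in self.match.items():
            if key == "src_address":            # CIDR prefix or single host
                net = ipaddress.ip_network(want, strict=False)
                if ipaddress.ip_address(pkt.src) not in net:
                    return False
            elif getattr(pkt, key) != want:
                return False
        return True


def evaluate(chain, pkt):
    """First matching rule decides; no match means the chain's default accept."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "(no match, chain default)"


PEER = "203.0.113.2"        # constructed public IP of the second router

# The original poster's input chain, reduced to the relevant rules
# (comments carry the rule numbers used in the thread).
ORIGINAL_INPUT = [
    Rule("accept", "0 default", {"connection_state": "established"}),
    Rule("accept", "1 default", {"connection_state": "related"}),
    Rule("accept", "2 peer", {"src_address": PEER}),
    Rule("accept", "3 Allow IKE", {"protocol": "udp", "dst_port": 500}),
    Rule("accept", "4 Allow IPSec-esp", {"protocol": "ipsec-esp"}),
    Rule("accept", "5 Allow IPSec-ah", {"protocol": "ipsec-ah"}),
    Rule("accept", "7 ssh", {"protocol": "tcp", "dst_port": 22}),
    Rule("drop", "11 drop rest", {"in_interface": "ether1"}),
]

# The fix from the thread: accept the decrypted remote-LAN traffic before the drop.
FIXED_INPUT = ORIGINAL_INPUT[:-1] + [
    Rule("accept", "msk.hq", {"src_address": "10.8.0.0/13"}),
    ORIGINAL_INPUT[-1],
]


def ipsec_input(chain, esp_pkt, inner_pkt):
    """Two passes through the input chain: the ESP packet, then the decrypted
    packet, which RouterOS presents again on the same in-interface."""
    action, comment = evaluate(chain, esp_pkt)
    if action == "drop":
        return ("esp", "drop", comment)
    action, comment = evaluate(chain, inner_pkt)
    return ("decrypted", action, comment)


# Constructed sample packets: ESP from the peer, then the decrypted ping inside it.
ESP = Packet("ether1", "ipsec-esp", PEER, "203.0.113.1")
INNER = Packet("ether1", "icmp", "10.8.1.10", "10.0.0.1")

if __name__ == "__main__":
    print("original chain:", ipsec_input(ORIGINAL_INPUT, ESP, INNER))
    print("fixed chain:   ", ipsec_input(FIXED_INPUT, ESP, INNER))
```

The ESP packet is accepted early (by rule 2, or rule 4 if the peer address did not match), but the decrypted ping carries the remote LAN source and in-interface ether1, matches none of the accepts and reaches rule 11. For LAN-to-LAN traffic the second pass lands in the forward chain instead, so the same accept is needed there too.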

Good point.

Sent from my SCH-I545 using Tapatalk

You are right. I allowed the traffic from the LAN and IPsec started working.

/ip firewall filter
add chain=input comment=msk.hq src-address=10.8.0.0/13