IKEv2 -> VLANs filtering

fpawlak · February 16, 2021, 3:14pm

Hi guys

I’ve played a little with IKEv2. I’m able to connect to mikrotik router with IKEv2 (using ‘digital signature’ or ‘eap radius’).
Now I’m looking for some guides how can I filter access to specific VLANs from IKEv2 clients. I know that, I can add firewall rules like:

#ALLOW VPN to VLAN10
add action=accept chain=forward ipsec-policy=in,ipsec out-interface=VLAN10 src-address=VPN_IP_POOL
#ALLOW VPN to VLAN20
add action=accept chain=forward ipsec-policy=in,ipsec out-interface=VLAN20 src-address=VPN_IP_POOL

But I want to set different access for different users - eg. user1 should have only access to VLAN10, while user2 only to VLAN20. How can I do that?
I can create different identities under /IP/IPsec/Identities and modeconfs under /IP/IPsec/Mode Configs so each user get own IP and routes to specific vlans. But it isn’t safe - client can manualy change ip or add route. Also firewall rules won’t help - users still can change his ip/toutes

#ALLOW user1 to VLAN10 (based on his IP)
add action=accept chain=forward out-interface=VLAN10 src-address=10.0.1.0/24
#ALLOW user2 to VLAN20 (based on his IP)
add action=accept chain=forward out-interface=VLAN20 src-address=10.0.2.0/24

While using L2TP or PPTP I was able to create under /PPP/Interface ‘L2TP/PPTP Server binding’ interface based on username or define under /PPP/Profiles PPP profile wich automaticly adds client to interface lists so in firewall I could use rules like:

#ALLOW user1 to VLAN10 (based on interface binding)
add action=accept chain=forward in-interface=l2tp-user1 out-interface=VLAN10
#ALLOW user2 to VLAN20 (based on interface lists)
add action=accept chain=forward in-interface-list=VLAN20-vpn_users out-interface=VLAN20

Are there any similar options for IKEv2? Or should I use completely another approach? Wich approach?

I have never play with Dot1X, so I don’t know if it is possible to use it over VPN. Probably not, while in server config you have to set an interface.

You may ask me, why I want to use IKEv2 not L2TP/ipsec

possibility to push routes&dns over modeconf
multiple connections from the same WAN IP (yes, I’ve seen workaround for it on this forum)
better performance
better for road warriors using 3g/lte as WAN access (roaming and reconnection)

Thanks for any help

sindy · February 16, 2021, 3:39pm

You can create several separate /ip ipsec policy group items, and create a policy template with dst-address restricted to a long prefix (a small “subnet”) for each group. The policy-template-group parameter of each /ip ipsec identity row will point to one of these groups. This will prevent the clients from assigning a different address, as their request for a policy matching that address will be rejected.

Identities of clients with the same access permissions will share the same group.

IPsec tunnels are L3 ones, so 802.1x is completely unrelated.

fpawlak · February 16, 2021, 4:59pm

Sindy thanks a lot for your quick response.
It looks good
So for main VLAN I can use identity with Auth. Method ‘eap radius’ so all domain users get access to the main VLAN.
And for the rest VLANs I’ll have to define separate identities for each user with Auth. Method different than ‘eap radius’
Am I correct?

Access for main VLAN only is for road warriors (circa 90-95% of all vpns)
Access for specific VLANs is needed only for administrations purposes, and for external support maintaining devices&machines in company.

sindy · February 16, 2021, 5:39pm

Sounds correct to me, unless RouterOS supports some RADIUS parameter used to override the policy-template-group value of the identity row, which would allow you to use eap-radius for all types of clients.