IPIP over IPsec: How to block unencrypted traffic?

RouterOS General
1

I’ve setup an IPIP tunnel over transport mode IPsec between two Mikrotik boxes. Works like a charm.

Now I wanted to create firewall rules that only allows ESP and UDP500 packets between these two peers, to make sure any non-encrypted packets doesn’t leak on the untrusted side of the routers.

This was never a problem back on the old days when Linux was using KLIPS for IPsec which gave me ipsec0 interface which the tunnel traffic was sent and recieved on.

However I suspect ROS is using NETKEY where it seems like there are no virtual IPSec interfaces any longer. That means that in my case both the IPIP traffic generated by the router and the resulting ESP packets after encryption appears to be leaving on the same interface (Ether1).

I wanted to have three simple rules like:

chain=output action=accept protocol=ipsec-esp out-interface=ether1
chain=output action=accept protocol=udp out-interface=ether1 dst-port=500
chain=output action=drop out-interface=ether1

However as ROS seems to be using the physical interface ether1 as the outgoing interface even for traffic that is never supposed to leave the firewall in that shape on the physical interface, my drop rule drops my IPIP traffic as well!

So, how do I write a rule that stops unencrypted IPIP traffic from leaving the router on Ether1, while allowing the ESP traffic to leave?

IPSec transport mode (block unencrypted traffic)
2

After a lot of googeling and some discussions with support I came to the conclusion that it's currently not possible to do this on RouterOS.

The recommended way on Linux systems with NETKEY IPsec and iptables is to use the "policy" module, which can match traffic only if it has a corresponding IPsec SA established. That way you can write rules that only matches traffic comming from / going into an IPsec tunnel with rules like:

Allow outgoing IPIP (protocol 4) traffic over IPsec.

iptables -A OUTPUT -m policy --pol ipsec --dir out -p 4 -j ACCEPT

I've proposed that Mikrotik adds the policy module so we could write rules like:

chain=output action=accept policy=ipsec policy-dir=out protocol=ip-encap out-interface=ether1

To only allow traffic over an IPsec tunnel on RouterOS.