IPIP tunnel - firewall?

Hi all,

I just set up my first pair of Mikrotik RBs. I’ve mounted a VPN tunnel between them (through public internet), using Winbox, in the ‘IP tunnel’ tab in the ‘Interfaces’ menu. It’s been very easy to set up the IPIP tunnel with IPsec encryption, it works well and I can ping between both sides (after declaring the routes on each router).

But there’s something that worries me: I haven’t touched anything on the Firewall and it’s working ‘out of the box’. Why? Which ‘default’ rule allows the tunnel to go up?
I thought that I should open port 500 to the public IP address of the other side…

What’s the difference between an IPIP tunnel and L2TP for example?

Thanks!

Post both configurations (see my automatic signature below to see how to prevent posting sensitive information), as otherwise it is just guesswork, as follows:

If you have default firewall rules on both machines, I guess that both Mikrotiks have a public WAN address and both act as IPsec initiators, hence both send packets from their own UDP port 500 to the peer’s IP address and UDP port 500, so the tracked connections at both firewalls get created because both are sending those packets on their own. For ESP (the transport protocol used by IPsec for the payload if there is no NAT between the peers), this works because you have configured keepalive on the IPIP tunnel, so again both peers are sending IPIP transport packets on their own, creating a tracked connection.

The default firewall rules drop only forwarded traffic which came in via interfaces listed in the /interface list named WAN; this is not the case for the IPIP tunnel unless you’ve added it there.
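As an added illustration (not configuration posted by either participant, and not MikroTik's own defaults beyond the quoted rule comments), the following RouterOS fragment makes the behaviour described above explicit instead of relying on both routers happening to initiate: it accepts IKE and ESP from the known peer only, and it filters traffic arriving through the tunnel interface, which the default "drop all from WAN" forward rule never sees. The interface name, the public addresses (203.0.113.10 and 198.51.100.20), the LAN prefixes and the pre-shared key are constructed placeholders.

```routeros
# Added example, not from the thread. Placeholders (constructed):
#   ether1        = this router's WAN interface (already in list WAN)
#   203.0.113.10  = this router's public address
#   198.51.100.20 = the peer router's public address
#   10.1.0.0/24   = local LAN, 10.2.0.0/24 = peer LAN

# 1. IPIP tunnel with built-in IPsec (transport mode) and keepalive.
#    Keepalive is what keeps an ESP conntrack entry alive on both ends.
/interface ipip
add name=ipip-site2 local-address=203.0.113.10 remote-address=198.51.100.20 \
    ipsec-secret="CHANGE-ME-long-random-psk" keepalive=10s,10

# 2. Accept IKE (UDP 500, NAT-T 4500) and ESP from the peer address only.
#    Rules appended to the chain land *after* the default input drop, so they
#    are placed before it explicitly (assumes the defconf rule comment).
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=198.51.100.20 in-interface-list=WAN \
    comment="IKE / NAT-T from site2 peer" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=ipsec-esp \
    src-address=198.51.100.20 in-interface-list=WAN \
    comment="ESP from site2 peer" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 3. Packets arriving via ipip-site2 are not on the WAN list, so the default
#    "defconf: drop all from WAN not DSTNATed" rule does not match them and
#    the forward chain falls through to accept. Filter the tunnel explicitly.
add chain=forward action=accept in-interface=ipip-site2 \
    src-address=10.2.0.0/24 dst-address=10.1.0.0/24 \
    comment="site2 LAN -> local LAN via tunnel"
add chain=forward action=drop in-interface=ipip-site2 \
    comment="drop anything else arriving through the tunnel"

# 4. Route the far LAN over the tunnel interface.
/ip route
add dst-address=10.2.0.0/24 gateway=ipip-site2
```

Mirror the same fragment on the peer with the addresses and prefixes swapped. After applying it, `/ip firewall connection print where protocol=ipsec-esp` should show one tracked ESP entry per direction regardless of which side brought its tunnel up first, and the input counters on the two accept rules confirm that IKE and ESP are matched by those rules rather than by the generic established/related rule.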