IPSEC between MKT and Fortigate problem

Hello Everybody!

network topology:
192.168.0.0/21—Fortigate------[ipsec]------MKT------192.168.88.0/24

I have Mikrotik RBwAPR-2nD&R11e-LTE with LTE WAN (dynamic WAN IP) and I configured ipsec tunel between it and Fortigate. Fortigate supports dynamic IP peer, so I used as remote IP buildin-cloud feature of MKT: xxxx.sn.mynetname.net. On MKT IP->IPSec->Policies->SA Src.Address was set as 0.0.0.0. IPSec peers are connected succesfully. Problem: I can ping MKT lan interface (e.g. from 192.168.0.21 to 192.168.88.1), but I can not ping hosts from 192.168.0.0/21 to 192.168.88.0/24. This is not problem with Windows firewall of hosts or blocking ICMP.
Results:
192.168.88.254 (PC) to 192.168.0.21 (PC) → ping OK
192.168.0.21 (PC) to 192.168.88.254 (PC) → ping failed
192.168.0.21 (PC) to 192.168.88.1 (MKT LAN INT) → ping OK

Problem is resolved by using of below rule:

/ip firewall
filter add chain=forward dst-address=192.168.88.0/24 in-interface=lte1 ipsec-policy=in,ipsec src-address=192.168.0.0/21

Two question:

1. Why I need this rule? I red many kb and ipsec examples and only one (found before the moment) has this forward ipsec traffic rule
2. I tried to apply rule for filter traffic from 192.168.88.0/24 to 192.168.0.0/21. How should be rule for filter this traffic?

/ip firewall
filter add chain=forward dst-address=192.168.0.0/21 in-interface=lte1 ipsec-policy=in,ipsec src-address=192.168.88.0/24

This rule is not working (statistics are not increasing).

kind regards
LM

To give you an exact answer I would have to see the whole output of

/ip ipsec export
/ip address export
/ip firewall export
/ip route export

commands, with passwords and public addresses replaced by bogus ones to keep things secure, but there are several things which are very different in Mikrotik’s implementation of IPsec as compared to other VPN implementations and even other IPsec implementations.

Other VPNs usually use a virtual interface with its own IP configuration to represent the tunnel. So if you want to send a packet through a tunnel, you indicate a route through a gateway in the IP subnet of that virtual interface. And received packets which came through the tunnel get to the firewall twice - once still encrypted, marked with the physical interface as incoming interface, and with the “outer” source and destination sockets, and another time already decrypted, marked with the virtual interface as the incoming interface, and with the “inner” source and destination socket.

In Mikrotik’s IPsec implementation, even a packet which came through an IPsec tunnel is marked with the physical interface and is only offered to the firewall rules once, after decryption. So by the incoming interface alone, you cannot distinguish between a packet which came through that interface unencrypted (like e.g. a DNS response from public DNS server) and a packet which came through the same physical interface but encrypted and encapsulated into ESP further encapsulated into UDP and got to the firewall after decapsulation and decryption. To discriminate between these two cases, you need to use the ipsec-policy attribute of the packet, where packets with value “ipsec” are the decrypted ones and packets with value “none” are the other ones. It appears that you could use the “inner” sockets to identify decrypted packets, but security-wise it is a bad idea and the ipsec-policy attribute is there on purpose.

So I suspect that your existing firewall rules at some stage drop all packets coming to the internet-facing interface which didn’t fit to some of the “accept” rules preceding the final “drop the rest” one, which includes decrypted ipsec packets. By adding the rule you have mentioned before that “drop the rest” rule, you provide an exception for the decrypted IPsec packets which come through the same interface - although it is not displayed in configuration export, the default action for a firewall rule is “accept”.

The difference between pinging Mikrotik’s own IP and other IPs in the same subnet is that incoming packets towards own IPs are handled by firewall chain “input” while incoming packets towards other IPs are handled by firewall chain “forward”.

To avoid further surprises once you get past the “pinging phase”, I’d recommend you to read carefully chapter 16.5.4 of the IPsec Wiki manual - https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#NAT_and_Fasttrack_Bypass. In short:

• while icmp does not constitute a trackable “connection”, other protocols do, and some ways of handling connection-tracked packets (namely, fasttracking) collides with IPsec policy matching, so you have to prevent fasttracking of IPsec packets; to compensate the resulting slowdown a small bit, you may want to speed their processing up a bit by preventing them from being connection-tracked at all.
• while packets sent from the IP address of the internet-facing interface are not source-NATed (no point in doing that), packets forwarded through that interface typically are. The problem is that IPsec policy matching takes place only after eventual source-NAT operation has been applied. So for going-to-be-encrypted packets routed out through the internet-facing interface, you have to set an exception from source-NAT so that the IPsec policy could recognize them and encrypt and encapsulate them before actually sending them out.

/ip ipsec export:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm
lifetime=1d pfs-group=modp1536
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=12h name=
proposal1 pfs-group=modp1536
/ip ipsec peer
add address=X.X.X.X/32 dh-group=modp1536 enc-algorithm=aes-256 secret=\

---

/ip ipsec policy
add dst-address=192.168.0.0/21 sa-dst-address=X.X.X.X sa-src-address=
0.0.0.0 src-address=192.168.88.0/24 tunnel=yes

/ip address export:

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=
192.168.88.0
add address=172.16.8.1/24 interface=lan-guests network=172.16.8.0

/ip firewall export:

/ip firewall address-list
add address=X.X.X.X/28 list=true-ip-list
/ip firewall filter
add action=accept chain=forward comment=vpn01 dst-address=192.168.0.0/21
in-interface=lte1 ipsec-policy=in,ipsec src-address=192.168.88.0/24 → > this rule is not working
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept established,related”
connection-state=established,related
add action=accept chain=input disabled=yes in-interface=lte1 protocol=icmp
add action=accept chain=input comment=“Allow remote management”
connection-state=new dst-port=80,22 in-interface=lte1 log=yes protocol=tcp
src-address-list=true-ip-list src-port=“” → > this rule is used for remotely management of device and it’s not working
add action=accept chain=forward comment=vpn01 dst-address=192.168.88.0/24
in-interface=lte1 ipsec-policy=in,ipsec src-address=192.168.0.0/21 → > this rule is needed for traffic from 192.168.0.21 to 192.168.88.253
add action=drop chain=input comment=“defconf: drop all from WAN” in-interfa
lte1
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,relate
connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid” connection-st
invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface=lte1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.140.0/24 src-address=
192.168.88.0/24
add action=accept chain=srcnat dst-address=192.168.0.0/21 src-address=
192.168.88.0/24
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=
192.168.0.0/21
add action=masquerade chain=srcnat comment=“defconf: masquerade” out-interf
lte1
add action=masquerade chain=srcnat disabled=yes out-interface=lte1 src-addr
172.16.8.0/24

/ip route export is empty - I red that there is no need to configure route in case of ipsec

Generally I used default config and adding ipsec.
Rule for remotely management is working on another MKT (RB950), but is not working on this LTE MKT. Does this LTE device have something else for configuration?

I need help with:

1. Why first rule vpn01 is not working
2. Why rule for remote management is not working

kind regards

You don’t need the in interface in your rules.
Try this…

/ip firewall address-list
add address=192.168.88.0/24 list=TikLocal
add address=192.168.0.0/21 list=FortFar
/ip firewall filter
add action=accept chain=input dst-address-list=TikLocal ipsec-policy=in,ipsec src-address-list=FortFar
add action=accept chain=forward dst-address-list=TikLocal ipsec-policy=in,ipsec src-address-list=FortFar
/ip firewall nat
add action=accept chain=srcnat dst-address-list=TikLocal  src-address-list=FortFar

Drag those rules to the Top in Winbox.

@eLM0,

add action=accept chain=forward comment=vpn01 dst-address=192.168.0.0/21
in-interface=lte1 ipsec-policy=in,ipsec src-address=192.168.88.0/24

>
> -> this rule is not working

It cannot work (the way you expect) because you've specified source and destination IP subnets relevant to packets **sent by Mikrotik** towards Fortinet but the in-interface and ipsec-policy=in,ipsec conditions refer to packets **received by Mikrotik**. But one of the rules provided by @gotsprings replaces this one.
* Unfortunately, @gotsprings has made a similar mistake as above in his last rule, you have to exclude from the (otherwise applied) srcnat the packets sent with Mikrotik subnet's IP as source and Fortigate subnet's IP as destination, so that last rule should actually read

```text
/ip firewall nat
add action=accept chain=srcnat src-address-list=TikLocal  dst-address-list=FortFar

NB: instead of dragging rules to top using mouse in Winbox/WebFig, you can add them using CLI starting from the bottom of the list and add a parameter “place-before=0” to each “add”.

add action=accept chain=input comment=“Allow remote management”
connection-state=new dst-port=80,22 in-interface=lte1 log=yes protocol=tcp
src-address-list=true-ip-list src-port=“”

>
> this rule is used for remotely management of device and it's not working

Here I suppose (but am not sure) that the rule dosen't work because of the 'src-port=""' condition. To permit any source port which is obviously the intention, just omit that condition completely. That rule (after the suggested modification) allows management access through the wan interface (lte1) even for packets which come in directly, i.e. not via IPsec, is that the intention?
* > ```text
/ip route export

is empty - I red that there is no need to configure route in case of ipsec

That’s correct, IPsec policies “steal” matching packets from routing.

Thank you for reply.

;;; vpn01
chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.0.0/21 log=no log-prefix=“” ipsec-policy=out,ipsec

Statistics is now increased for this rule. Having of experience with working with Cisco devices, I used always “in” direction in rules

;;; Allow remote management
chain=input action=accept connection-state=new protocol=tcp src-address-list=true-ip-list in-interface=lte1 dst-port=80,22 log=yes
log-prefix=“”

I omiited src-port=“”, but after removed it, I can not access to ssh or http to WAN of MKT still. I need it for remote management from trusted ip in case of e.g. ipsec failure.

• Statistics is now increased for this rule.

Fine, but are you sure you have changed that half of the rule which you actually wanted? You have described the role of this rule as permission of access to Mikrotik but the way you’ve modified it, it permits packets in the Mikrotik subnet → Fortigate subnet direction instead. It is the rules by @gotsprings what permits establishment of tracked connections initiated by devices behind Fortigate towards devices behind Mikrotik (forward) and towards Mikrotik itself (input), but connections cannot be initiated in the opposite direction without your rule as it looks currently. So if you want machines behind Mikrotik and machines behind Fortigate to talk freely, regardless who initiates the connection, keep things as they are, otherwise you should remove your rule.
NB: The only role of the “ipsec-policy=out,ipsec” parameter here is to prevent the packets being sent out via lte1 unencrypted while the IPsec tunnel is eventually down. It is good to have it there, I’m just making sure you realize its meaning.

• After I’ve removed it, I still can not access ssh or http to WAN of MKT.

I’ve double-checked the rules in the “input” chain of your /ip firewall filter, and I cannot see the reason there. But there may be a number of other reasons to this, some of them related to your LTE provider’s behaviour. So first, have you got a static public address assigned, or at least do you get a public address and do you use some dynamic DNS client so that you could be sure that you are really attempting to connect to your own device? If you are bullet-proof about this, are you sure that the LTE provider does not block these ports? The statistics of your rule should give you an answer - if each ssh or http establishment attempt increments that rule’s packet counter, then the LTE part is OK. If this is the case, what is the outpur of

/ip service export verbose

? If the “address=” parameter has a non-empty contents for http and ssh service, and that contents does not match the contents of your true-ip-list, you’ve found the reason. Otherwise I am out of ideas.

I was looking at my link to the office.

The office is behind a FiOS router.
So I had to use L2TP as the connector.
Wrote a firewall rule to only allow my home address to connect to the l2tp port. (And a script to update should my home IP change.)
Then I added the IPSEC onfig for the subnets.

@sindy

1. I removed interface from rules vpn01 as was described into https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#NAT_and_Fasttrack_Bypass

 
 1    ;;; vpn01
      chain=forward action=accept connection-state=established,related,new 
      src-address=192.168.88.0/24 dst-address=192.168.0.0/21 log=no log-prefix="" 
 2    ;;; vpn01
      chain=forward action=accept connection-state=established,related,new 
      src-address=192.168.0.0/21 dst-address=192.168.88.0/24 log=no log-prefix=""

Wiki omited connection state=new. Without new state traffic from 192.168.0.21 to 192.168.88.253 is not possible.

2. I’ll check a possibility of service blocking in my ISP.
3. Regarding to my configuration: IP->IPSec->Policies->SA Src.Address was set as 0.0.0.0 - it is correctly?

Wiki omited connection state=new.

No. Wiki has not omitted it, it is not there intentionally. See why here: http://forum.mikrotik.com/t/ipsec-ikev2-tunnel-tuning/115254/1

IP->IPSec->Policies->SA Src.Address was set as 0.0.0.0 - it is correct?

Like at many other places, 0.0.0.0 means “choose automatically” here, so since your configuration is quite simple, RouterOS has a single choice which thus cannot be wrong.