IPSec features in default configuration

Hello people,
I have bought the latest device RB4011iGS-5HacQ-2HnD-In which is really great! This is the second RB device in my hands.
When I was configuring it for my personal SOHO I looked into DefConfig first and noticed some things. I have looked through the wiki page and could not find explanations for a couple of things.

  1. The default firewall rules include two rules:
    /ip firewall filter
    add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
    Question. What are they for? What do they do?

  2. The “masquerade” action for NAT.
    The wiki page for Masquerade (https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Masquerade_2) says the NAT rule is the following:
    /ip firewall nat add chain=srcnat action=masquerade out-interface=Public
    but the “DefConfig” rule from the manufacturer differs from that. The “DefConfig” rule is:
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
    Question. What does “ipsec-policy=out,none” parameter do?

Many thanks for your answers.

What the ipsec-policy parameter does is described in the firewall manual:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties

2.
Now that you know what ipsec-policy means, read here why packets matching an ipsec policy must not be NATed:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#NAT_and_Fasttrack_Bypass

Thanks,
This is how I understand the rules

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

turn forwarding on for the chains matching an IPsec policy that will be used for decapsulation or encapsulation.
The “ipsec-policy=out,none” parameter in the masquerade rule enables NAT for chains which match the ipsec policy.
If I need some VPN tunnel I have to add the two mentioned rules to the firewall, and the masquerade rule must contain the option “ipsec-policy=out,none”.
Is it right?

ipsec-policy=out,none means that the rule will NAT only those connections that are not matched by any ipsec policy.

Many thanks!
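To make the two answers in this thread concrete, here is a small Python model of how the `ipsec-policy` matcher interacts with the srcnat and forward chains. It is an added illustration, not MikroTik code or anything from the RouterOS defconf script: the policy table (192.168.88.0/24 to 10.10.0.0/24), the WAN address 203.0.113.5 and the packets are constructed, and the model assumes two things stated in the linked manual pages: that srcnat rewrites the source address before the outgoing IPsec policy lookup happens, and that the default forward chain also drops new connections coming from WAN unless they were dst-natted (the rule that makes the "accept in ipsec policy" rule necessary).

```python
"""Toy model of RouterOS-style 'ipsec-policy=<direction>,<state>' matching.

Added illustration, not MikroTik code. Assumptions (from the linked manual
pages): srcnat runs before the outgoing IPsec policy lookup, and the default
forward chain drops new connections from WAN that were not dst-natted.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    src: str  # src-address selector of an IPsec policy
    dst: str  # dst-address selector of an IPsec policy


@dataclass
class Packet:
    src: str
    dst: str
    in_list: str = "LAN"          # interface list the packet arrived on
    out_list: str = "WAN"         # interface list it will leave on
    decapsulated: bool = False    # produced by IPsec decapsulation?
    dstnat: bool = False          # connection was dst-natted?


# Constructed site-to-site policy: local LAN <-> remote LAN, and our WAN address.
POLICIES = [Policy("192.168.88.0/24", "10.10.0.0/24")]
WAN_ADDR = "203.0.113.5"


def out_policy_match(pkt, policies):
    """True if an outgoing IPsec policy selects this packet (src/dst selectors)."""
    return any(ip_address(pkt.src) in ip_network(p.src)
               and ip_address(pkt.dst) in ip_network(p.dst) for p in policies)


def ipsec_policy(direction, state, pkt, policies):
    """Emulate the 'ipsec-policy=<direction>,<state>' firewall matcher.

    out,ipsec -> packet will be encapsulated by a policy
    out,none  -> packet is not selected by any outgoing policy
    in,ipsec  -> packet was decapsulated by IPsec
    in,none   -> packet did not arrive through IPsec
    """
    matched = out_policy_match(pkt, policies) if direction == "out" else pkt.decapsulated
    return matched if state == "ipsec" else not matched


def srcnat(pkt, policies, bypass_ipsec=True):
    """Run the masquerade rule and return the (possibly rewritten) packet.

    bypass_ipsec=True models the defconf rule with ipsec-policy=out,none;
    False models the plain wiki rule with no ipsec-policy matcher.
    """
    if pkt.out_list != "WAN":
        return pkt
    if bypass_ipsec and not ipsec_policy("out", "none", pkt, policies):
        return pkt  # rule does not match: source kept, policy still selects it
    return replace(pkt, src=WAN_ADDR)


def egress(pkt, policies, bypass_ipsec=True):
    """Return (source address on the wire, whether IPsec encrypts the packet)."""
    natted = srcnat(pkt, policies, bypass_ipsec)
    return natted.src, out_policy_match(natted, policies)


def forward(pkt, policies, with_defconf_ipsec_rules=True):
    """Evaluate a reduced forward chain and return the action taken."""
    rules = []
    if with_defconf_ipsec_rules:
        rules += [("accept", lambda p: ipsec_policy("in", "ipsec", p, policies)),
                  ("accept", lambda p: ipsec_policy("out", "ipsec", p, policies))]
    # Assumed simplification of defconf: drop new connections from WAN unless dst-natted.
    rules.append(("drop", lambda p: p.in_list == "WAN" and not p.dstnat))
    rules.append(("accept", lambda p: True))
    for action, match in rules:
        if match(pkt):
            return action


if __name__ == "__main__":
    to_internet = Packet("192.168.88.10", "198.51.100.7")
    to_remote_lan = Packet("192.168.88.10", "10.10.0.5")
    from_remote_lan = Packet("10.10.0.5", "192.168.88.10", in_list="WAN",
                             out_list="LAN", decapsulated=True)
    print("internet  :", egress(to_internet, POLICIES))
    print("vpn/defconf:", egress(to_remote_lan, POLICIES))
    print("vpn/wiki   :", egress(to_remote_lan, POLICIES, bypass_ipsec=False))
    print("decap/defconf:", forward(from_remote_lan, POLICIES))
    print("decap/no rule:", forward(from_remote_lan, POLICIES, False))
```

Tracing the constructed packets shows the point of both defconf rules: ordinary LAN-to-internet traffic is masqueraded either way, but traffic destined for the remote subnet keeps its LAN source only with `ipsec-policy=out,none`, so it still matches the policy selector and gets encrypted; with the plain wiki rule the source becomes the WAN address, the policy no longer selects it, and it would leave the router outside the tunnel. On the inbound side, the decapsulated reply is accepted by `ipsec-policy=in,ipsec`; without that rule the "drop from WAN" rule would discard it.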