timjee
October 28, 2024, 7:52am
1
I am setting up an IPSec tunnel to Axis Security SSE platform
There isn’t much documentation surrounding the IPSec itself, see link below
https://docs.axissecurity.com/docs/configuring-ipsec-tunnels
The config seems pretty straightforward, and it does connect and seems to function, however I seem to have 3 issues that I need some assistance with
I’ve tried using Mode Configs to specify certain devices to route through this IPSec Tunnel, however when I add a Mode Config to the Identity the Profile never completes Phase2
If I use a Group Template, the profile doesn’t connect
When I have the IPSec connected as a standalone profile, the dst-nat rules seem to no longer accept traffic and I can’t access the mikrotik remotely
This is the IPSec configuration
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="AxisIPSec"
/ip ipsec peer add address=ipsec-proxy-geo.axisapps.io disabled=yes exchange-mode=ike2 name="Aruba Primary" profile="AxisIPSec"
/ip ipsec peer add address=ipsec-proxy-secondary-geo.axisapps.io disabled=yes exchange-mode=ike2 name=ipsec-proxy-secondary-geo.axisapps.io profile="AxisIPSec"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-ctr,aes-256-gcm lifetime=1d name="Aruba Proposal" pfs-group=modp2048
/ip ipsec identity add generate-policy=port-strict my-id=user-fqdn:user@email.com peer=AxisIPSec_Primary remote-id=user-fqdn:user@email.com
/ip ipsec identity add disabled=yes generate-policy=port-strict my-id=user-fqdn:user@email.com peer=AxisIPSec_Secondary remote-id=user-fqdn:user@email.com
/ip ipsec policy set 0 disabled=yes
/ip ipsec policy add action=none dst-address=10.0.0.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.10.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.16.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.77.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.128.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.177.0/24 src-address=0.0.0.0/0
/ip ipsec policy add dst-address=0.0.0.0/0 level=unique peer=AxisIPSec_Primary proposal=AxisIPSec_Proposal src-address=0.0.0.0/0 tunnel=yes
/ip ipsec policy add disabled=yes dst-address=0.0.0.0/0 level=unique peer=AxisIPSec_Secondary proposal=AxisIPSec_Proposal src-address=0.0.0.0/0 tunnel=yes
This is my firewall config
/ip firewall address-list add address=ipsec-proxy-geo.axisapps.io list="AxisIPSec"
/ip firewall address-list add address=ipsec-proxy-secondary-geo.axisapps.io list="AxisIPSec"
/ip firewall filter add action=accept chain=input comment="Allowed WAN Input on Service Ports" connection-mark="Service Ports" in-interface-list=WAN src-address-list="Allow WAN"
/ip firewall filter add action=accept chain=input src-address-list=AxisIPSec
/ip firewall filter add action=accept chain=forward dst-address-list=AxisIPSec
/ip firewall filter add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall filter add action=accept chain=forward ipsec-policy=in,ipsec
/ip firewall filter add action=drop chain=input comment="Drop all Other WAN Input on Service Ports" connection-mark="Service Ports" in-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Allow Established and Related Connections" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid
/ip firewall filter add action=accept chain=forward in-interface-list=LAN
/ip firewall mangle add action=log chain=prerouting ipsec-policy=in,ipsec log-prefix=IPSec-IN
/ip firewall mangle add action=log chain=postrouting ipsec-policy=out,ipsec log-prefix=IPSec-OUT
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - FTP" dst-port=21 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - SSH" dst-port=22 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - Telnet" dst-port=23 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - DNS" dst-port=53 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - DNS" dst-port=53 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=udp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - HTTP" dst-port=80 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - IPSec" dst-port=500 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=udp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - OpenVPN" dst-port=1194 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=udp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - OpenVPN" dst-port=1194 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - L2TP" dst-port=1701 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=udp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - PPTP" dst-port=1723 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - IPSec" dst-port=4500 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=udp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - Winbox" dst-port=8291 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - API" dst-port=8728 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - API SSL" dst-port=8729 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall nat add action=accept chain=srcnat ipsec-policy=out,ipsec
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
If there’s any other info that’s needed, please let me know
Any help will be greatly appreciated, been fighting with this config for some time now
sindy
October 28, 2024, 11:06am
2
I’ve tried using Mode Configs to specify certain devices to route through this IPSec Tunnel, however when I add a Mode Config to the Identity the Profile never completes Phase2
The purpose of Mode Config is similar to DHCP - the initiator may ask the responder to assign it an IP address and a list of destination subnets for the policies to be created (equivalent to a routing table) and maybe a list of DNS servers, and the responder may provide this information. Your description of the intended use sounds to me as if you expect something different from the mode config than what it is designed for, and the configuration you have posted does not contain any mode-config item so it cannot be used to verify the assumption.
If I use a Group Template, the profile doesn’t connect
Again, no example in the config. A policy template group is used when you generate the policies dynamically from the suggestions received from the other peer, i.e. the policies on the other peer must either be configured manually or it may request information using Mode Config and create its policy suggestions using that information.
When I have the IPSec connected as a standalone profile, the dst-nat rules seem to no longer accept traffic and I can’t access the mikrotik remotely
Yet another time no example of an action=dst-nat rule in the config, but I don’t think it is relevant anyway. The thing is that IPsec policies not only override the results of regular routing but also filter incoming traffic, in the sense that if the traffic selector of an IPsec policy matches an incoming packet that did not come via the IPsec SA linked to that policy, the router silently drops it because that’s what the IPsec RFC says.
You have quite a lot of exception policies, but none of them excludes the traffic to/from the public address of the Mikrotik from getting handled by the 0.0.0.0/0 ↔ 0.0.0.0/0 policy.
timjee
October 28, 2024, 11:24am
3
Thanks Sindy, it seems I managed to add everything except what was needed for the questions, and that I have completely misunderstood Mode-Config, but I have also had a response from the provider that they don’t support split tunneling, so it’s everything or nothing
I suspect they may also be the reason why the Template Policy Group doesn’t function
I host a Unifi Controller on-prem for multiple clients, the rules are just below
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=3478 in-interface-list=WAN protocol=udp to-addresses=192.168.77.222 to-ports=3478
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=8080 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.222 to-ports=8080
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=8443 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.222 to-ports=8443
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=8843 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.222 to-ports=8843
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=8880 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.222 to-ports=8880
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=8883 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.222 to-ports=8883
The exceptions are for the multiple LAN ranges, if they aren’t set then I don’t get any breakout from my internal devices
From what I’m understanding, I should have a Policy like so
/ip ipsec policy add action=none dst-address=publicip/32 src-address=0.0.0.0/0
to allow the external traffic back into my network
sindy
October 28, 2024, 11:47am
4
There is still some manoeuvring space between split tunneling and 0.0.0.0/0<->0.0.0.0/0, but not knowing what you actually need to tunnel them it is hard to guess whether you can actually use that space. In any case, policy based traffic selection is only useful for simple topologies; for more complicated ones, it is always easier to use IPsec encryption to protect a GRE or IPIP tunnel and use regular routing to decide what to send via the tunnel and what to send directly. But I’ve got no clue whether the Axis Security supports such kind of tunnels.
It may be a misunderstanding again. If the Axis thing expects a policy suggestion from you, you must provide one, which means you must configure the policy statically as you do now, and hence there is no use for Policy Templates on your end.
From what I’m understanding, I should have a Policy like so
/ip ipsec policy add action=none dst-address=publicip/32 src-address=0.0.0.0/0
to allow the external traffic back into my network
Exactly.
timjee
October 28, 2024, 12:34pm
5
I have had a look at GRE and IPIP, but this setup explicitly requires IPSec
It would have been easier for routing if I could use the other options, but will have to work with what they offer and put through some suggestions to them for future deployments
I’ll get that IPSec Policy implemented and do more testing this evening, hopefully I don’t break it and have to go out in the middle of the night again
I’ve seen a few of your posts, always very detailed and helpful
Thank you for your assistance, I will let you know if I run into any other issues
timjee
October 28, 2024, 3:23pm
6
I made the change, however I still don’t seem to be able to access the dst-nat services
sindy
October 28, 2024, 4:31pm
7
That’s strange. Please post the complete config export, obfuscating the public addresses by replacing their first three bytes using find&replace to prevent losing the consistency of the information. Don’t forget to obfuscate also serial numbers, MAC addresses, and usernames for external services - by default, only passwords are obfuscated in the export (and in RouterOS 6, you have to explicitly add a hide-sensitive parameter to the export command).
timjee
October 29, 2024, 12:21pm
8
Hi Sindy,
This is the full, obfuscated, config
# 2024-10-29 12:36:50 by RouterOS 7.15.3
# software id = LVWM-F0G5
#
# model = RB4011iGS+
# serial number = AABBCCAABBCC
/interface ethernet set [ find default-name=sfp-sfpplus1 ] name=LightStruck
/interface ethernet set [ find default-name=ether1 ] name=ether1-LAN
/interface ethernet set [ find default-name=ether2 ] name=ether2-Technical
/interface ethernet set [ find default-name=ether6 ] name=ether6-OpenServe
/interface pppoe-client add disabled=no interface=ether6-OpenServe name=OpenServe user=user@example.com
/interface vlan add interface=ether1-LAN name=vlan10-Mobile vlan-id=10
/interface vlan add interface=ether1-LAN name=vlan128-Phones vlan-id=128
/interface list add name=WAN
/interface list add name=LAN
/ip ipsec policy group add name=AxisIPSec_Group
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=AxisIPSec_Profile
/ip ipsec peer add address=ipsec-proxy-geo.axisapps.io disabled=yes exchange-mode=ike2 name=AxisIPSec_Primary profile=AxisIPSec_Profile
/ip ipsec peer add address=ipsec-proxy-secondary-geo.axisapps.io disabled=yes exchange-mode=ike2 name=AxisIPSec_Secondary profile=AxisIPSec_Profile
/ip ipsec proposal set [ find default=yes ] disabled=yes
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-ctr,aes-256-gcm lifetime=1d name=AxisIPSec_Proposal pfs-group=modp2048
/ip pool add name=dhcp_pool0 ranges=192.168.77.1-192.168.77.100
/ip pool add name=dhcp_pool1 ranges=192.168.10.1-192.168.10.100
/ip pool add name=dhcp_pool2 ranges=192.168.128.1-192.168.128.100
/ip pool add name=dhcp_pool3 ranges=192.168.177.1-192.168.177.100
/ip pool add name=dhcp_pool4 ranges=10.0.0.1-10.0.0.2
/ip dhcp-server add address-pool=dhcp_pool0 interface=ether1-LAN lease-time=1d name=dhcp1
/ip dhcp-server add address-pool=dhcp_pool1 interface=vlan10-Mobile lease-time=1d name=dhcp2
/ip dhcp-server add address-pool=dhcp_pool2 interface=vlan128-Phones lease-time=1d name=dhcp3
/ip dhcp-server add address-pool=dhcp_pool3 interface=ether2-Technical lease-time=1d name=dhcp4
/ip dhcp-server add address-pool=dhcp_pool4 interface=ether3 lease-time=1d name=dhcp5
/port set 0 name=serial0
/port set 1 name=serial1
/ppp profile set *0 only-one=no
/queue tree add burst-limit=400M burst-threshold=400M burst-time=3s limit-at=400M max-limit=400M name="All Bandwidth" parent=global
/queue tree add burst-limit=200M burst-threshold=200M burst-time=3s limit-at=200M max-limit=200M name=Download packet-mark=Download parent="All Bandwidth" priority=1
/queue tree add burst-limit=200M burst-threshold=200M burst-time=3s limit-at=200M max-limit=200M name=Upload packet-mark=Upload parent="All Bandwidth" priority=1
/queue tree add burst-limit=20M burst-threshold=20M burst-time=3s limit-at=5M max-limit=20M name=Download_Other packet-mark=Download_Other parent=Download
/queue tree add burst-limit=2M burst-threshold=2M burst-time=3s limit-at=2M max-limit=2M name=Download_Phones packet-mark=Download_Phones parent=Download priority=1
/queue tree add burst-limit=200M burst-threshold=200M burst-time=3s limit-at=172M max-limit=200M name=Download_Main packet-mark=Download_Main parent=Download priority=2
/queue tree add burst-limit=50M burst-threshold=50M burst-time=3s limit-at=20M max-limit=50M name=Download_Mobile packet-mark=Download_Mobile parent=Download priority=6
/queue tree add burst-limit=200M burst-threshold=200M burst-time=3s limit-at=172M max-limit=200M name=Upload_Main packet-mark=Upload_Main parent=Upload priority=2
/queue tree add burst-limit=50M burst-threshold=50M burst-time=3s limit-at=20M max-limit=50M name=Upload_Mobile packet-mark=Upload_Mobile parent=Upload priority=6
/queue tree add burst-limit=2M burst-threshold=2M burst-time=3s limit-at=2M max-limit=2M name=Upload_Phones packet-mark=Upload_Phones parent=Upload priority=1
/queue tree add burst-limit=20M burst-threshold=20M burst-time=3s limit-at=5M max-limit=20M name=Upload_Other packet-mark=Upload_Other parent=Upload
/queue tree add burst-limit=10M burst-threshold=10M burst-time=3s limit-at=1M max-limit=10M name=Upload_Rec packet-mark=Upload_Rec parent=Upload priority=5
/queue tree add burst-limit=10M burst-threshold=10M burst-time=3s limit-at=1M max-limit=10M name=Download_Rec packet-mark=Download_Rec parent=Download priority=5
/interface list member add interface=LightStruck list=WAN
/interface list member add interface=OpenServe list=WAN
/interface list member add interface=ether1-LAN list=LAN
/interface list member add interface=vlan10-Mobile list=LAN
/interface list member add interface=vlan128-Phones list=LAN
/interface list member add interface=ether2-Technical list=LAN
/interface list member add interface=ether3 list=LAN
/ip address add address=192.168.77.254/24 interface=ether1-LAN network=192.168.77.0
/ip address add address=192.168.10.254/24 interface=vlan10-Mobile network=192.168.10.0
/ip address add address=192.168.128.254/24 interface=vlan128-Phones network=192.168.128.0
/ip address add address=192.168.16.254/24 interface=LightStruck network=192.168.16.0
/ip address add address=192.168.177.254/24 interface=ether2-Technical network=192.168.177.0
/ip address add address=10.0.0.254/24 interface=ether3 network=10.0.0.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add add-default-route=no interface=LightStruck
/ip dhcp-server network add address=10.0.0.0/24 dns-server=10.0.0.254 gateway=10.0.0.254
/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.10.254 gateway=192.168.10.254
/ip dhcp-server network add address=192.168.77.0/24 dns-server=192.168.77.251 domain=domain.com gateway=192.168.77.254
/ip dhcp-server network add address=192.168.128.0/24 dns-server=192.168.128.254 gateway=192.168.128.254
/ip dhcp-server network add address=192.168.177.0/24 gateway=192.168.177.254
/ip dns set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list add address=208.70.88.4 list="N-Able Support"
/ip firewall address-list add address=62.253.153.163 list="N-Able Support"
/ip firewall address-list add address=212.187.250.0/28 list="N-Able Support"
/ip firewall address-list add address=ipsec-proxy-geo.axisapps.io list=AxisIPSec
/ip firewall address-list add address=ipsec-proxy-secondary-geo.axisapps.io list=AxisIPSec
/ip firewall address-list add address=192.168.77.69 list="Test AxisIPSec"
/ip firewall address-list add address=192.67.147.100 list="Allow WAN"
/ip firewall filter add action=accept chain=forward comment="Test rules to allow freepbx test server" src-address=192.168.77.98
/ip firewall filter add action=accept chain=forward dst-address=192.168.77.98
/ip firewall filter add action=accept chain=input dst-address=192.168.77.98
/ip firewall filter add action=accept chain=input comment="Allowed WAN Input on Service Ports" connection-mark="Service Ports" in-interface-list=WAN src-address-list="Allow WAN"
/ip firewall filter add action=accept chain=input comment="Allowed N-Able WAN Input on SSH" disabled=yes dst-port=22 in-interface-list=WAN protocol=tcp src-address-list="N-Able Support"
/ip firewall filter add action=accept chain=input src-address-list=AxisIPSec
/ip firewall filter add action=accept chain=forward dst-address-list=AxisIPSec
/ip firewall filter add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall filter add action=accept chain=forward ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=input comment="Alolow ICMP" in-interface-list=WAN protocol=icmp
/ip firewall filter add action=drop chain=input comment="Drop all Other WAN Input on Service Ports" connection-mark="Service Ports" in-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Allow Established and Related Connections" connection-state=established,related
/ip firewall filter add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid
/ip firewall filter add action=accept chain=forward in-interface-list=LAN
/ip firewall mangle add action=log chain=prerouting ipsec-policy=in,ipsec log-prefix=IPSec-IN
/ip firewall mangle add action=log chain=postrouting ipsec-policy=out,ipsec log-prefix=IPSec-OUT
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - FTP" dst-port=21 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - SSH" dst-port=22 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - Telnet" dst-port=23 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - DNS" dst-port=53 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - DNS" dst-port=53 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=udp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - HTTP" dst-port=80 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - IPSec" dst-port=500 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=udp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - OpenVPN" dst-port=1194 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=udp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - OpenVPN" dst-port=1194 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - L2TP" dst-port=1701 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=udp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - PPTP" dst-port=1723 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - IPSec" dst-port=4500 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=udp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - Winbox" dst-port=8291 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - API" dst-port=8728 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=input comment="Mark Connections - API SSL" dst-port=8729 in-interface-list=WAN new-connection-mark="Service Ports" passthrough=yes protocol=tcp
/ip firewall mangle add action=mark-connection chain=postrouting comment="Mark Connections - All Download" new-connection-mark=Download out-interface-list=LAN passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting comment="Mark Connections - All Upload" in-interface-list=LAN new-connection-mark=Upload passthrough=yes
/ip firewall mangle add action=mark-packet chain=postrouting comment="Mark Packets - All Download" connection-mark=Download new-packet-mark=Download passthrough=yes
/ip firewall mangle add action=mark-packet chain=prerouting comment="Mark Packets - All Upload" connection-mark=Upload new-packet-mark=Upload passthrough=yes
/ip firewall mangle add action=mark-packet chain=postrouting comment="Mark Main LAN Download - Rec" dst-address=192.168.77.38 new-packet-mark=Download_Rec out-interface=ether1-LAN packet-mark=Download passthrough=yes
/ip firewall mangle add action=mark-packet chain=postrouting comment="Mark Main LAN Download" new-packet-mark=Download_Main out-interface=ether1-LAN packet-mark=Download passthrough=yes
/ip firewall mangle add action=mark-packet chain=postrouting comment="Mark Technical LAN Download" new-packet-mark=Download_Technical out-interface=ether2-Technical packet-mark=Download passthrough=yes
/ip firewall mangle add action=mark-packet chain=postrouting comment="Mark Phones Download" new-packet-mark=Download_Phones out-interface=vlan128-Phones packet-mark=Download passthrough=yes
/ip firewall mangle add action=mark-packet chain=postrouting comment="Mark Phones Download" new-packet-mark=Download_Mobile out-interface=vlan10-Mobile packet-mark=Download passthrough=yes
/ip firewall mangle add action=mark-packet chain=postrouting comment="Mark Other Download" new-packet-mark=Download_Other packet-mark=Download passthrough=yes
/ip firewall mangle add action=mark-packet chain=prerouting comment="Mark Main LAN Upload - Rec" in-interface=ether1-LAN new-packet-mark=Upload_Rec packet-mark=Upload passthrough=yes src-address=192.168.77.38
/ip firewall mangle add action=mark-packet chain=prerouting comment="Mark Main LAN Upload" in-interface=ether1-LAN new-packet-mark=Upload_Main packet-mark=Upload passthrough=yes
/ip firewall mangle add action=mark-packet chain=prerouting comment="Mark Technical LAN Upload" in-interface=ether2-Technical new-packet-mark=Upload_Technical packet-mark=Upload passthrough=yes
/ip firewall mangle add action=mark-packet chain=prerouting comment="Mark Phones Upload" in-interface=vlan128-Phones new-packet-mark=Upload_Phones packet-mark=Upload passthrough=yes
/ip firewall mangle add action=mark-packet chain=prerouting comment="Mark Mobile Upload" in-interface=vlan10-Mobile new-packet-mark=Upload_Mobile packet-mark=Upload passthrough=yes
/ip firewall mangle add action=mark-packet chain=prerouting comment="Mark Other Upload" new-packet-mark=Upload_Other packet-mark=Upload passthrough=yes
/ip firewall nat add action=accept chain=srcnat ipsec-policy=out,ipsec
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat disabled=yes
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=3478 in-interface-list=WAN protocol=udp to-addresses=192.168.77.222 to-ports=3478
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=8080 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.222 to-ports=8080
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=8443 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.222 to-ports=8443
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=8843 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.222 to-ports=8843
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=8880 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.222 to-ports=8880
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to Unifi Controller" dst-port=8883 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.222 to-ports=8883
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to N-Central" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.252 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to N-Central" dst-port=5280 in-interface-list=WAN protocol=tcp to-addresses=192.168.77.252 to-ports=5280
/ip firewall nat add action=dst-nat chain=dstnat comment="DNAT to N-Central - N-Able Support" disabled=yes dst-port=22 in-interface-list=WAN protocol=tcp src-address-list="N-Able Support" to-addresses=192.168.77.252 to-ports=22
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip ipsec identity add generate-policy=port-strict my-id=user-fqdn:user@mail.com peer=AxisIPSec_Primary policy-template-group=AxisIPSec_Group remote-id=user-fqdn:user@mail.com
/ip ipsec identity add generate-policy=port-strict my-id=user-fqdn:user@mail.com peer=AxisIPSec_Secondary policy-template-group=AxisIPSec_Group remote-id=user-fqdn:user@mail.com
/ip ipsec policy set 0 disabled=yes
/ip ipsec policy add action=none dst-address=10.0.0.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.10.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.16.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.77.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.128.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.177.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=xxx.xxx.xxx.147/32 src-address=0.0.0.0/0
/ip ipsec policy add disabled=yes dst-address=0.0.0.0/0 level=unique peer=AxisIPSec_Primary proposal=AxisIPSec_Proposal src-address=0.0.0.0/0 tunnel=yes
/ip ipsec policy add disabled=yes dst-address=0.0.0.0/0 level=unique peer=AxisIPSec_Secondary proposal=AxisIPSec_Proposal src-address=0.0.0.0/0 tunnel=yes
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=OpenServe routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.6.254 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/system clock set time-zone-name=Indian/Mauritius
/system identity set name=ScottNET
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=196.4.160.4
/tool bandwidth-server set enabled=no
/tool graphing interface add
/tool graphing queue add
/tool graphing resource add
sindy
October 29, 2024, 1:07pm
9
Sorry, I have missed that the dst-address and src-address of the added action=none policy for the public IP were swapped. 0.0.0.0/0 must be dst-address and xxx.xxx.xxx.147/32 must be src-address .
timjee
October 29, 2024, 1:42pm
10
I tried that yesterday and the internet dropped
No internal devices had access and external access timed out
sindy
October 29, 2024, 1:48pm
11
That makes no sense to me. A policy with action=none just prevents any subsequent policy from picking the packet, so connections that do not need IPsec should not be affected. Maybe I have misunderstood something in your requirements? Or maybe you had dst-address and src-address right but the action was the default encrypt by mistake?
timjee
October 29, 2024, 1:58pm
12
I’ll have to give it an hour for the office to close and I can test again, but I copied the one with dst-address being the public ip and swapped the src and dst around, it was below the policy with public IP as dst-address, but above the policy of 0.0.0.0/0 0.0.0.0/0
sindy
October 29, 2024, 2:08pm
13
Please do, although the way you describe it, you did it correctly.
Other than that, do you intend to use the Axis tunnel to connect to the whole internet or “only” to a bunch of subnets on their end? And will initiators/clients on the remote end of the tunnel connect to responders/servers in your LAN? The reason to ask is that IKEv2 allows the traffic selectors to be negotiated, so instead of 0.0.0.0/0<->0.0.0.0/0, you could use a traffic selector with a single subnet or even a single address on your side together with a src-nat rule to simplify the setup, and the remote party should accept such a restricted selector.
timjee
October 29, 2024, 2:29pm
14
Axis Security provides an SSE platform, the aim of the tunnels is to filter all outbound traffic through this tunnel
With the 0.0.0.0/0<->0.0.0.0/0 policy it works well, however with us having on-prem services I require inbound traffic outside of the IPSec tunnel direct to our public facing IP with dst-nat to the internal addresses
I’ve arranged to do the tests shortly and will confirm the results
timjee
October 29, 2024, 3:12pm
15
The config was good and it works
I realised I didn’t remove/disable the src xxx.xxx.xxx.147/32 dst 0.0.0.0/0, with this disabled I have no issues accessing my onsite resources now
I’ll leave this running for a while to confirm all is in order, but I believe we are good
To confirm, below is the new Policy configurations
/ip ipsec policy add action=none dst-address=10.0.0.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.10.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.16.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.77.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.128.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=192.168.177.0/24 src-address=0.0.0.0/0
/ip ipsec policy add action=none dst-address=0.0.0.0/0 src-address=xxx.xxx.xxx.147/32
/ip ipsec policy add dst-address=0.0.0.0/0 level=unique peer=AxisIPSec_Primary proposal=AxisIPSec_Proposal src-address=0.0.0.0/0 tunnel=yes
/ip ipsec policy add disabled=yes dst-address=0.0.0.0/0 level=unique peer=AxisIPSec_Secondary proposal=AxisIPSec_Proposal src-address=0.0.0.0/0 tunnel=yes
Now to figure out how I can script the enabling of the secondary AxisIPSec tunnel should the Primary go down, but that’s off topic and if I run into issues I can open a new post
Thank you for the assistance, sindy, it has been much appreciated
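Added example (not code from the thread or from MikroTik): a small Python model of the top-down, first-match policy selection that sindy's explanation in post 2 (action=none exceptions, cleartext packets matching an encrypt policy being dropped) and the final policy list in post 15 rely on. It assumes that a policy written as src=A dst=B also governs the mirrored direction B->A for inbound traffic, uses 198.51.100.147 as a constructed stand-in for the obfuscated xxx.xxx.xxx.147, and shows why the exception had to be src=public/32 dst=0.0.0.0/0 rather than the swapped form.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the obfuscated public address xxx.xxx.xxx.147 in the thread.
PUBLIC_IP = "198.51.100.147"
# The six LAN ranges covered by the thread's action=none exception policies.
LAN_RANGES = ["10.0.0.0/24", "192.168.10.0/24", "192.168.16.0/24",
              "192.168.77.0/24", "192.168.128.0/24", "192.168.177.0/24"]


@dataclass
class Policy:
    """One /ip ipsec policy entry: traffic selector plus action (encrypt or none)."""
    src: str
    dst: str
    action: str = "encrypt"   # RouterOS default action is encrypt
    disabled: bool = False

    def selects(self, a: str, b: str) -> bool:
        return (ipaddress.ip_address(a) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(b) in ipaddress.ip_network(self.dst))


def first_match(policies, src_ip, dst_ip, inbound=False):
    """Top-down, first-match selection (assumed model of RouterOS policy order).

    For inbound packets the selector is mirrored: a policy written as
    src=A dst=B also governs packets B->A arriving at the router.
    """
    a, b = (dst_ip, src_ip) if inbound else (src_ip, dst_ip)
    for p in policies:
        if not p.disabled and p.selects(a, b):
            return p
    return None


def outbound_decision(policies, src_ip, dst_ip) -> str:
    """'tunnel' if the packet is grabbed by an encrypt policy, else 'cleartext'."""
    p = first_match(policies, src_ip, dst_ip)
    return "tunnel" if p is not None and p.action == "encrypt" else "cleartext"


def inbound_decision(policies, src_ip, dst_ip, via_sa: bool) -> str:
    """A cleartext packet whose mirrored selector hits an encrypt policy is
    dropped (it should have arrived through the SA); everything else is accepted."""
    p = first_match(policies, src_ip, dst_ip, inbound=True)
    if p is not None and p.action == "encrypt" and not via_sa:
        return "drop"
    return "accept"


def thread_policies(public_exception="correct"):
    """Rebuild the thread's policy list, in order.

    public_exception: 'correct' -> src=PUBLIC_IP/32 dst=0.0.0.0/0 (post 15),
                      'swapped' -> src=0.0.0.0/0 dst=PUBLIC_IP/32 (the first attempt),
                      None      -> no public-IP exception at all.
    """
    pols = [Policy("0.0.0.0/0", net, "none") for net in LAN_RANGES]
    if public_exception == "correct":
        pols.append(Policy(f"{PUBLIC_IP}/32", "0.0.0.0/0", "none"))
    elif public_exception == "swapped":
        pols.append(Policy("0.0.0.0/0", f"{PUBLIC_IP}/32", "none"))
    # The catch-all 0.0.0.0/0 <-> 0.0.0.0/0 tunnel policy towards AxisIPSec_Primary.
    pols.append(Policy("0.0.0.0/0", "0.0.0.0/0", "encrypt"))
    return pols


if __name__ == "__main__":
    client = "203.0.113.5"   # constructed Internet client reaching a dst-nat'ed service
    for variant in ("correct", "swapped", None):
        pols = thread_policies(variant)
        print(f"public exception={variant!s:8} "
              f"reply {PUBLIC_IP}->{client}: {outbound_decision(pols, PUBLIC_IP, client)}, "
              f"cleartext {client}->{PUBLIC_IP}: "
              f"{inbound_decision(pols, client, PUBLIC_IP, via_sa=False)}")
    pols = thread_policies()
    print("LAN->LAN  :", outbound_decision(pols, "192.168.77.10", "192.168.10.20"))
    print("LAN->world:", outbound_decision(pols, "192.168.77.10", "93.184.216.34"))
```

With the swapped exception the reply from the public address still falls through to the 0.0.0.0/0 encrypt policy and is pushed into the tunnel, which is why the dst-nat services looked dead; with the exception written as in post 15 both the reply and the cleartext inbound packet stay outside IPsec.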
sindy
October 29, 2024, 3:20pm
16
You can put a list of two peers to a policy. If you do that, you only need scripting if you want to make sure that the traffic returns to the primary peer once it recovers. But I agree that a separate topic is a better place to discuss that should it prove necessary.