ipsec multiple users

Hi everyone,

I am using certificates to authenticate users: they belong to the same pool, same profiles, peer, etc.

/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=vpn_server generate-policy=port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes

Users will get an IP lease from the 10.88.0.0/24 VPN pool and have access to my local networks 10.10.0.0/24 and 10.20.0.0/24.

I have created an additional user (a certificate for her) and would like to restrict her access to the 10.20.0.0/24 network only.

I just couldn't figure out how I can differentiate that user in the IPsec config so she can only access 10.20.0.0/24. Do I need an additional VPN pool? What else is required?

Thanks a lot

You need a dedicated identity for that user, referring to their individual certificate as remote-certificate, with match-by set to certificate and mode-config set to a mode-config row dedicated for that user, which in turn refers to a dedicated pool (or an individual IP address). Because, as you’ve already found out, the only attribute of a user you can make the firewall rules refer to is that user’s IP address, which is assigned by means of mode-config.

Instead of using firewall rules to control where that user can get, you can also set a dedicated split-include list on that mode-config row, but depending on what operating system that user’s IPsec stack is running, it may not be secure enough - with a Windows initiator, the policy is always negotiated with 0.0.0.0/0 at Mikrotik side, and the split-include list is translated into a list of routes delivered to the client via DHCPINFORM, so the user can manually add other routes and the policy will accept such traffic.
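The following is an added example of the approach described in the answer above; it is not configuration posted by anyone in this thread. It reuses the names from the original post (IKEv2-peer, ikev2-policies, vpn_server, the 10.88.0.0/24 pool) and assumes the restricted user's certificate is imported as user2_cert, that the names pool_user2, user2-cfg and vpn-restricted are free, and that 10.88.0.250 is an unused address inside 10.88.0.0/24. The user gets a fixed address through a dedicated mode-config row, and firewall forward rules keyed on that address allow 10.20.0.0/24 only.

```routeros
# Added example, not from the thread. Assumed names: user2_cert, pool_user2,
# user2-cfg, vpn-restricted; assumed fixed address: 10.88.0.250.

# 1. A dedicated pool with a single address, so this user always gets the same IP.
/ip pool
add name=pool_user2 ranges=10.88.0.250

# 2. A mode-config row that hands out only that pool.
#    Optional: split-include=10.20.0.0/24 would also push only that route to the
#    client, but (as noted above) a Windows client negotiates 0.0.0.0/0 and can add
#    routes by hand, so the firewall rules below remain the real control.
/ip ipsec mode-config
add address-pool=pool_user2 name=user2-cfg

# 3. An identity that is selected by the user's certificate rather than by remote-id.
#    Assumption: this row must be matched in preference to the generic identity, so
#    keep it above the generic row in the identity list.
/ip ipsec identity
add auth-method=digital-signature certificate=vpn_server match-by=certificate \
    remote-certificate=user2_cert generate-policy=port-strict mode-config=user2-cfg \
    peer=IKEv2-peer policy-template-group=ikev2-policies

# 4. Firewall: the only user attribute visible here is the assigned address.
#    An address list keeps the rules reusable for further restricted users.
/ip firewall address-list
add list=vpn-restricted address=10.88.0.250 comment="user2: 10.20.0.0/24 only"

# Place both rules above any rule that accepts traffic from the 10.88.0.0/24 pool.
/ip firewall filter
add chain=forward action=accept src-address-list=vpn-restricted \
    dst-address=10.20.0.0/24 ipsec-policy=in,ipsec \
    comment="restricted VPN users: allow 10.20.0.0/24"
add chain=forward action=drop src-address-list=vpn-restricted \
    comment="restricted VPN users: drop everything else"
```

To verify, connect with the user's certificate and check /ip ipsec active-peers (the dynamic address should be 10.88.0.250) and /ip firewall filter print stats (the drop rule's counters should rise when the client tries to reach 10.10.0.0/24). To restrict another user later, add a second single-address pool, mode-config row and identity, and append the new address to the vpn-restricted list; the two filter rules stay as they are.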

Thank you, Sindy.