IPSec

I have 2 offices. I connected them through an IPsec tunnel.
Mikrotik1 has WAN and LAN interfaces, and Router2 has RWAN and RLAN interfaces.
On Mikrotik1 I left the firewall rule "defconf: drop all from WAN" (drop, chain=input, in-interface=WAN) at the bottom.

Tell me which firewall rules I should write to have access from the remote IPsec network to my LAN (RLAN -> LAN).

I have some access if I write:
add chain=input src-address=<RWAN address>
add chain=forward src-address=<RLAN subnet>
add chain=input src-address=<RLAN subnet> in-interface=WAN

But I'm not sure that it is correct, and it seems this is not enough.

You have to allow inner-tunnel and outer-tunnel traffic separately. I hope you have no problem with the inner-tunnel rules. As to the outer tunnel, you will need to allow 500/UDP and ESP (IP protocol 50) from your peer on the input chain.

Also have a look at the ipsec-policy firewall matcher; it might make your inner-tunnel firewall rules cleaner. Check this wiki page out for details.

I allowed IKE, IPsec-ESP and IPsec-AH.
But I still have problems with the inner-tunnel rules.

Maybe I should write:
add chain=input action=accept comment="ipsec policy matcher" in-interface=WAN ipsec-policy=in,ipsec
add chain=input action=drop comment="drop all" in-interface=WAN log=yes

Your inner-tunnel rules should probably go in chain=forward (I'm not sure you need them in chain=input at all).
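Putting the two replies together (outer-tunnel accepts on input, inner-tunnel accepts on forward via the ipsec-policy matcher), here is a complete RouterOS filter set as an added example. It is not from any post in this thread. The interface names WAN and LAN and the comment of the defconf drop rule come from the original post; the subnets 192.168.88.0/24 (LAN), 192.168.89.0/24 (RLAN) and the peer address 203.0.113.2 (Router2's RWAN) are assumed placeholders and must be replaced with the real values.

```routeros
# Added example, not from the thread. Assumed values:
#   WAN / LAN         = interface names on Mikrotik1 (from the original post)
#   192.168.88.0/24   = LAN behind Mikrotik1 (assumption)
#   192.168.89.0/24   = RLAN behind Router2 (assumption)
#   203.0.113.2       = public address of Router2's RWAN (assumption)
# Filter rules are evaluated top to bottom and stop at the first match, so every
# accept below is inserted above the defconf "drop all from WAN" input rule.

/ip firewall filter
# --- outer tunnel: the encrypted packets arriving on WAN from the peer ---
add chain=input action=accept in-interface=WAN src-address=203.0.113.2 \
    protocol=udp dst-port=500 comment="ipsec: IKE from peer" \
    place-before=[find comment="defconf: drop all from WAN"]
# UDP/4500 is only required when a NAT sits between the two routers (NAT-T).
add chain=input action=accept in-interface=WAN src-address=203.0.113.2 \
    protocol=udp dst-port=4500 comment="ipsec: NAT-T from peer" \
    place-before=[find comment="defconf: drop all from WAN"]
add chain=input action=accept in-interface=WAN src-address=203.0.113.2 \
    protocol=ipsec-esp comment="ipsec: ESP from peer" \
    place-before=[find comment="defconf: drop all from WAN"]

# --- inner tunnel: the decrypted packets, matched by IPsec policy ---
# Decrypted RLAN packets still show in-interface=WAN, so match them on the
# policy, not on the interface. If the forward chain also carries a defconf
# drop for WAN, place these two rules above it as well.
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=192.168.89.0/24 dst-address=192.168.88.0/24 \
    comment="ipsec: RLAN -> LAN"
add chain=forward action=accept ipsec-policy=out,ipsec \
    src-address=192.168.88.0/24 dst-address=192.168.89.0/24 \
    comment="ipsec: LAN -> RLAN"
# Only needed if RLAN hosts must reach the router itself (Winbox, DNS, ping);
# for plain RLAN -> LAN traffic the forward rules are sufficient.
add chain=input action=accept ipsec-policy=in,ipsec \
    src-address=192.168.89.0/24 comment="ipsec: RLAN -> router" \
    place-before=[find comment="defconf: drop all from WAN"]

# If the default masquerade rule on WAN is present, exempt tunnel traffic from
# it; otherwise LAN -> RLAN packets are rewritten before the policy matches.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec \
    src-address=192.168.88.0/24 dst-address=192.168.89.0/24 \
    comment="ipsec: do not NAT tunnel traffic" place-before=0
```

To check that the rules are actually doing the work, run `/ip firewall filter print stats` while pinging a LAN host from RLAN: the "RLAN -> LAN" counter should increase and the "drop all from WAN" counter should stay flat. If the ESP and IKE counters stay at zero, the tunnel itself is not up; `/ip ipsec installed-sa print` should list a pair of SAs with the peer before any inner-tunnel rule can match.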