Is the packet flow diagram still current?

Let's look at https://wiki.mikrotik.com/wiki/Manual%3APacket_Flow:

The path of an ‘output’ packet is:

  • postrouting
    -- src-nat
  • ipsec encryption

I made a lab: IPSec transport mode, an IPSec policy and an L2TP client.
I just added some simple passthrough rules:

/ip firewall nat
add action=passthrough chain=srcnat log=yes log-prefix="SRC-NAT for OUTPUT connection" port=1701 protocol=udp to-addresses=192.0.2.1
add action=passthrough chain=srcnat ipsec-policy=out,ipsec log=yes log-prefix="SRC-NAT for OUTPUT connection with IPSec OUT on" port=1701 protocol=udp to-addresses=192.0.2.1
add action=passthrough chain=srcnat ipsec-policy=out,none log=yes log-prefix="SRC-NAT for OUTPUT connection with IPSec OUT off" port=1701 protocol=udp to-addresses=192.0.2.1

Bring the L2TP client up, and what? Only the first and second rules fire!

I.e. the “SRC-NAT” block in “Postrouting” does not work for an unencrypted “Output” packet?

CCR1016-12G
v6.46.1

If you have an IPSec policy for the destination (either automatic from the L2TP client or manual), then the last rule can’t log anything, because ipsec-policy=out,none won’t match any packets. It would match if you had an L2TP client connecting to an address for which no IPSec policy exists.
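
The behaviour described in the reply above, as an added example that is not part of the original thread and is not RouterOS code: a simplified Python model of the three passthrough rules and the ipsec-policy matcher. The peer addresses are constructed, and a policy is assumed to select traffic by destination address and protocol only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:                  # simplified outbound IPsec policy selector (assumption)
    dst: str                   # dst-address as CIDR
    protocol: str

@dataclass
class Packet:
    dst: str
    protocol: str
    src_port: int
    dst_port: int

def has_out_policy(pkt, policies):
    """True when an outbound policy selects the packet, i.e. it will be encrypted."""
    return any(
        ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(p.dst)
        and p.protocol == pkt.protocol
        for p in policies
    )

# The three srcnat passthrough rules from the question: (log prefix, ipsec-policy value)
RULES = [
    ("SRC-NAT for OUTPUT connection", None),
    ("SRC-NAT for OUTPUT connection with IPSec OUT on", "out,ipsec"),
    ("SRC-NAT for OUTPUT connection with IPSec OUT off", "out,none"),
]

def fired_rules(pkt, policies):
    """Return the log prefixes of the rules that would log this packet."""
    # protocol=udp port=1701 matches when either port is 1701
    if pkt.protocol != "udp" or 1701 not in (pkt.src_port, pkt.dst_port):
        return []
    ipsec = has_out_policy(pkt, policies)
    # out,ipsec matches only packets a policy will encrypt; out,none only the rest
    return [prefix for prefix, matcher in RULES
            if matcher is None or (matcher == "out,ipsec") == ipsec]

# Constructed lab data: one policy covering the L2TP server, none for the other peer
POLICIES = [Policy(dst="203.0.113.10/32", protocol="udp")]
WITH_POLICY = Packet("203.0.113.10", "udp", 1701, 1701)
NO_POLICY = Packet("198.51.100.20", "udp", 1701, 1701)

if __name__ == "__main__":
    print(fired_rules(WITH_POLICY, POLICIES))   # rules 1 and 2
    print(fired_rules(NO_POLICY, POLICIES))     # rules 1 and 3
```

In this model the third rule only logs for the peer that has no policy, which is the case the lab in the question never exercised.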