Packet Mark no longer retained after decrypting IPSec in v6?

Hi,

I’ve had a RB450 running RouterOS 5.26 which I now had to replace with a newer model.
On v5 I had a mangle rule like this:

add action=mark-packet chain=prerouting dst-address-type=local dst-port=4500 log-prefix=MARK new-packet-mark=ipsec-input passthrough=no protocol=udp

I could then use that to match the packets after IPSec decryption:

add action=mark-connection chain=prerouting connection-mark=!ipsec-l2tp dst-port=1701 new-connection-mark=ipsec-l2tp packet-mark=ipsec-input protocol=udp

However it seems that v6.33.3 drops the packet mark after decryption (the second rule never matches).
So how can this be achieved now?

Regards

Max

This actually sounds like correct behavior to me because technically, the inner encapsulated packet is not the same packet as the tunnel packet it arrived in. If you follow the new packet flow diagram for v6, then you’ll see that a loop happens whenever decapsulation occurs and then the inner packet is handled as if it had just arrived at the router natively.

I think you’re going to need to start marking based on the remote source IP or something similar.

So, while I can no longer get the packet marking to work like in v5, there now seems to be a native replacement:

/ip firewall filter> add ipsec-policy=

IpsecPolicy ::= Direction,Policy
  Direction ::= in | out
  Policy ::= ipsec | none

Setting it to “in,ipsec” will only match packets that were decrypted from IPSec.

Definitely looks very nice and tidy.
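As an added example (not Max's configuration, and not taken from the thread), here is how the two v5 rules from the first post could be rewritten for v6 using the ipsec-policy matcher instead of a packet mark. The connection-mark name ipsec-l2tp and the interface name ether1 are assumed; the point is that the mangle rule now matches the decrypted inner packet directly, and the filter rule only accepts L2TP (UDP/1701) when it actually arrived through IPsec, so plaintext L2TP from the WAN is dropped.

```routeros
# Added example, not from the original thread. Assumes RouterOS v6.x,
# WAN on ether1, and L2TP/IPsec clients arriving from the Internet.

/ip firewall mangle
# Match UDP/1701 only when the packet was just decrypted from IPsec
# (ipsec-policy=in,ipsec replaces the old packet-mark=ipsec-input test).
add chain=prerouting ipsec-policy=in,ipsec protocol=udp dst-port=1701 \
    connection-mark=!ipsec-l2tp action=mark-connection \
    new-connection-mark=ipsec-l2tp passthrough=yes comment="L2TP over IPsec"

/ip firewall filter
# Accept L2TP control traffic only if it came in through an IPsec SA.
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP via IPsec"
# Anything claiming to be L2TP on the WAN without IPsec is dropped.
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    action=drop comment="plaintext L2TP not allowed"
```

Once the connection is marked, later rules (queues, routing marks, logging) can keep using connection-mark=ipsec-l2tp exactly as before; only the first-packet classification changed from a carried-over packet mark to the ipsec-policy test.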