Route specific traffic through IPsec connection

RouterOS Beginner Basics
1

Good morning

I want to use my small Mikrotik router for forwarding specific prefixes through an IPsec connection to replace my VPN client on my PC.

Was able to have the router connect to the vpn ipsec server…but I guess some special firewall rule needs to be in place to forward traffic through it?
Is there an example setup how to achieve this?

That would make my life much easier as I work few days from home with several machines connected who need access to the office network.


thanks in advance
richard

2

I’m in the process of making a similar setup right now.
In your case I think you need to mark connections:

chain=prerouting action=mark-connection new-connection-mark=ipsec passthrough=yes connection-state=new dst-address-list=<your_prefix_list> connection-mark=no-mark in-interface-list=lans log=no log-prefix=""

Then you need to modify your mode-config, set

connection-mark=ipsec

and set

src-address-list

to your local addresses.

It will generate a dynamic rule in srcnat chain.

I was following this manual:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication

But they are not using connection marks there, only IP address matching.

3

Hmm…no luck so far…

I see that the NAT rule is dynamically generated with to-address=192.168.43.11, which is the dynamic address handed out by the vpn server…
Can ping this address…but nothing else responds…besides..I don’t see the “new-connection-mark” in the firewall rule section…

Maybe I got the destination address prefix wrong in the ipsec policy setup?
Do I need to set it the the dynamic pool?

4

new-connection-mark is the action for this rule, last tab in Winbox.
This rule will set a new connection mark if other conditions match.
It’s in /ip firewall mangle, chain prerouting.
It’s important, srcnat will later match this connection mark, otherwise srcnat will not trigger.

But I’m still in the process of playing with my own setup, I might miss something here.

In my policy template I have dst-address set to ::/0, it works fine.

5

Your firewall filter just can’t be added as some commands are not recognized, like action=mark-connection and new-connection-mark=xxx.

This is with RouterOS 6.45.6…

6

Are you sure it’s mangle table, prerouting chain?
Ok, let’s see, what actions are available to you?

7

Okay…found it in the GUI…just didn’t worked in CLI as it asked me for “numbers:” in the end…

Does now forward normal traffic through WAN…but those prefixes destined for ipsec are still stuck…

Maybe my freeswan setup misses something…but then again I can connect through the vpn server just fine with macOS and iOS and traffic is relayed through it…

The router gets a dynamic IP, but this isn’t visible/pingable from the vpn server…guess pinging misses a firewall rule then..

8

I’ll show what I came up with today, maybe it can serve you as a reference.
Finally it works as intended.
If your connection is still stuck, try inspecting packet flow in RouterOS with Packet Sniffer tool and on LibreSwan side with tcpdump.

I have my LAN with Mikrotik box here, and on remote I have a Linux VPS.
All traffic generated by chosen apps in LAN (just Firefox for now) are assigned a DSCP value of 42 in IP header on my computers (I use cgroups for that). Those connections are forwarded into IPsec tunnel by the router.
Also, all traffic from guest Wi-Fi network also goes into the tunnel.

Remote side assigns IP address 192.168.5.57 to my router for the tunnel endpoint.

My policies:

[rondo@runesave] /ip firewall address-list> /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #     PEER TUN SRC-ADDRESS                                    DST-ADDRESS                                    PROTOCOL   ACTION  LEVEL  
 0 T *          ::/0                                           ::/0                                           all       
 1              192.168.5.56/29                                192.168.0.0/16                                 all        none   
 2 T            ::/0                                           ::/0                                           all       
 3  DA  ik.. yes 192.168.5.57/32                                0.0.0.0/0                                      all        encrypt unique

Policy #2 (template) is the main one. With this template policy #3 is generated, saying that everything with source IP of 192.168.5.57 (tunnel endpoint) should be encrypted and sent over the tunnel.
Policy #1 I came up with was the hard part. It says that ICMP “fragmentation needed” messasges, used in normal TCP data flow, generated locally on router, also with source IP of 192.168.5.57 and destined for LAN should not be encrypted and go into the tunnel! They should go directly to LAN, thus the action is “none” (leave them alone)
Before I added this policy, things worked, but on many websites some of their resources were broken.

Mangle table

[rondo@runesave] /ip firewall address-list> /ip firewall mangle print 
Flags: X - disabled, I - invalid, D - dynamic 
<...>
5    ;;; detect magic DSCP
      chain=prerouting action=mark-connection new-connection-mark=ipsec passthrough=yes connection-state=new 
      dst-address-list=!direct_route connection-mark=no-mark in-interface-list=lans dscp=42 log=no log-prefix="" 

 6    chain=prerouting action=change-dscp new-dscp=0 passthrough=no in-interface-list=lans dscp=42 log=no log-prefix="" 

 7    ;;; guest Wi-Fi
      chain=prerouting action=mark-connection new-connection-mark=ipsec passthrough=yes connection-state=new src-address=!192.168.4.7 
      dst-address=!192.168.0.0/16 dst-address-list=!direct_route connection-mark=no-mark in-interface=vlan_wifi_guest log=no 
      log-prefix=""

dynamic srcnat rule generated by IPsec subsystem:

/ip firewall address-list> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=192.168.5.57 src-address-list=local dst-address-list=!local connection-mark=ipsec
9

Okay…so for the ipsec connection you have just the policy template nbr. 2 as nbr. 3 is dynamically generated?

So the 192.168.5.56/29 is the remote VPS pool and 192.168/16 is your local LAN, right?

I could add the template policy, but have no clue how it will generate the 3rd policy for the actual ipsec tunnel…

10

Okay…so far I got:

[admin@MikroTik] /ip firewall mangle> /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #     PEER   TUNNEL SRC-ADDRESS                                   DST-ADDRESS                                   PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T *               ::/0                                          ::/0                                          all       
 1                   192.168.43.0/24                               192.168.88.0/24                               all        none   
 2 T                 ::/0                                          ::/0                                          all

Where 192.168.43.0/24 is the remote vpn server pool and 192.168.88.0/24 is the local LAN.

The connection also comes up without problems:

[admin@MikroTik] /ip firewall mangle> /ip ipsec active-peers print
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                                      DYNAMIC-ADDRESS           
 0  N                      established        1m23s                     xxx.yyyy.zzz.81                                      192.168.43.14

But I don’t see any dynamic policy being generated…should this policy be generated when traffic flows towards destinations matching the marked ipsec chain?

11

Bugger…

Missed to set “generate policy” in the identity settings (o;

Now it looks:

[admin@MikroTik] /ip firewall mangle> /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #     PEER   TUNNEL SRC-ADDRESS                                   DST-ADDRESS                                   PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T *               ::/0                                          ::/0                                          all       
 1  DA  vpn... yes    192.168.43.14/32                              0.0.0.0/0                                     all        encrypt unique           1
 2                   192.168.43.0/24                               192.168.88.0/24                               all        none   
 3 T                 ::/0                                          ::/0                                          all

and I can traceroute and see it takes now the vpn server route…

Bow I can also try to add another entry for routing traffic to the office and therefore get rid of the stupid FortiClient (o;


BTW: for the address list I can just add as many prefixes I like under the same name, right?

12

Just testing performance…

Extreme poor performance…takes ages to load a website..especially when its https…

When switching to macOS VPN client all is fine…

Guess something related to MTU over the tunnel?

13

Yes, it’s MTU. I had this exact effect, too.
Move the “none” policy upper in you list, so it has more priority than “encrypt” policy.