n4p
Member Candidate
Topic Author
Posts: 110
Joined: Wed Nov 25, 2015 9:54 pm

IPSec Site to Site Firewall

Mon May 29, 2017 4:10 pm

Hi there!
I'm trying to find out how it would be possible to attach firewall rules to the IPsec site-to-site tunnel.

My goal is to close this tunnel and only allow one TCP protocol on port 3002 and ICMP.

So my question is, what is the right way to do that?

Do I need to set up the rules on the outgoing ports on the router? Or is it possible to enable these rules before, so that I prevent any connection?

Thanks for your help!
 
idlemind
Forum Guru
Posts: 1108
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPSec Site to Site Firewall

Mon May 29, 2017 7:03 pm

Create a policy to identify the traffic to be encrypted. It may be multiple policies in RouterOS. In Cisco land you can define "interesting traffic" in an ACL. If it can only be done with policies you'll get multiple matches.

An alternative approach would be a site to site GRE tunnel wrapped in IPSec. You could target an ACL to that persistently. I'm not sure about the dynamic L2TP interface. You may be able to target that in an ACL as well though.
 
n4p
Member Candidate
Topic Author
Posts: 110
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec Site to Site Firewall

Tue May 30, 2017 5:34 pm

Thanks for the answer,
can you give me a little input on how to configure this?
Or are there any templates for how to do that?

Thanks
 
n4p
Member Candidate
Topic Author
Posts: 110
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec Site to Site Firewall

Thu Jun 22, 2017 5:59 pm

Nobody got an idea to help?
A GRE tunnel or L2TP is not an option,
because my road warriors don't support that.
Would it be possible with a loop from outgoing port 6 to port 7 and a firewall on the unencrypted traffic between port 7 and 8?

Or is this a stupid idea?
 
n4p
Member Candidate
Topic Author
Posts: 110
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec Site to Site Firewall

Sun Jun 25, 2017 2:25 pm

No comment?
Also not on my last idea with routing the encrypted IPsec traffic through 2 ports?
 
idlemind
Forum Guru
Posts: 1108
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPSec Site to Site Firewall

Sun Jun 25, 2017 2:42 pm

Your road warriors will get a dynamic L2TP interface when they connect, unless you're using PPTP or SSTP. Also, road warrior <> site to site, like your post reads.

Last, you should be able to define multiple policies to map your interesting traffic appropriately even for road warriors. There is a section in the wiki on how to use mode conf with groups of policies to express your interesting traffic. Additionally you can definitely split tunnel rules if you need to.

Read the IP/IPSec wiki, it has a ton of examples and configuration ideas.
 
almdandi
newbie
Posts: 40
Joined: Sun May 03, 2015 5:22 pm

Re: IPSec Site to Site Firewall

Sun Jun 25, 2017 3:17 pm

I'm a little bit confused about what you want to do. IPsec site-to-site and road warrior VPN are two different things. Maybe you can give us a look at your IPsec configuration. That would be very helpful.

But if I get you correctly from your first post: the traffic from your second site will appear on the WAN interface at site 1 like normal traffic, after the encryption process. Take a look at this diagram.

https://wiki.mikrotik.com/wiki/Manual:P ... decryption

So just make a normal forward rule that accepts all your allowed traffic. And you should set ipsec-policy=in,ipsec on that rule, so it matches only traffic from an IPsec tunnel.
After your accept rules, add a drop rule to drop the rest.
 
n4p
Member Candidate
Topic Author
Posts: 110
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec Site to Site Firewall

Sun Jun 25, 2017 4:00 pm

Hello!
Thanks for the answer.
The problem is I can't do an IPsec/L2TP setup. The only way I can go is site-to-site.

To understand what I've got:

computer(172.10.20.2)--------3G/UMTS-Modem(172.10.20.1)-------- IPSEC-------Mikrotik(172.10.0.1)------server(172.10.0.2)

The problem is that the modem outside can only do IPsec site-to-site or OpenVPN. So I used IPsec. Everything works fine. But now I would prefer to close unused ports to secure the tunnel.
As already described, the IPsec tunnel is not an interface on the MikroTik router. But I'm still searching for a way to limit ports through the tunnel to the server (172.10.0.2).

One idea is to set the rules outgoing on the connector port of the router, or is that insecure?

Just for info, that is only one schematic diagram; this router currently has 35 setups like this connected.
Thanks for your help!
 
idlemind
Forum Guru
Posts: 1108
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPSec Site to Site Firewall

Sun Jun 25, 2017 4:43 pm

Step 1: Read the MikroTik Wiki article on IP / IPSec.
Step 2: Implement IPSec policies.
Step 3: Tell us all that you have it figured out.

Example policy I use to encrypt an IPv6 GRE tunnel:

/ip ipsec policy add comment="xxx-vpn1 v6" dst-address=2001::2/128 proposal=SiteToSiteVpn1 protocol=gre src-address=2605::953a/128

The traffic that you want to encrypt is defined by src-address, dst-address, src-port, dst-port and protocol values. Additionally you can define other actions than encrypt but that is getting more complex. A good read of the Wiki will help you out.
 
n4p
Member Candidate
Topic Author
Posts: 110
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec Site to Site Firewall

Sun Jun 25, 2017 5:52 pm

Thanks for your instructions,
so if I am right, I can handle that with the policies? I just read the wiki as described.

So if I change the policy so that only TCP traffic from port 3002 is allowed, that should do the trick? Any other traffic will be blocked because it's not encrypted?
Or am I still wrong?

But just for information, I can't configure any policy rules on the modem, so hopefully it's enough if I do this on the MK?

Thanks
 
idlemind
Forum Guru
Posts: 1108
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPSec Site to Site Firewall

Sun Jun 25, 2017 6:38 pm

But just for information, I can't configure any policy rules on the modem, so hopefully it's enough if I do this on the MK? Thanks

Some platforms require the policy to match; Cisco does this. I'm not sure about your modem. It's best practice to match security on both sides.

Alternatively, allow all traffic through the tunnel and restrict it inbound to the MikroTik back to the VPN client. The interfaces and IP addresses would be persistent and it would be a reliable point in the network to apply an ACL. The policy is far more ideal from a CPU and bandwidth perspective.

TLDR; try the policy first. If the IPSec connection has trouble establishing then revert to allowing the whole connection and restricting by a normal forward ACL with the inbound interface selected to match traffic coming from the server to the client.
 
n4p
Member Candidate
Topic Author
Posts: 110
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec Site to Site Firewall

Mon Jun 26, 2017 11:47 pm

Just one piece of information: as far as I know, in the policy I can only specify one protocol or one port. Or am I wrong about that?
I will see tomorrow and try that out.

Just for information, the CPU load and the bandwidth are just idling around, because we've got traffic in the 1-5 kB range and about 1000 packets/hour.
So what I would say is really, really small traffic over the tunnel.
 
idlemind
Forum Guru
Posts: 1108
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPSec Site to Site Firewall

Tue Jun 27, 2017 12:12 am

Each policy builds an SA pair I believe. So you can define multiple policies and you'll get an SA pair to match each one when traffic hits the policy to trigger the need for encryption.

I may be a bit wrong.
 
n4p
Member Candidate
Topic Author
Posts: 110
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec Site to Site Firewall

Thu Jun 29, 2017 5:58 pm

Hi,
I tried your idea with the two policies but it didn't work; if I disable either one, the other one starts working. So I would say my UMTS router doesn't support that.

The second way, with blocking on the bridge (where the local ports are connected), also won't work :(

I tried to add a rule with drop any, but it doesn't drop anything.

Any ideas?
 
idlemind
Forum Guru
Posts: 1108
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPSec Site to Site Firewall

Thu Jun 29, 2017 7:32 pm

Should work. If the ACL is being applied via the MikroTik with ip firewall filter, just make sure you're taking how the traffic flows into account. For example, if all the traffic from this server to the VPN client comes in on ether2, use forward with in-interface of ether2 along with your other qualifiers.
 
n4p
Member Candidate
Topic Author
Posts: 110
Joined: Wed Nov 25, 2015 9:54 pm

Re: IPSec Site to Site Firewall

Thu Jun 29, 2017 9:31 pm

I got it working!
The way it was done is:

I set up 3 forwarding rules with the destination set to the local subnet where the IPsec traffic terminates.
And there I drop everything except ICMP and the specified TCP port.

To make that more sensitive I set up a whitelist which includes the allowed clients.

On the client side I made tests with nmap and it seems that no other ports on the server side are reachable.

See that in the log from the drop rule.

So I hope that's the right way it should be done?

Thanks
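A RouterOS rule set in the shape n4p describes, added here as an illustration and not the configuration from the thread. It assumes the addresses from the earlier diagram (server LAN 172.10.0.0/24, server 172.10.0.2, modem-side host 172.10.20.2 as the only allowed client) and that the forward chain has no earlier blanket accept or fasttrack rule.

```routeros
# Added example (not from the thread): restrict traffic arriving through the
# IPsec site-to-site tunnel to TCP/3002 and ICMP toward the server side.
# Assumptions: server LAN 172.10.0.0/24 with the server at 172.10.0.2, and the
# remote modem LAN host 172.10.20.2 as the only allowed client (addresses are
# the ones from the diagram in the thread).

# Whitelist of remote hosts allowed to reach the server through the tunnel.
/ip firewall address-list
add list=ipsec-allowed-clients address=172.10.20.2 comment="modem LAN host"

# Forward-chain rules. ipsec-policy=in,ipsec limits each rule to packets that
# were just decrypted by an IPsec policy, so ordinary WAN traffic is untouched.
# Order matters: these rules must sit above any general accept or fasttrack
# rule in the chain, otherwise already-tracked flows bypass the drop.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address-list=ipsec-allowed-clients dst-address=172.10.0.2 \
    protocol=tcp dst-port=3002 comment="tunnel: allow application port"
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address-list=ipsec-allowed-clients dst-address=172.10.0.2 \
    protocol=icmp comment="tunnel: allow ping"
# Everything else that arrives decrypted and heads for the server LAN is
# dropped and logged; an nmap run from the client should produce one log line
# per probed port other than 3002.
add chain=forward action=drop ipsec-policy=in,ipsec \
    dst-address=172.10.0.0/24 log=yes log-prefix="ipsec-drop" \
    comment="tunnel: drop the rest"
```

After loading it, `/log print where message~"ipsec-drop"` shows what the final rule is catching, which is the quickest way to confirm it is not swallowing traffic you still need.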
 
idlemind
Forum Guru
Posts: 1108
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: IPSec Site to Site Firewall

Thu Jun 29, 2017 9:54 pm

Yup, sounds right. You might have gotten caught by the default accept behavior vs. the default deny behavior typically seen on firewalls. Like you indicated, by adding a rule that drops everything else you can accomplish what you need. Just make sure it's not catching other traffic that actually needs to get through, by being as specific as possible to accomplish your requirements.

Good luck!
