
IPSec Site to Site Firewall

Posted: Mon May 29, 2017 4:10 pm
by n4p
Hi there!
I am trying to find out how it would be possible to attach firewall rules to the IPsec site-to-site tunnel.

My goal is to close this tunnel and only allow 1 TCP protocol on port 3002 and ICMP.

So my question is, how is the right way for that?

Do I need to set up the rules on the outgoing ports on the router? Or is it possible to enable these rules before, so that I prevent any connection?

Thanks for your help!

Re: IPSec Site to Site Firewall

Posted: Mon May 29, 2017 7:03 pm
by idlemind
Create a policy to identify the traffic to be encrypted. It may be multiple policies in RouterOS. In Cisco land you can define "interesting traffic" in an ACL. If it can only be done with policies you'll get multiple matches.

An alternative approach would be a site to site GRE tunnel wrapped in IPSec. You could target an ACL to that persistently. I'm not sure about the dynamic L2TP interface. You may be able to target that in an ACL as well though.

Re: IPSec Site to Site Firewall

Posted: Tue May 30, 2017 5:34 pm
by n4p
Thanks for answer,
can you give me a little input how to configure this?
Or there are any templates how to do that?

Thanks

Re: IPSec Site to Site Firewall

Posted: Thu Jun 22, 2017 5:59 pm
by n4p
Nobody got an idea for help?
GRE tunnel or L2TP is not an option,
because my road warriors don't support that.
Would it be possible with a loop from outgoing port 6 to port 7 and firewall unencrypted between port 7 and 8?

Or is this a stupid idea?

Re: IPSec Site to Site Firewall

Posted: Sun Jun 25, 2017 2:25 pm
by n4p
No Comment?
Also not to my last idea with routing the encrypted IPsec traffic through 2 ports?

Re: IPSec Site to Site Firewall

Posted: Sun Jun 25, 2017 2:42 pm
by idlemind
Your road warriors will get a dynamic L2TP interface when they connect, unless you're using PPTP or SSTP. Also, road warrior <> site to site, like your post reads.

Last, you should be able to define multiple policies to map your interesting traffic appropriately even for road warriors. There is a section in the wiki on how to use mode conf with groups of policies to express your interesting traffic. Additionally you can definitely split tunnel rules if you need to.

Read the IP/IPSec wiki, it has a ton of examples and configuration ideas.

Re: IPSec Site to Site Firewall

Posted: Sun Jun 25, 2017 3:17 pm
by almdandi
I'm a little bit confused about what you want to do. IPsec site-to-site and road warrior VPN are two different things. Maybe you can give us a look at your IPsec configuration. That would be very helpful.

But if I get you correctly from your first post: the traffic from your second site will appear on the WAN interface at site 1 like normal traffic, after the decryption process. Take a look at this diagram.

https://wiki.mikrotik.com/wiki/Manual:P ... decryption

So just make a normal forward rule that accepts all your allowed traffic. And you should set ipsec-policy=in,ipsec on that rule, so it matches only traffic from an IPsec tunnel.
After your accept rules, add a drop rule to drop the rest.

Re: IPSec Site to Site Firewall

Posted: Sun Jun 25, 2017 4:00 pm
by n4p
Hello!
Thanks for answer.
The problem is I can't do an IPsec/L2TP setup. The only way I can go is site-to-site.

To understand what i got:

computer(172.10.20.2)--------3G/UMTS-Modem(172.10.20.1)-------- IPSEC-------Mikrotik(172.10.0.1)------server(172.10.0.2)

The problem is that the modem outside can only do IPsec site-to-site or OpenVPN. So I used IPsec. Everything works fine. But now I would prefer to close unused ports to secure the tunnel.
As already described, the IPsec tunnel is not an interface on the MikroTik router. But I am still searching for a way to limit ports through the tunnel to the server (172.10.0.2).

An idea is to set the rules outgoing on the connector port of the router, or is that insecure?

Just for info, that is only one schematic diagram; this router currently has 35 setups like this connected.
thanks for your help!

Re: IPSec Site to Site Firewall

Posted: Sun Jun 25, 2017 4:43 pm
by idlemind
Step 1: Read the MikroTik Wiki article on IP / IPSec.
Step 2: Implement IPSec policies.
Step 3: Tell us all that you have it figured.

Example policy I use to encrypt an IPv6 GRE tunnel:

/ip ipsec policy add comment="xxx-vpn1 v6" dst-address=2001::2/128 proposal=SiteToSiteVpn1 protocol=gre src-address=2605::953a/128

The traffic that you want to encrypt is defined by src-address, dst-address, src-port, dst-port and protocol values. Additionally you can define other actions than encrypt but that is getting more complex. A good read of the Wiki will help you out.

Re: IPSec Site to Site Firewall

Posted: Sun Jun 25, 2017 5:52 pm
by n4p
Thanks for your instruction,
so if I am right, I can handle that with the policies? I just read the wiki as described.

So if I change the policy so that only TCP traffic from port 3002 is allowed, that should do the trick? Any other traffic will be blocked because it is not encrypted?
Or am I still wrong?

But just for information, I can't configure any policy rules on the modem, so hopefully it's enough if I do this on the MK?

Thanks

Re: IPSec Site to Site Firewall

Posted: Sun Jun 25, 2017 6:38 pm
by idlemind
Quote: "But just for information, I can't configure any policy rules on the modem, so hopefully it's enough if I do this on the MK? Thanks"
Some platforms require the policy to match, Cisco does this. I'm not sure about your modem. It's best practice to match security on both sides.

Alternatively, allow all traffic through the tunnel and restrict it inbound to the MikroTik back to the VPN client. The interfaces and IP addresses would be persistent and it would be a reliable point in the network to apply an ACL. The policy is far more ideal from a CPU and bandwidth perspective.

TLDR; try the policy first. If the IPSec connection has trouble establishing then revert to allowing the whole connection and restricting by a normal forward ACL with the inbound interface selected to match traffic coming from the server to the client.

Re: IPSec Site to Site Firewall

Posted: Mon Jun 26, 2017 11:47 pm
by n4p
Just one piece of information: as far as I know, in the policy I can only specify one protocol or one port. Or am I wrong with my information?
I will see tomorrow and try that out.

Just for information, the CPU load and the bandwidth are just idling around, because we got traffic in 1-5 kB ranges and about 1000 packets/hour.
So what i would say, really really small traffic over the tunnel.

Re: IPSec Site to Site Firewall

Posted: Tue Jun 27, 2017 12:12 am
by idlemind
Each policy builds an SA pair I believe. So you can define multiple policies and you'll get an SA pair to match each one when traffic hits the policy to trigger the need for encryption.

I may be a bit wrong.

Re: IPSec Site to Site Firewall

Posted: Thu Jun 29, 2017 5:58 pm
by n4p
Hi
I tried your idea with the two policies but it didn't work; if I disable either one, the other one starts working. So I would say my UMTS router doesn't support that.

The second way, with blocking the bridge (where the local ports are connected), also won't work :(

I tried to add a rule with drop any but it doesn't drop anything.

Any ideas?

Re: IPSec Site to Site Firewall

Posted: Thu Jun 29, 2017 7:32 pm
by idlemind
Should work. If the ACL is being applied via the MikroTik with ip firewall filter just make sure you're taking how the traffic flows into account. For example if all the traffic for this server to the VPN client comes in ether2 use forward with in-interface of ether2 along with your other qualifiers.

Re: IPSec Site to Site Firewall

Posted: Thu Jun 29, 2017 9:31 pm
by n4p
I got it working!
The way how it was done is:

I set up 3 forwarding rules with destination the local subnet where the IPsec traffic terminates.
And there I drop all except ICMP and the specified TCP port.

To make that more sensitive I set up a whitelist which includes the allowed clients.

On the client side I made tests with nmap and it seems that no other ports on the server side are reachable.

See that in the log from the Drop rule.

So I hope that's the right way how it was done?

Thanks
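The rule set almdandi outlined and n4p ended up with (accept only tcp/3002 and ICMP that arrived through the IPsec tunnel from whitelisted clients, then drop and log the rest), written out as an added RouterOS example that is not part of the thread. It assumes the server LAN is 172.10.0.0/24 and the client side is 172.10.20.0/24 (the thread only names single hosts), and that the WAN interface is ether1.

```routeros
# Added example, not from the thread. Assumed: server LAN 172.10.0.0/24,
# remote client subnet 172.10.20.0/24, WAN interface ether1, service tcp/3002.

# Whitelist of client subnets that may reach the server LAN through the tunnel.
/ip firewall address-list
add list=vpn-clients address=172.10.20.0/24 comment="site A clients (constructed)"

/ip firewall filter
# Reply packets of already accepted flows pass without re-evaluation,
# so the server's answers to the client are covered by this single rule.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies of accepted connections"

# ipsec-policy=in,ipsec matches only packets that RouterOS just decrypted,
# so plaintext arriving on the WAN never matches these accept rules.
add chain=forward ipsec-policy=in,ipsec src-address-list=vpn-clients \
    dst-address=172.10.0.0/24 protocol=tcp dst-port=3002 action=accept \
    comment="tunnel: allow tcp/3002"

add chain=forward ipsec-policy=in,ipsec src-address-list=vpn-clients \
    dst-address=172.10.0.0/24 protocol=icmp action=accept \
    comment="tunnel: allow icmp"

# Order matters: this drop must sit below the accepts. log=yes gives the
# entries n4p used to confirm that the client-side port scan was blocked.
add chain=forward ipsec-policy=in,ipsec dst-address=172.10.0.0/24 \
    action=drop log=yes log-prefix="ipsec-drop" \
    comment="tunnel: drop everything else"

# Unencrypted traffic from the WAN towards the server LAN (for example a
# host spoofing a client address) is not tunnel traffic and is dropped too.
add chain=forward in-interface=ether1 ipsec-policy=in,none \
    dst-address=172.10.0.0/24 action=drop log=yes log-prefix="wan-drop" \
    comment="WAN: no plaintext access to server LAN"
```

Verify with /ip firewall filter print stats after a client-side scan: only the tcp/3002 and icmp accept counters and the ipsec-drop counter should increase.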

Re: IPSec Site to Site Firewall

Posted: Thu Jun 29, 2017 9:54 pm
by idlemind
Yup sounds right, you might have gotten caught by the default accept behavior vs the default deny behavior typically seen on firewalls. Like you indicated by adding a rule that drops everything else you can accomplish what you need. Just make sure it's not catching other traffic that actually needs to get through by being as specific as possible to accomplish your requirements.

Good luck!