I need to securely connect two routed networks, so I decided to use an IPIP tunnel over IPSec running in transport mode between the gateways.
Also, unencrypted traffic must not run between the networks.
So I configured IPSec and the IPIP tunnel.
Also, on both gateways I made filter rules to prevent non-IPSec traffic between them.
Below are the simple configs from both gateways (for the tests I use CHR and RouterOS 6.40.5):
Config 1:
/ip address> pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 10.19.1.2/24 10.19.1.0 ether1
1 192.168.1.1/24 192.168.1.0 ether2
2 10.0.1.1/30 10.0.1.0 ipip-tunnel1
/interface ipip> pr
Flags: X - disabled, R - running, D - dynamic
# NAME MTU ACTUAL-MTU LOCAL-ADDRESS REMOTE-ADDRESS KEEPALIVE DSCP
0 R ipip-tunnel1 auto 1430 0.0.0.0 10.19.2.2 10s,10 inherit
/ip firewall filter> pr chain=input
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=drop connection-state=invalid log=no log-prefix=""
1 chain=input action=accept connection-state=established,related log=no log-prefix=""
2 ;;; IKE
chain=input action=accept protocol=udp src-address=10.19.2.2 dst-port=500 log=no log-prefix=""
3 ;;; IPSEC
chain=input action=accept src-address=10.19.2.2 log=no log-prefix="" ipsec-policy=in,ipsec
4 chain=input action=drop src-address=10.19.2.2 log=no log-prefix=""
Config 2:
/ip address> pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 10.19.2.2/24 10.19.2.0 ether1
1 192.168.2.1/24 192.168.2.0 ether2
2 10.0.1.2/30 10.0.1.0 ipip-tunnel1
/interface ipip> pr
Flags: X - disabled, R - running, D - dynamic
# NAME MTU ACTUAL-MTU LOCAL-ADDRESS REMOTE-ADDRESS KEEPALIVE DSCP
0 R ipip-tunnel1 auto 1430 0.0.0.0 10.19.1.2 10s,10 inherit
/ip firewall filter> pr chain=input
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=drop connection-state=invalid log=no log-prefix=""
1 chain=input action=accept connection-state=established,related log=no log-prefix=""
2 ;;; IKE
chain=input action=accept protocol=udp src-address=10.19.1.2 dst-port=500 log=no log-prefix=""
3 ;;; IPSEC
chain=input action=accept src-address=10.19.1.2 log=no log-prefix="" ipsec-policy=in,ipsec
4 chain=input action=drop src-address=10.19.1.2 log=no log-prefix=""
When IPSec is running, I can connect from 10.19.1.2 to 10.19.2.2 and from 192.168.1.0/24 to 192.168.2.0/24.
When I stop IPSec to check the rules, strange things happen: I still can connect from 192.168.1.0/24 to 192.168.2.0/24, but can't between 10.19.1.2 and 10.19.2.2.
I see that the "accept established,related" rule in the input chain matches, even when I drop the IPIP tunnel and clear connection tracking.
How do I stop non-IPSec traffic between the networks?
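One defensive ordering of the input chain, added here as an example that is not part of the original post. It uses the addresses from Config 2 (gateway 10.19.2.2, peer 10.19.1.2), keeps the IKE port at udp/500 as in the post, and assumes RouterOS's ipsec-policy matcher (in,none / in,ipsec) and the ipsec-esp protocol name; the point is that a drop for cleartext traffic from the peer is placed before the established,related accept, so connection-tracking state can no longer let unencrypted IPIP packets through:

```routeros
# Added example: input chain for gateway 2 (10.19.2.2); the peer is 10.19.1.2.
# Nothing from the peer is accepted unless it was decrypted by IPsec, and the
# cleartext drop sits BEFORE connection-state=established,related.
/ip firewall filter
add chain=input action=drop connection-state=invalid
# IKE negotiation from the peer (udp/500, as in the original config)
add chain=input action=accept protocol=udp src-address=10.19.1.2 dst-port=500 comment="IKE"
# The ESP packets themselves must reach the IPsec stack to be decrypted
add chain=input action=accept protocol=ipsec-esp src-address=10.19.1.2 comment="ESP"
# Anything else arriving from the peer in cleartext (including protocol 4, IPIP)
# is dropped here, before the established,related rule can accept it
add chain=input action=drop src-address=10.19.1.2 ipsec-policy=in,none comment="drop cleartext from peer"
add chain=input action=accept connection-state=established,related
# Packets that came out of IPsec (the IPIP tunnel payload) are accepted
add chain=input action=accept src-address=10.19.1.2 ipsec-policy=in,ipsec comment="IPSEC"
# Catch-all for the peer, now redundant but kept as in the original config
add chain=input action=drop src-address=10.19.1.2
```

Mirror the same rules on gateway 1 with 10.19.2.2 as the peer. To verify, stop IPSec again: pings between 192.168.1.0/24 and 192.168.2.0/24 should now fail, and the counters on the "drop cleartext from peer" rule should increase (`/ip firewall filter print stats chain=input`). If NAT traversal is in use, udp/4500 also needs an accept rule next to the IKE one.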