nichky
Forum Guru
Topic Author
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

[ASK] default configuration second part

Thu Oct 25, 2018 11:52 am

From default configuration:

add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec

Does it affect only tunnel mode?

Thanks
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: [ASK] default configuration second part

Thu Oct 25, 2018 12:04 pm

No.
 
nichky
Forum Guru
Topic Author
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: [ASK] default configuration second part

Thu Oct 25, 2018 12:20 pm

Transport?
 
nichky
Forum Guru
Topic Author
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: [ASK] default configuration second part

Thu Oct 25, 2018 9:40 pm

Actually, what does it do?
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: [ASK] default configuration second part

Fri Oct 26, 2018 9:40 am

The documentation clearly describes what it does:
https://wiki.mikrotik.com/wiki/Manual:I ... Properties
Matches the policy used by IPsec. Value is written in the following format: direction, policy. Direction is used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.

in - valid in the PREROUTING, INPUT and FORWARD chains
out - valid in the POSTROUTING, OUTPUT and FORWARD chains

ipsec - matches if the packet is subject to IPsec processing;
none - matches a packet that is not subject to IPsec processing (for example, an IPsec transport packet).

For example, if the router receives an IPsec-encapsulated GRE packet, then the rule ipsec-policy=in,ipsec will match the GRE packet, but the rule ipsec-policy=in,none will match the ESP packet.
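As an added example (not from this thread or from MikroTik), the following RouterOS commands enable the two defconf rules from the first post and add temporary log rules so you can see in which chain the in,ipsec and in,none marks actually appear for the GRE-over-IPsec case described above. The peer address, comments and log prefixes are assumptions.

```routeros
# Added example, not from the thread. Observe what the ipsec-policy matcher
# sees on a router that terminates an IPsec tunnel carrying GRE.
/ip firewall filter

# Enable the two disabled defconf rules quoted in the first post.
enable [find comment="defconf: accept in ipsec policy"]
enable [find comment="defconf: accept out ipsec policy"]

# IKE (UDP/500, NAT-T UDP/4500) and ESP are the outer packets. They are not
# themselves subject to IPsec decapsulation, so ipsec-policy=in,none matches
# the ESP packet, as mrz describes. Accept them on input only from the known
# peer; 203.0.113.10 is a placeholder peer address.
add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.10 \
    action=accept comment="ike/nat-t from peer"
add chain=input protocol=ipsec-esp src-address=203.0.113.10 ipsec-policy=in,none \
    action=accept comment="esp from peer"

# Temporary log rules, placed before the defconf rules so they are evaluated
# first. A GRE packet decapsulated from ESP and addressed to this router
# traverses input; decapsulated packets routed onward (tunnel-mode traffic
# to the LAN) traverse forward. Remove these rules once you have seen enough.
add chain=input ipsec-policy=in,ipsec action=log log-prefix="ipsec-in-input" \
    place-before=0
add chain=forward ipsec-policy=in,ipsec action=log log-prefix="ipsec-in-fwd" \
    place-before=[find comment="defconf: accept in ipsec policy"]

# Rule counters show whether the defconf rules match anything at all.
print stats where comment~"defconf: accept .* ipsec policy"
```

Watch /log for the two prefixes while traffic crosses the tunnel; the chain that produces entries tells you whether the decapsulated packet is being delivered to the router itself or forwarded through it.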
 
nichky
Forum Guru
Topic Author
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: [ASK] default configuration second part

Fri Oct 26, 2018 9:53 am

It shows the process very well. I'm just wondering in which scenario I can use it, for example L2TP-IPsec or some other situation.

That was my question.
 
nichky
Forum Guru
Topic Author
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: [ASK] default configuration second part

Sat Oct 27, 2018 9:34 am

I have been testing many tunnels like EoIP-IPsec, IPIP-IPsec and L2TP-IPsec. I only found that these rules get traffic when I'm playing with tunnel mode; with any other they don't get any traffic at all.

I'm waiting for your comment.
 
nichky
Forum Guru
Topic Author
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: [ASK] default configuration second part

Sat Oct 27, 2018 9:52 am

This log comes from R1 and it says:
IPsec_IN = 0c:5b:54:40:0b:00 belongs to "R2"
IPSec_OUT = 0c:5b:54:98:f9:00 belongs to "cl1"
