Community discussions

fpawlak
just joined
Topic Author
Posts: 4
Joined: Wed Aug 26, 2020 2:49 pm

IKEv2 -> VLANs filtering

Tue Feb 16, 2021 5:14 pm

Hi guys

I've played a little with IKEv2. I'm able to connect to a MikroTik router with IKEv2 (using 'digital signature' or 'eap radius').
Now I'm looking for some guides on how I can filter access to specific VLANs from IKEv2 clients. I know that I can add firewall rules like:
#ALLOW VPN to VLAN10
add action=accept chain=forward ipsec-policy=in,ipsec out-interface=VLAN10 src-address=VPN_IP_POOL
#ALLOW VPN to VLAN20
add action=accept chain=forward ipsec-policy=in,ipsec out-interface=VLAN20 src-address=VPN_IP_POOL
But I want to set different access for different users, e.g. user1 should have access only to VLAN10, while user2 only to VLAN20. How can I do that?
I can create different identities under /IP/IPsec/Identities and mode-configs under /IP/IPsec/Mode Configs so each user gets their own IP and routes to specific VLANs. But it isn't safe: the client can manually change the IP or add a route. Firewall rules won't help either, since users can still change their IP/routes:
#ALLOW user1 to VLAN10 (based on his IP)
add action=accept chain=forward out-interface=VLAN10 src-address=10.0.1.0/24
#ALLOW user2 to VLAN20 (based on his IP)
add action=accept chain=forward out-interface=VLAN20 src-address=10.0.2.0/24
While using L2TP or PPTP I was able to create an 'L2TP/PPTP Server binding' interface under /PPP/Interface based on the username, or define a PPP profile under /PPP/Profiles which automatically adds the client to interface lists, so in the firewall I could use rules like:
#ALLOW user1 to VLAN10 (based on interface binding)
add action=accept chain=forward in-interface=l2tp-user1 out-interface=VLAN10
#ALLOW user2 to VLAN20 (based on interface lists)
add action=accept chain=forward in-interface-list=VLAN20-vpn_users out-interface=VLAN20
Are there any similar options for IKEv2? Or should I use a completely different approach? Which approach?

I have never played with dot1x, so I don't know if it is possible to use it over VPN. Probably not, since in the server config you have to set an interface.

You may ask me why I want to use IKEv2 rather than L2TP/IPsec:
- possibility to push routes & DNS over mode-config
- multiple connections from the same WAN IP (yes, I've seen a workaround for it on this forum)
- better performance
- better for road warriors using 3G/LTE as WAN access (roaming and reconnection)

Thanks for any help
 
sindy
Forum Guru
Posts: 6863
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 -> VLANs filtering

Tue Feb 16, 2021 5:39 pm

You can create several separate /ip ipsec policy group items, and create a policy template with dst-address restricted to a long prefix (a small "subnet") for each group. The policy-template-group parameter of each /ip ipsec identity row will point to one of these groups. This will prevent the clients from assigning a different address, as their request for a policy matching that address will be rejected.

Identities of clients with the same access permissions will share the same group.

IPsec tunnels are L3 ones, so 802.1x is completely unrelated.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
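The scheme described in the reply above, written out as a RouterOS configuration. This is an added example, not configuration from the original post: the VLAN subnets (192.168.10.0/24 behind VLAN10, 192.168.20.0/24 behind VLAN20), the pool ranges, the certificate names (server-cert, user1-cert, user2-cert) and the IPsec profile name (ike2-profile) are assumptions; the interface names VLAN10/VLAN20 come from the thread.

```routeros
# Per-group address pools. Each group gets its own /24 so that the client
# address alone tells the firewall which group the client belongs to.
/ip pool
add name=pool-main ranges=10.0.0.2-10.0.0.254
add name=pool-vlan10 ranges=10.0.1.2-10.0.1.254
add name=pool-vlan20 ranges=10.0.2.2-10.0.2.254

# One mode-config per group: hands out an address from the group's pool and
# pushes only the subnet that group is allowed to reach (subnets assumed).
/ip ipsec mode-config
add name=cfg-main address-pool=pool-main address-prefix-length=32 split-include=192.168.1.0/24 system-dns=no
add name=cfg-vlan10 address-pool=pool-vlan10 address-prefix-length=32 split-include=192.168.10.0/24 system-dns=no
add name=cfg-vlan20 address-pool=pool-vlan20 address-prefix-length=32 split-include=192.168.20.0/24 system-dns=no

# One policy group per access level ...
/ip ipsec policy group
add name=grp-main
add name=grp-vlan10
add name=grp-vlan20

# ... and one policy template per group. dst-address is the remote (client)
# side: a client placed in grp-vlan10 can only negotiate a selector whose
# address lies inside 10.0.1.0/24. If that client manually configures
# 10.0.2.5, no template in its group matches and no SA is built, so the
# firewall can trust the source address. src-address is the local side and
# is limited to the subnet the group may reach.
/ip ipsec policy
add group=grp-main   template=yes src-address=192.168.1.0/24  dst-address=10.0.0.0/24 proposal=default
add group=grp-vlan10 template=yes src-address=192.168.10.0/24 dst-address=10.0.1.0/24 proposal=default
add group=grp-vlan20 template=yes src-address=192.168.20.0/24 dst-address=10.0.2.0/24 proposal=default

# A single passive IKEv2 peer serves all road warriors (profile assumed).
/ip ipsec peer
add name=ike2 exchange-mode=ike2 passive=yes profile=ike2-profile

# Identities bind each authenticated client to a group.
# - The road-warrior majority authenticates via eap-radius and shares grp-main.
# - user1 and user2 are matched by the certificate they present and land in
#   their own group. generate-policy=port-strict makes RouterOS build the
#   policy from the template rather than from whatever the client proposes.
/ip ipsec identity
add peer=ike2 auth-method=eap-radius certificate=server-cert mode-config=cfg-main generate-policy=port-strict policy-template-group=grp-main
add peer=ike2 auth-method=digital-signature certificate=server-cert match-by=certificate remote-certificate=user1-cert mode-config=cfg-vlan10 generate-policy=port-strict policy-template-group=grp-vlan10
add peer=ike2 auth-method=digital-signature certificate=server-cert match-by=certificate remote-certificate=user2-cert mode-config=cfg-vlan20 generate-policy=port-strict policy-template-group=grp-vlan20

# Firewall: accept decrypted traffic only from the group's pool towards the
# group's VLAN, then drop everything else that arrived through IPsec so a
# misconfigured or missing accept rule fails closed.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec src-address=10.0.1.0/24 out-interface=VLAN10 comment="grp-vlan10 -> VLAN10"
add chain=forward action=accept ipsec-policy=in,ipsec src-address=10.0.2.0/24 out-interface=VLAN20 comment="grp-vlan20 -> VLAN20"
add chain=forward action=accept ipsec-policy=in,ipsec src-address=10.0.0.0/24 out-interface=VLAN1 comment="grp-main -> main VLAN"
add chain=forward action=drop ipsec-policy=in,ipsec comment="default deny for IPsec clients"
```

Two things to check after applying this: the accept rules must sit before any fasttrack or generic "accept established" rule in the forward chain, otherwise the first packet of a flow is matched by the group rule but later packets may bypass it; and a client that tries a different address should show up in `/log` with a policy-generation failure rather than in `/ip ipsec active-peers` with an SA, which is the quick way to confirm the template restriction is doing its job.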
 
fpawlak
just joined
Topic Author
Posts: 4
Joined: Wed Aug 26, 2020 2:49 pm

Re: IKEv2 -> VLANs filtering

Tue Feb 16, 2021 6:59 pm

Sindy, thanks a lot for your quick response.
It looks good :)
So for the main VLAN I can use an identity with Auth. Method 'eap radius' so all domain users get access to the main VLAN.
And for the other VLANs I'll have to define separate identities for each user with an Auth. Method other than 'eap radius'.
Am I correct?

Access to the main VLAN only is for road warriors (circa 90-95% of all VPNs).
Access to specific VLANs is needed only for administration purposes, and for external support maintaining devices & machines in the company.
 
sindy
Forum Guru
Posts: 6863
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 -> VLANs filtering

Tue Feb 16, 2021 7:39 pm

So for the main VLAN I can use an identity with Auth. Method 'eap radius' so all domain users get access to the main VLAN.
And for the other VLANs I'll have to define separate identities for each user with an Auth. Method other than 'eap radius'.
Am I correct?
Sounds correct to me, unless RouterOS supports some RADIUS parameter used to override the policy-template-group value of the identity row, which would allow you to use eap-radius for all types of clients.