TedRule
just joined
Topic Author
Posts: 15
Joined: Tue Nov 03, 2020 4:41 pm

IPSEC-related configuration of /ip firewall filter input chain

Fri Sep 17, 2021 4:27 pm

We have recently had to configure a site-to-site VPN between a MikroTik and a Cisco using IPSEC. As it happens, this was using IKEv1 rather than IKEv2 but I don't believe that this makes any difference to the ensuing discussion. FWIW, the Peers were directly visible to each other - i.e. no NAT-T was involved.

With all the IKE/IPSEC parameters in place at both ends, we were able to bring up the VPN from the MikroTik end by sending a Ping through the Tunnel.

However, with the MikroTik in a quiescent state, we were not able to bring up the VPN from the Cisco end.

Please bear in mind that the MikroTik was configured with an explicit "default deny" rule on the input chain, although it did have the factory default "permit established/related" rule in place.

After some experimentation, we came to the conclusion that we needed to add two rules to the input chain, namely:

permit udp 500 -> 500 ( suitably locked down to the peer IP address to allow the initial IKE/IPSEC Policy handshake to be completed )
permit ipsec-esp ( protocol 50 ) ( suitably locked down to the peer IP address to allow the tunnelled traffic to pass through )

With the first rule in place, we were able to get the VPN to appear to come up, in that the "active peers" listing on the MikroTik showed the far end active, but no traffic could actually pass within the tunnel. Only once both rules were in place could we make the VPN properly establish as a "responder".

Obviously, we already had rules in place in the forward chain covering the traffic that we wanted to permit or exclude coming down the Tunnel.

The problem I have is that none of the extra UDP 500 and IPSec-ESP input chain requirements are mentioned in the MikroTik Documentation as far as I can see.
Have we somehow configured our Site-to-Site VPN wrong, or is the Documentation missing some explicit notes about these permissions in the input chain?

It also seems odd to me that the Kernel doesn't automatically add/remove the ipsec-esp rule on the fly once the IKE Policy has been established/torn-down, or maybe somehow make the traffic match a "related" entry in the connections table - would it be possible to enhance RouterOS to this effect? One could also imagine that a rule could be dynamically added to the input chain as Peers were added to the list of /ip IPSec peers to avoid having to manually configure the UDP 500 rule, although you'd probably have to permit UDP 4500 as well so as to allow for NAT-T Peers.
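For reference, the two input-chain rules described above written out in RouterOS CLI syntax. This is an added example, not configuration from the original post; 203.0.113.10 is a placeholder for the Cisco peer's public address and the "default deny" comment is assumed to match the existing drop rule.

```routeros
# Added example, not from the original post. Peer address is a placeholder.
/ip firewall filter
# Rule 1: IKE (ISAKMP) negotiation, UDP 500 -> 500, restricted to the peer.
# Without it the MikroTik never answers the Cisco's initiator messages.
add chain=input action=accept protocol=udp src-address=203.0.113.10 \
    src-port=500 dst-port=500 comment="IKE from IPsec peer" \
    place-before=[find comment="default deny"]
# Rule 2: ESP (IP protocol 50), restricted to the peer. Without it the
# peer shows as active but no tunnelled traffic can pass.
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.10 \
    comment="ESP from IPsec peer" \
    place-before=[find comment="default deny"]
# Only needed when the peer sits behind NAT (NAT-T); left disabled here
# because the peers in this setup see each other directly.
add chain=input action=accept protocol=udp src-address=203.0.113.10 \
    dst-port=4500 comment="IKE/ESP over NAT-T from IPsec peer" disabled=yes \
    place-before=[find comment="default deny"]

# Checks: confirm the rules sit above the drop rule and are actually
# matching when the Cisco initiates the tunnel.
/ip firewall filter print stats where chain=input
/ip ipsec active-peers print
```

Because both accept rules are scoped to a single peer address, an unknown host sending UDP 500 or ESP to the router still hits the default deny.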
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC-related configuration of /ip firewall filter input chain

Fri Sep 17, 2021 10:16 pm

First, you are right, the rules you've identified are necessary to make your particular setup work.

Second, this is a user forum, so not the right place for feature requests, at least not outside the dedicated "feature request" topic. The official channel to submit feature requests is via your reseller.

Third, the issue with automatic addition of configuration elements is that it can only cover some typical cases, and if your configuration is non-standard in some aspect, the automatic creation of firewall rules may cause more problems than benefits. So there would have to be a configuration option allowing it to be disabled.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IPSEC-related configuration of /ip firewall filter input chain

Sat Sep 18, 2021 2:12 pm

I am not an expert on this, but mentioning dynamic rule generation reminded me of this:

However, this can add significant load to the router's CPU if there is a fair amount of tunnels and significant traffic on each tunnel.

The solution is to use IP/Firewall/Raw to bypass connection tracking, that way eliminating the need for the filter rules listed above and reducing load on the CPU by approximately 30%.

/ip firewall raw
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24
https://wiki.mikrotik.com/wiki/Manual:I ... ack_Bypass

Update: I got the wrong part, and it can be found in IP-IPSEC-Identities:

notrack-chain (string; Default: ) - Adds IP/Firewall/Raw rules matching IPsec policy to specified chain. Use together with generate-policy.
https://wiki.mikrotik.com/wiki/Manual:I ... Identities
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSEC-related configuration of /ip firewall filter input chain

Sat Sep 18, 2021 2:45 pm

@msatter, the rules in the filter input chain that the OP has found necessary to add deal with the transport packets of the tunnel, whereas your suggested action=notrack rules in raw deal with the payload of the tunnel. And the OP's concern is not CPU load but the fact that he has to add firewall rules on top of setting up the IPsec configuration itself.

So your suggestion is valid and useful but out of the context of the topic.
