alexid
just joined
Topic Author
Posts: 8
Joined: Sun Oct 17, 2021 12:01 am

mangle on IPsec policy out

Mon Oct 18, 2021 1:49 pm

Hello,

I use an IKEv2 VPN service with Mode Configuration enabled as client on the Mikrotik router. I am trying to lower the TCP MSS for connections going through the VPN tunnel as there are issues with the MTU and IP fragmentation on this tunnel. I already disabled firewall fasttrack for all connections as I noticed that this functionality is blocking VPN traffic for some tunnels. I'm thinking of adjusting the TCP MSS by using mangle rules with connection marking. Outbound and inbound connections would get marked and after that, another mangle rule would modify the TCP MSS for those marked connections.
0 chain=forward action=mark-connection new-connection-mark=MARK passthrough=yes protocol=tcp log=yes log-prefix="MANGLE_MARK_IPSEC_OUT" ipsec-policy=out,ipsec 
1 chain=forward action=mark-connection new-connection-mark=MARK passthrough=yes protocol=tcp log=yes log-prefix="MANGLE_MARK_IPSEC_IN" ipsec-policy=in,ipsec 
2 chain=forward action=change-mss new-mss=1382 passthrough=yes tcp-flags=syn protocol=tcp connection-mark=MARK log=yes log-prefix="MANGLE_SET_TCP_MSS_IPSEC" 
What I observed is that outgoing packets are not detected by the ipsec-policy=out,ipsec mangle rule. Only incoming packets get detected, by the ipsec-policy=in,ipsec rule, thus outgoing connections get marked (I cannot test with incoming connections), but only when the TCP SYN/ACK packet is detected, and consequently TCP MSS is adjusted only for the incoming TCP flow. So the issue is, how can IPsec outgoing packets be detected for connection marking through mangle rules?

I have tested this setup with another IKEv2 VPN setup with Mode Configuration enabled as responder, and that is working fine, so the issue seems to be only related to the Mode Configuration enabled as client setup.

Thank you
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mangle on IPsec policy out

Mon Oct 18, 2021 2:27 pm

Have a read over here on that: viewtopic.php?f=23&t=169273
My contribution: viewtopic.php?f=23&t=169273#p836389 using IPSEC Policies.

Look at where Forward is in the flow, before the decision of IPSEC out. So the policy is not set then.


https://help.mikrotik.com/docs/display/ ... OS-Forward

Postrouting (Mangle) sees every forwarded packet; Output (Mangle) sees only the packets generated by the router itself, and in this case your outgoing encrypted traffic.
To set MSS you have to use Postrouting, as then the outgoing packet is still unencrypted. But then you still can't use ipsec-out because it is still before that is set. And once encrypted you can't use MSS. So you can't filter on that, and you have to use the connection-mark "MARK" to recognize that traffic.
chain=postrouting action=change-mss new-mss=1382 passthrough=yes tcp-flags=syn protocol=tcp connection-mark=MARK log=yes log-prefix="MANGLE_SET_TCP_MSS_IPSEC" 

Optimized to only handle packets bigger than 1383 (in your case), and because it is Postrouting (end of the line) you can set passthrough=no so that the rest of the rules in Mangle are ignored
chain=postrouting action=change-mss new-mss=1382 passthrough=no tcp-flags=syn protocol=tcp connection-mark=MARK tcp-mss=1383-65535 log=yes log-prefix="MANGLE_SET_TCP_MSS_IPSEC_OUT"
Last edited by msatter on Mon Oct 18, 2021 5:43 pm, edited 1 time in total.
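What the change-mss rule above does at the byte level, as an added Python example that is not part of the thread and not RouterOS code: it walks the TCP options of a segment and rewrites the MSS option only when the segment is a SYN and the advertised value exceeds 1382, the same condition as tcp-flags=syn tcp-mss=1383-65535. The sample SYN is constructed, and the TCP checksum is not recomputed.

```python
import struct

TCP_SYN = 0x02
MSS_KIND = 2          # TCP option kind for Maximum Segment Size (RFC 793)


def data_offset(segment: bytes) -> int:
    """TCP header length in bytes: upper nibble of byte 12, in 32-bit words."""
    return (segment[12] >> 4) * 4


def mss_option_offset(segment: bytes):
    """Walk the TCP options and return the offset of the 2-byte MSS value,
    or None when the segment carries no well-formed MSS option."""
    hlen = data_offset(segment)
    i = 20
    while i < hlen:
        kind = segment[i]
        if kind == 0:                # End-of-options list
            return None
        if kind == 1:                # NOP padding: one byte, no length field
            i += 1
            continue
        if i + 1 >= hlen or segment[i + 1] < 2:
            return None              # truncated or malformed option
        length = segment[i + 1]
        if kind == MSS_KIND and length == 4 and i + 4 <= hlen:
            return i + 2
        i += length
    return None


def read_mss(segment: bytes):
    """MSS value advertised in the segment, or None."""
    off = mss_option_offset(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]


def clamp_mss(segment: bytes, new_mss: int = 1382):
    """Same decision as 'tcp-flags=syn tcp-mss=1383-65535 change-mss new-mss=1382':
    only a SYN whose advertised MSS exceeds new_mss is rewritten.
    Returns (original MSS or None, segment); checksum left to the caller."""
    if not segment[13] & TCP_SYN:    # byte 13 holds the TCP flags
        return None, segment
    old = read_mss(segment)
    if old is None or old <= new_mss:
        return old, segment
    out = bytearray(segment)
    struct.pack_into("!H", out, mss_option_offset(segment), new_mss)
    return old, bytes(out)


def build_syn(mss: int, flags: int = TCP_SYN) -> bytes:
    """Constructed sample segment (not a capture): ports 40000 -> 443,
    options MSS, NOP, window scale 7; header length 28 bytes."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss) + b"\x01\x03\x03\x07"
    hlen = 20 + len(options)
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                         (hlen // 4) << 4, flags, 65535, 0, 0)
    return header + options
```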
 
alexid
just joined
Topic Author
Posts: 8
Joined: Sun Oct 17, 2021 12:01 am

Re: mangle on IPsec policy out

Mon Oct 18, 2021 4:10 pm

Hi msatter,

Not sure I understand what you're trying to say; I did manage to have the TCP MSS modified for incoming TCP flows through the VPN tunnel (MSS changed on outgoing IPSec packets), but only by using a mangle rule without IPsec policy matching such as this:
6    chain=forward action=change-mss new-mss=1382 passthrough=yes tcp-flags=syn protocol=tcp src-address-list=VPNsource log=yes log-prefix="MANGLE_SET_TCP_MSS_ON_SOURCE" 
But my purpose is not to adjust TCP MSS for all connections, only for the IPsec outgoing ones, which is why I need the connection or packet marking to work for the IPsec out policy matching mangle rule. I've tested this rule with the chain set to "postrouting" and "output", but it does not make a difference. In order to only match the IPsec out packets/connections, I need a way to match them after the automatic SNAT from mode configuration has been applied:
 0  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.6.0.5 src-address-list=VPNsource dst-address-list=!VPNsource
Is there a way to achieve this?

Thank you
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mangle on IPsec policy out

Mon Oct 18, 2021 5:42 pm

Once it is natted you can't do much more, see Postrouting marked 4:


SRC-NAT is after Postrouting, so you have to do the MSS stuff before that. Postrouting is the place, and it has to be done before it is encrypted, so on the first loop. See diagram above.

You call the traffic incoming and I am calling it outgoing because it leaves after the SRC-NAT. I do not use ipsec-out and I assume that it is encrypted traffic for your VPN provider.

Traffic, with destination the VPN provider: Forward --> Postrouting loop one -> encryption ( traffic is now encrypted) -> Output -> Postrouting (second time) -> SRC-NAT -> VPN tunnel

You send a packet upstream to the VPN. Normally, the VPN says it is too big (ICMP 3-4) and "I can handle 1382", for example. The router tells the client, keep it below 1383. If the VPN provider is not sending an ICMP 3-4 you have to keep it yourself below that 1383 by forcing that MTU for your clients. NordVPN has some troubles sending back those ICMP 3-4.

You need in the end, only one Mangle line and that is a Postrouting. This only if you already have marked all NEW traffic going through the VPN with new-connection-mark=MARK and so the Mark differentiates that traffic from the rest.

Prerouting / Forward -> mark traffic, and because it is connection-marking the router will keep track of that marked connection for you and you don't have to lift a finger anymore.

This should be enough in Mangle:
chain=prerouting action=mark-connection src-address-list=VPNsource new-connection-mark=MARK passthrough=yes protocol=tcp log=yes log-prefix="MANGLE_MARK_IPSEC_OUT"
chain=postrouting action=change-mss new-mss=1382 passthrough=no tcp-flags=syn protocol=tcp connection-mark=MARK ipsec-policy=out,none tcp-mss=1383-65535 log=yes log-prefix="MANGLE_SET_TCP_MSS_IPSEC_OUT"
Update: I added ipsec-policy=out,none so that Postrouting is ignoring encrypted traffic, which it can't change after all.
Update 2: new-connection-mark seems to be only possible in prerouting and output. Using ROS v7 here. And it seems logical to do that before the routing decision.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mangle on IPsec policy out

Tue Oct 19, 2021 12:23 am

I looked at it again, and the manual is always correct. To avoid having to check whether a packet is already encoded, do not use Postrouting.

Your IKEv2 to VPN provider:
chain=forward action=change-mss new-mss=1382 passthrough=no tcp-flags=syn protocol=tcp connection-mark=MARK tcp-mss=1383-65535 log=no log-prefix="MANGLE_SET_TCP_MSS_IPSEC_OUT"


Here I know which interface the traffic uses:
chain=forward action=change-mss new-mss=1432 passthrough=no tcp-flags=syn protocol=tcp out-interface-list=WireGuard tcp-mss=1433-65535 log=no log-prefix="MANGLE_SET_TCP_MSS_WG_OUT"

Knowing here the out interface is WireGuard (List in Interface) avoids having to look at the connection-mark. IKEv2 is dynamic so making a List in Interface is not possible.
 
alexid
just joined
Topic Author
Posts: 8
Joined: Sun Oct 17, 2021 12:01 am

Re: mangle on IPsec policy out

Tue Oct 19, 2021 1:59 am

Hello msatter,

I'm using 6.49 firmware. I understood what you meant, but I think you made a mistake in the placement of SRC-NAT in the outgoing IPsec packet flow processing; it should be as follows:

Forward --> Postrouting loop one -> SRC-NAT (derived from mode configuration) -> encryption ( traffic is now encrypted) -> Output -> Postrouting (second time) -> VPN tunnel

as SRC-NAT applied through the mode configuration functionality is done for inside tunnel traffic. Matching by IPsec out policy (ipsec-policy=out,ipsec) in mangle rules will match by the virtual IP address as source (received via mode configuration from the remote peer, IPsec policy is derived from template), but as you said, because postrouting SRC-NAT is done after mangle, I cannot do anything to match it via mangle rules, perhaps only by destination, which is impractical. It's not necessary to perform the mangle in postrouting, if matching is done by source address.

The only way it would have worked is to be able to apply mangle rules after SRC-NAT in postrouting. If there was a possibility to define the IPsec tunnels as virtual interfaces and use routing with those, perhaps it would work to apply mangle in postrouting. Other vendors support this type of setting.

One interesting thing I noticed is that TCP MSS mangle rules with clamp-to-pmtu action do work for IPsec tunnels where SRC-NAT (no mode configuration as client) is not applied:
chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp log=no log-prefix=""

Somehow, the IPsec policy is matched in the forward chain, to derive the path MTU.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mangle on IPsec policy out

Tue Oct 19, 2021 2:39 am

Mode configuration is there to be able to create the dynamic NAT lines. You can use src-address or connection marking or combine those two.

I refined my own MSS line and ended up with doing that in Forward, as I wrote about. This avoids the ipsec:out:none.

You want to MSS traffic going into the tunnel. NAT sees only encrypted traffic and sets a new src-address on encrypted packets heading into the tunnel. You can see that it is not going twice through the NAT.

Once encrypted you can't change the content anymore, and so no change of MSS.

You write that the PMTU does work, but it will apply that MTU to all forwarded traffic, VPN and not VPN. You have your connection-mark to only MSS your VPN traffic and so can use that there also.
chain=forward action=change-mss new-mss=clamp-to-pmtu connection-mark=MARK passthrough=yes tcp-flags=syn protocol=tcp log=no log-prefix=""
Forward (MSS) --> Postrouting loop one -> SRC-NAT (derived from mode configuration) -> encryption ( traffic is now encrypted) -> Output -> Postrouting (second time) -> VPN tunnel (NAT)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mangle on IPsec policy out

Tue Oct 19, 2021 2:59 am

So if PMTU is working for you then you can go to the next level and that is to transfer the ICMP 3-4 to the clients and so no need to do anything about the MTU in Mangle and worry about NAT.

This is done in IPSEC Policies, and this is a script to add the needed line.
/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 protocol=icmp place-before=1
The address range is the one of the internal network or in your case the part of the network allowed to use the VPN --> src-address-list=VPNsource
That address range can differ from the one above so you have to adapt that manually.

Since a few weeks, some servers from NordVPN do not return ICMP 3-4, and that goes also for their WireGuard servers. This is a specific problem with NordVPN.
 
alexid
just joined
Topic Author
Posts: 8
Joined: Sun Oct 17, 2021 12:01 am

Re: mangle on IPsec policy out

Tue Oct 19, 2021 12:15 pm

msatter, I don't understand what you meant in your first reply. SRC-NAT via mode configuration is applied to unencrypted packets.

There is no need for ICMP 3-4 packets for the router to derive the PMTU for an IPsec tunnel; this is apparently derived from the phase 2 algorithm negotiation results, and mangle rules with action=change-mss new-mss=clamp-to-pmtu do work in the forward chain to properly change the TCP MSS in relation to the tunnel's PMTU, but not for the mode configuration as client tunnel setups. My guess is that there is some matching done in the forward chain with IPsec policies, in order to choose the proper PMTU, but for mode configuration as client derived IPsec policies, the match is not happening, probably because the source in the IPsec policy is the mode configuration received IP address.

I did try your suggestion with the IPsec policy but it did not do the trick.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mangle on IPsec policy out

Tue Oct 19, 2021 12:54 pm


IPSec Policies

Let's take a look at another tunnel type - IPSec. This type of VPN does not have logical interfaces but is processed in a similar manner.
Instead of logical interfaces packets are processed through IPSec policies. After routing decision (2) and input firewall processing (3), the router tries to match the source and destination to IPsec policy. When policy matches the packet it is sent to decryption (5). After the decryption packet enters PREROUTING processing again (6) and starts another processing loop, but now with the decapsulated packet.


The same process is with encapsulation but in reverse order. First IP packet gets processed through facilities, then matched against IPsec policies (5), encapsulated (6), and then sent to processing on the second loop (7-10).

Returning traffic (the decryption path in the first quoted paragraph above):

If PMTU can be used with ipsec-policy=in,ipsec.....
Last edited by msatter on Tue Oct 19, 2021 1:07 pm, edited 1 time in total.
 
alexid
just joined
Topic Author
Posts: 8
Joined: Sun Oct 17, 2021 12:01 am

Re: mangle on IPsec policy out

Tue Oct 19, 2021 1:03 pm

msatter, the diagrams are nice, but I already understood how the packets are processed. What are you trying to say?
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mangle on IPsec policy out

Tue Oct 19, 2021 1:09 pm

After processing comes SRC-NAT for outgoing traffic.

Update on my previous posting. Maybe you are looking for this. Returning ipsec (unencrypted) traffic setting PMTU
chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=no tcp-flags=syn,ack protocol=tcp log=no log-prefix="MSS" ipsec-policy=in,ipsec

Update 2: works great for me and it is now the only MSS line in Mangle. Working for IKEv2 and WireGuard. More testing needed but it looks promising.

Update 3: it did not catch any WireGuard packets, that puzzles me. I have now ipsec-policy=in,none active and that catches also the WireGuard packets.

Update 4: because it handles returning traffic I have added ack to syn. I have adapted the original mangle line according to that
 
alexid
just joined
Topic Author
Posts: 8
Joined: Sun Oct 17, 2021 12:01 am

Re: mangle on IPsec policy out

Tue Oct 19, 2021 2:31 pm

No, I'm looking to adjust TCP MSS on outgoing tunnel packets, it already works on incoming packets, see my first post.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mangle on IPsec policy out

Tue Oct 19, 2021 2:44 pm

Outgoing is when it is known that it is ipsec:out traffic. And that is not possible in Mangle or an other location.

You can use your connection mark for that but you say that does not work.
 
alexid
just joined
Topic Author
Posts: 8
Joined: Sun Oct 17, 2021 12:01 am

Re: mangle on IPsec policy out

Tue Oct 19, 2021 2:48 pm

Not working, I would need perhaps some dummy IPsec policy using original local client IP address to be able to mangle match in the forward chain, but that also seems impossible.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: mangle on IPsec policy out

Tue Oct 19, 2021 4:29 pm

Just one more shot. Going back to your first posting:
0 chain=forward action=mark-connection new-connection-mark=MARK passthrough=yes protocol=tcp log=yes log-prefix="MANGLE_MARK_IPSEC_OUT" ipsec-policy=out,ipsec 
1 chain=forward action=mark-connection new-connection-mark=MARK passthrough=yes protocol=tcp log=yes log-prefix="MANGLE_MARK_IPSEC_IN" ipsec-policy=in,ipsec 
2 chain=forward action=change-mss new-mss=1382 passthrough=yes tcp-flags=syn protocol=tcp connection-mark=MARK log=yes log-prefix="MANGLE_SET_TCP_MSS_IPSEC" 
Line 0 does nothing, it will know on the third pass of packets to and from.
Line 1 and 2 combined as I posted earlier.

Replace line 0 with:
chain=forward action=mark-connection new-connection-mark=MARK passthrough=yes protocol=tcp src-address-list=VPNsource connection-state=new log=yes log-prefix="MANGLE_MARK_IPSEC_OUT" 
That is the basic way and should fit your situation.

Next iteration is doing away with the connection-mark because you already decided to use an address-list named VPNsource. I assume the dynamic NAT lines use also VPNsource?
Line 1 and 2 combined (dynamic PMTU):
chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=no tcp-flags=syn,ack protocol=tcp ipsec-policy=in,ipsec log=yes log-prefix="MANGLE_MARK_IPSEC_OUT"
chain=forward action=change-mss new-mss=1382 passthrough=no tcp-flags=syn protocol=tcp src-address-list=VPNsource log=yes log-prefix="MANGLE_SET_TCP_MSS_IPSEC" 
You can make that last line static with an MTU of 1382 in your case.
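Why marking the connection on its first packet is enough for both directions, as an added Python model that is not part of the thread and not RouterOS code: a tiny connection table keyed on the unordered endpoint pair stands in for connection tracking, and the two rules suggested above (mark-connection with src-address-list=VPNsource connection-state=new, then change-mss on connection-mark=MARK with the tcp-mss=1383-65535 match from earlier in the thread) are evaluated in order. The address list contents and the flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Stand-in for the address list VPNsource: LAN hosts allowed to use the tunnel (constructed).
VPNSOURCE = [ipaddress.ip_network("192.168.88.0/24")]
NEW_MSS = 1382          # new-mss=1382 from the thread


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool = False
    mss: Optional[int] = None     # MSS option, present only on SYN and SYN/ACK


def conn_key(p: Packet):
    """Connection tracking key: the unordered pair of endpoints, so the
    returning SYN/ACK lands on the same entry as the outgoing SYN."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def in_list(addr: str, networks) -> bool:
    return any(ipaddress.ip_address(addr) in n for n in networks)


def forward_chain(p: Packet, ct: dict):
    """The two mangle rules, evaluated in order, against a packet and a
    connection table mapping conn_key -> connection mark:
      mark-connection new-connection-mark=MARK src-address-list=VPNsource connection-state=new
      change-mss new-mss=1382 tcp-flags=syn connection-mark=MARK tcp-mss=1383-65535
    Returns the log prefixes that fired; p.mss is rewritten in place."""
    fired = []
    k = conn_key(p)
    if k not in ct:                                   # connection-state=new
        # every new connection gets an entry; only VPNsource sources get the mark
        ct[k] = "MARK" if in_list(p.src, VPNSOURCE) else None
        if ct[k] == "MARK":
            fired.append("MANGLE_MARK_IPSEC_OUT")
    # the mark belongs to the connection, so the SYN/ACK from the far end matches too
    if p.syn and ct.get(k) == "MARK" and p.mss is not None and p.mss > NEW_MSS:
        p.mss = NEW_MSS
        fired.append("MANGLE_SET_TCP_MSS_IPSEC")
    return fired


def run_scenario():
    """Constructed flows (not captures): a VPNsource client and an outside client
    each open a TCP connection. Returns (fired rules, resulting MSS) per packet."""
    ct = {}
    syn = Packet("192.168.88.10", "203.0.113.10", 40000, 443, syn=True, mss=1460)
    synack = Packet("203.0.113.10", "192.168.88.10", 443, 40000, syn=True, ack=True, mss=1460)
    other = Packet("192.168.10.5", "203.0.113.10", 40001, 443, syn=True, mss=1460)
    return [(forward_chain(p, ct), p.mss) for p in (syn, synack, other)]
```

The SYN/ACK's source is outside VPNsource, yet it is clamped because the mark was set on the connection by the outgoing SYN; the SYN from the host outside the list is left at 1460.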
 
alexid
just joined
Topic Author
Posts: 8
Joined: Sun Oct 17, 2021 12:01 am

Re: mangle on IPsec policy out

Tue Oct 19, 2021 4:49 pm

I already mentioned that I have used the mangle rule based on source successfully, but this adjusts the MSS for all outgoing packets from the source, not just IPsec tunnel outgoing ones (for example, if the VPN tunnel is down):
6 chain=forward action=change-mss new-mss=1382 passthrough=yes tcp-flags=syn protocol=tcp src-address-list=VPNsource log=yes log-prefix="MANGLE_SET_TCP_MSS_ON_SOURCE"
The dynamic PMTU you are referring to does not work for mode configuration as client IPsec tunnels. That is what I mentioned in my previous post.
 
emailchina
just joined
Posts: 4
Joined: Mon Aug 09, 2021 11:28 pm

Re: mangle on IPsec policy out

Sun Nov 28, 2021 11:31 am

So if PMTU is working for you then you can go to the next level and that is to transfer the ICMP 3-4 to the clients and so no need to do anything about the MTU in Mangle and worry about NAT.

This is done in IPSEC Policies, and this is a script to add the needed line.
/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 protocol=icmp place-before=1
The address range is the one of the internal network or in your case the part of the network allowed to use the VPN --> src-address-list=VPNsource
That address range can differ from the one above so you have to adapt that manually.

Since a few weeks, some servers from NordVPN do not return ICMP 3-4, and that goes also for their WireGuard servers. This is a specific problem with NordVPN.
Can you give the complete and full command? I'm a newbie, and it's painful to understand the article by translation. I don't know what to do. I use both NordVPN and ProtonVPN.
