gburne
just joined
Topic Author
Posts: 1
Joined: Thu Dec 02, 2021 9:00 pm

IPsec IKE2 Firewall Rules

Mon Apr 18, 2022 11:35 pm

Hello all,

I have configured an IPsec IKEv2 site-to-site VPN using an RB2011 at one site and an RB3011 at the other site.

The VPN is working.

If I disable all firewall filter rules I can RDP to a machine on the remote network. If I enable all the firewall filter rules I cannot RDP to the machine on the remote network.

I found the below firewall filter rule to be the problem. This is my last firewall filter rule.

defconf: drop all from WAN not DSTNATed

Please could someone let me know how to allow IPsec with the above firewall filter rule enabled. I have not been able to figure it out.

Thank you,

Greg
 
AidanAus
Member Candidate
Posts: 177
Joined: Wed May 08, 2019 7:35 am
Location: Australia

Re: IPsec IKE2 Firewall Rules

Thu Apr 21, 2022 5:48 am

You will need to add a new firewall rule that will accept this traffic.
Big thing to note first about the chains:
input = destination is this router itself
forward = traffic whose source is not this router and whose destination is not this router either
output = traffic originating from this router, going out of this router

So, in saying that, you need to add a new rule on the forward chain with the action of accept and list it above anything that would drop this traffic. If you leave it just as that, you will allow everything through the router and the network will not be secure.
As a minimum I would suggest putting the src-address and dst-address in, but you are also able to lock this down further by adding just the RDP port etc., for example:
/ip firewall filter
add chain=forward src-address=(ip address or subnet of the device trying to get access) dst-address=(ip address or subnet of the RDP device) protocol=tcp dst-port=3389 action=accept

Not sure if this needs UDP as well but you can play around with this further :)
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPsec IKE2 Firewall Rules

Thu Apr 21, 2022 1:39 pm

The condition you're looking for is ipsec-policy=in,ipsec; it will match incoming packets from the tunnel (= covered by an IPsec policy). Otherwise they look like any other packet from the internet.
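Putting the two replies together, as an added RouterOS example that is not from either poster: the accept rule matches only packets that arrived through an IPsec policy (ipsec-policy=in,ipsec), is narrowed to the peer subnet and the RDP port, and is placed above the defconf drop rule so it is evaluated first. The subnet 192.168.88.0/24, the host 192.168.1.10 and the rule comment "defconf: drop all from WAN not DSTNATed" are assumed values taken from the thread or constructed for illustration.

```routeros
# Added example, not from the thread. Assumed addresses (constructed):
#   remote (peer) LAN behind the tunnel : 192.168.88.0/24
#   RDP host on this side               : 192.168.1.10
# The drop rule is matched by the comment the thread quotes.

# 1. Confirm which rule is eating the traffic (the last forward-chain rule).
/ip firewall filter print stats where comment="defconf: drop all from WAN not DSTNATed"

# 2. Accept only packets that came in through an IPsec policy, from the peer
#    subnet, to the RDP host, on TCP/3389, and place the rule above the drop.
#    Without src/dst/port, ipsec-policy=in,ipsec alone would let everything
#    from the tunnel through, which the first reply warns against.
/ip firewall filter add chain=forward action=accept \
    ipsec-policy=in,ipsec \
    src-address=192.168.88.0/24 dst-address=192.168.1.10 \
    protocol=tcp dst-port=3389 \
    comment="allow RDP from site-to-site IPsec" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# 3. Re-run the RDP session and check the counters: the new rule's packet
#    count should rise while the defconf drop rule's count stays flat.
/ip firewall filter print stats where chain=forward
```

If you also need to reach the router itself over the tunnel (Winbox, SSH), the same ipsec-policy=in,ipsec match goes on a rule in the input chain, since forward never sees router-destined traffic.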
