rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

IPSec VPN Access Limitations

Wed Aug 17, 2022 12:45 pm

Hi All

I have to configure an IPSec link to a client, which I've never done before, and now that I'm used to setting allowed addresses in WireGuard I'm wondering if there is something similar I can do for IPSec?

I have various devices scattered over various ranges I'd like to give them access to but block everything else.

Any ideas?

Thanks,
R
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec VPN Access Limitations

Wed Aug 17, 2022 1:09 pm

The traffic selectors in bare IPsec work similarly to Wireguard's allowed-address list, but as you mention various ranges, be aware that the number of policies may be overwhelmingly high, as you may need one policy for each (local subnet, remote subnet) tuple depending on how the remote peer has configured it. Using 0.0.0.0/0 <-> 0.0.0.0/0 is rarely a solution because bare IPsec traffic selectors supersede the results of the "normal" routing, so if you use this traffic selector to choose traffic for the tunnel policy, you need other policies to exempt your local traffic from being intercepted by this one.

So depending on how much of the design will be your own decision and how much you have to accommodate to, it may be best to use a "something-over-IPsec" tunnel with "normal" routing and firewall rules, or it may be best to use bare IPsec.
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: IPSec VPN Access Limitations

Wed Aug 17, 2022 1:56 pm

Howsit sindy

Well it seems I'm stuck with IPSec so will have to figure it out.

So if I'm understanding you correctly, I can specify multiple Policies for the same Peer in order to indicate multiple IPs/ranges, correct?
Is there a way they could "masquerade" the link to gain access to anything beyond what I specify under Policies? I see IPSec does not create an "interface" so it makes it tricky (in my mind at least) to try and button things up via the firewall.

PS. I'm the initiator

Thanks,
R
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec VPN Access Limitations

Wed Aug 17, 2022 2:33 pm

Well it seems I'm stuck with IPSec so will have to figure it out.
That was clear, what is still not clear is how much of the IPsec setup has already been cast in concrete and how much of it you can set up as you want.

So if I'm understanding you correctly, I can specify multiple Policies for the same Peer in order to indicate multiple IPs/ranges, correct?
Almost - not multiple subnets but multiple combinations of local and remote subnet. So if you have subnets A and B on the local end and subnets 1,2,3 on the remote end, you need individual policies for A1, A2, A3, B1, B2, B3 combinations.

Is there a way they could "masquerade" the link to gain access to anything beyond what I specify under Policies?
You can normally use masquerade/srcnat at the application client side, but it is much more complicated at application server side (you need port forwarding in such case). The traffic selection is done after all the firewall processing, including src-nat, has been done. So if you src-nat the whole client site to a single address, you can only use as many policies as you have subnets on the server site (application-wise client may not be the IPsec-wise initiator).

I see IPSec does not create an "interface" so it makes it tricky (in my mind at least) to try and button things up via the firewall.
From the firewall point of view, you just have to refer to IP addresses and not to interface names. Other implications of not having a virtual interface are much worse :)
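The "one policy per (local subnet, remote subnet) combination" point above, written out as RouterOS configuration. This is an added example and not part of sindy's reply or of any MikroTik documentation; it assumes RouterOS v7 syntax (where a policy references its peer by name), uses constructed documentation-range addresses, and the peer, identity and proposal names are hypothetical. Local subnets A and B and remote subnets 1, 2 and 3 yield six policies, exactly as described:

```routeros
# Added example (not from the thread). RouterOS v7 syntax assumed; addresses,
# peer name and proposal name are constructed placeholders.

# The remote gateway we initiate to (203.0.113.10 is a constructed address).
/ip ipsec profile add name=client-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec peer add name=client-peer address=203.0.113.10/32 exchange-mode=ike2 profile=client-profile
/ip ipsec identity add peer=client-peer auth-method=pre-shared-key secret="CHANGE-ME-placeholder"
/ip ipsec proposal add name=client-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# Local subnets: A = 10.1.0.0/24, B = 10.2.0.0/24 (constructed)
# Remote subnets: 1 = 192.168.1.0/24, 2 = 192.168.2.0/24, 3 = 192.168.3.0/24 (constructed)
# Every (local, remote) pair needs its own policy; the six below are A1..B3.
/ip ipsec policy
add peer=client-peer tunnel=yes proposal=client-proposal src-address=10.1.0.0/24 dst-address=192.168.1.0/24 comment="A1"
add peer=client-peer tunnel=yes proposal=client-proposal src-address=10.1.0.0/24 dst-address=192.168.2.0/24 comment="A2"
add peer=client-peer tunnel=yes proposal=client-proposal src-address=10.1.0.0/24 dst-address=192.168.3.0/24 comment="A3"
add peer=client-peer tunnel=yes proposal=client-proposal src-address=10.2.0.0/24 dst-address=192.168.1.0/24 comment="B1"
add peer=client-peer tunnel=yes proposal=client-proposal src-address=10.2.0.0/24 dst-address=192.168.2.0/24 comment="B2"
add peer=client-peer tunnel=yes proposal=client-proposal src-address=10.2.0.0/24 dst-address=192.168.3.0/24 comment="B3"

# Because the selectors above are evaluated after NAT, the tunnel subnets must be
# exempted from any masquerade rule; place this above the general srcnat rule.
/ip firewall nat
add chain=srcnat action=accept src-address=10.0.0.0/8 dst-address=192.168.0.0/16 comment="do not NAT traffic destined for the IPsec policies"
```

The srcnat exemption is what keeps the local source addresses intact so that the policies still match; without it a masquerade rule rewrites the source first, and, as sindy notes, you would then be limited to one policy per remote subnet.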
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: IPSec VPN Access Limitations

Fri Aug 19, 2022 10:23 am

I've suggested to the provider to maybe look into something a little simpler, like L2TP/IPSec, as this seems to be their first time implementing IPSec and I don't reckon it's going to work well for them in the long run anyway.

From my side I still need to limit their access to a few random IPs over a few subnets though, which I don't quite know how to do yet. Address lists can only take a single IP or a set range within a subnet and I can't see a way to use multiple address lists in a firewall rule.

Any suggestions on how to accomplish this?

Thanks,
R
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec VPN Access Limitations

Fri Aug 19, 2022 2:34 pm

The very idea of an access list is that it consists of multiple items. So add multiple items with same list value and different address items.
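An added example of that advice, not part of sindy's post: one address list built from several entries with the same `list=` name, then two forward-chain rules that allow decrypted IPsec traffic only to the hosts in that list and drop the rest. The list name, the addresses and the ranges are constructed placeholders; the `ipsec-policy=in,ipsec` matcher is the standard RouterOS way to select packets that arrived through an IPsec policy, which is how you refer to the tunnel without a virtual interface.

```routeros
# Added example (not from the thread). List name and addresses are constructed.

# One list, many entries: single hosts, a whole subnet and an in-subnet range
# can all carry the same list name.
/ip firewall address-list
add list=client-allowed address=10.1.0.25 comment="app server in subnet A"
add list=client-allowed address=10.1.0.40 comment="second app server in subnet A"
add list=client-allowed address=10.2.0.0/24 comment="entire subnet B"
add list=client-allowed address=10.3.0.10-10.3.0.20 comment="a range inside subnet C"

# Traffic decrypted from the client's IPsec policies may reach only the listed
# hosts; everything else coming out of the tunnel is dropped. Both rules must sit
# above any general "accept established/related" or "accept forward" rules.
/ip firewall filter
add chain=forward ipsec-policy=in,ipsec dst-address-list=client-allowed action=accept comment="client VPN: allowed hosts only"
add chain=forward ipsec-policy=in,ipsec action=drop comment="client VPN: block everything else"
```

If the client must also be blocked from reaching the router itself, add the same pair of rules in `chain=input`; the address list can then be a separate one listing only the router addresses the client genuinely needs.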
 
rules
Frequent Visitor
Topic Author
Posts: 65
Joined: Tue Feb 19, 2019 12:10 pm
Location: Cape Town, South Africa

Re: IPSec VPN Access Limitations

Mon Aug 22, 2022 10:25 am

Geez, seems so obvious now, never knew you could add multiple lines with same name.

Thanks sindy
