FPnut
just joined
Topic Author
Posts: 12
Joined: Mon Nov 18, 2019 9:09 am

Understanding IPSec packet flow

Tue Mar 24, 2020 1:51 pm

Hi, I'm curious about the IPsec packet flow, as I need to set up firewall rules for my IPsec site-to-site tunnel.

In the packet flow diagram, the IPsec decryption step shows the encrypted packet being decrypted first, then going back into the input chain.
When the encrypted packet is received at the first step, the source address of the packet is the remote router's public IP.
After it is decrypted, does the source IP remain the same as the remote router's public IP, or does it change to the server router's internal IP?

[Image: IPsec packet flow diagram]
 
msatter
Forum Guru
Posts: 1464
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Understanding IPSec packet flow

Tue Mar 24, 2020 1:58 pm

Encrypting/decrypting only changes the content of the packet.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.47.beta.x / Winbox 3.21 / MikroTik APP 1.3.12
NordVPN viewtopic.php?f=2&t=158439&p=781009 for multiple connections.
 
Zacharias
Forum Guru
Posts: 1757
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Understanding IPSec packet flow

Tue Mar 24, 2020 2:06 pm

As far as the IPsec tunnel is concerned, each site will see each other's public IPs...
When you try to reach, let's say, a local computer inside the tunnel, then that computer will see the traffic coming from the router itself...
In the case of an L2TP/IPsec tunnel, for instance, when you try to reach a device on the other side of the tunnel, that device will of course not see any public IPs...
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Understanding IPSec packet flow

Tue Mar 24, 2020 5:57 pm

It depends on what the remote side is sending. If you have transport mode IPsec (e.g. for L2TP/IPsec), the decrypted packet (L2TP) will have the same addresses as the encrypted one (unless it's changed by NAT). If you have tunnel mode IPsec (e.g. a LAN-to-LAN tunnel), the decrypted packet will have the source address of the remote device in the LAN (if it came from it) and the destination address will be a device on the local LAN, while the encrypted packets will have the remote router as source and the local router as destination.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
szymonzdziabek
just joined
Posts: 10
Joined: Wed Mar 25, 2020 1:01 pm
Location: Poland

Re: Understanding IPSec packet flow

Wed Mar 25, 2020 11:00 pm

Hello,
I have a very similar doubt regarding IPsec traffic.

Let's analyse the encryption. Do we have on the upper diagram a situation where a packet has a destination address that belongs to the second side of the IPsec tunnel? If so, it goes through the FORWARD chain (step 3) and then, if it belongs to an IPsec policy, it is encrypted. Does it mean only encryption? If so, does it leave the routing through the "L" point, and only then is it encapsulated and comes again to the routing through the "K" point? Or maybe all things that belong to the IPsec process are done directly in the box "IPSEC ENCRYPTION", and after leaving the "L" point that packet goes directly to the physical output interface?
@Sob, what you wrote means that encryption and encapsulation are done in just one step, right?

[Image: IPsec encryption packet flow diagram]
 
Zacharias
Forum Guru
Posts: 1757
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Understanding IPSec packet flow

Thu Mar 26, 2020 12:09 am

This is how IPsec works!!!
IPsec has, as @sob said, two modes: one is the Tunnel mode and the second is the Transport mode...
Tunnel mode is used in site-to-site VPNs, between gateways in simple words, and is the default mode, while Transport mode is used for client-to-site VPNs or end to end, between a computer and a gateway...
Now, the Tunnel mode adds a new IP header in front of the IP header of the originating packet...
In Transport mode no new IP header is added, so the IP stays the same... Unless, as @sob said, NAT is performed...
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Understanding IPSec packet flow

Thu Mar 26, 2020 12:23 am

There's this very nice thread with interesting details:

Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Don't take the warning at the beginning lightly. :)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
szymonzdziabek
just joined
Posts: 10
Joined: Wed Mar 25, 2020 1:01 pm
Location: Poland

Re: Understanding IPSec packet flow

Thu Mar 26, 2020 12:45 am

I know IPsec quite well and all the things both of you mentioned are of course correct, but as I wrote, I have a doubt about how it is carried out in MT devices. Does the IPsec packet in tunnel mode go to the "routing decision" box only once or twice? In other words, are the decryption and decapsulation (or encryption and encapsulation) done at the very same moment?
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Understanding IPSec packet flow

Thu Mar 26, 2020 12:52 am

Yes. Look at the images in the first post; they show all steps. Green is non-encrypted, yellowish is encrypted.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
szymonzdziabek
just joined
Posts: 10
Joined: Wed Mar 25, 2020 1:01 pm
Location: Poland

Re: Understanding IPSec packet flow

Thu Mar 26, 2020 9:33 am

I've been looking at this diagram for a few months ;P. So at point 7 in the encryption diagram the packet is fully encrypted and encapsulated at the same time? I'm in doubt because on the general packet flow diagram there is also a box: ENCAPSULATION (TUNNEL).
 
Sob
Forum Guru
Posts: 5416
Joined: Mon Apr 20, 2009 9:11 pm

Re: Understanding IPSec packet flow

Thu Mar 26, 2020 10:42 am

The second routing decision between steps 7 and 8 wouldn't make sense if the packet still had the original addresses. You can always do an experiment: add some logging rules in postrouting and see how many times the packet passes through there.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
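The address behaviour Sob describes (tunnel mode: router addresses on the wire, LAN addresses after decryption, hence a second routing decision; transport mode: same addresses on both passes) can be modelled in a few lines. The following is an added example written for this thread, not code from the forum posts or from MikroTik. All addresses are constructed, the pass labels ("pass 1", "pass 2", "routing 1", "routing 2") are generic rather than RouterOS chain names, and the `rule_hits` helper is a hypothetical stand-in for a filter rule that matches on source and destination subnets. It shows why a forward rule written for the LAN subnets only matches on the decrypted pass in tunnel mode, which is the question the thread opens with.

```python
# Added example (not from the thread or MikroTik): a toy model of which
# addresses a firewall rule sees before and after the IPsec step, in
# tunnel mode versus transport mode. All addresses below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ESP = 50   # IP protocol number of ESP (RFC 4303)
UDP = 17
TCP = 6


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    # For an ESP packet this is the protected payload: in tunnel mode the
    # whole inner packet, in transport mode the original packet whose
    # transport payload (e.g. L2TP over UDP) was protected in place.
    payload: Optional["Packet"] = None
    encrypted: bool = False


def tunnel_encapsulate(inner: Packet, local_gw: str, remote_gw: str) -> Packet:
    """Tunnel mode: a new outer IP header with the gateway addresses wraps the whole inner packet."""
    return Packet(src=local_gw, dst=remote_gw, proto=ESP, payload=inner, encrypted=True)


def tunnel_decapsulate(outer: Packet) -> Packet:
    """Tunnel mode receive: strip ESP and the outer header; the inner packet reappears unchanged."""
    if outer.proto != ESP or outer.payload is None:
        raise ValueError("not an ESP tunnel-mode packet")
    return outer.payload


def transport_protect(pkt: Packet) -> Packet:
    """Transport mode: the IP header is kept (same src/dst); only the payload is protected."""
    return Packet(src=pkt.src, dst=pkt.dst, proto=ESP, payload=pkt, encrypted=True)


def transport_unprotect(pkt: Packet) -> Packet:
    if pkt.proto != ESP or pkt.payload is None:
        raise ValueError("not an ESP transport-mode packet")
    return pkt.payload


Observation = Tuple[str, str, str]   # (pass label, src, dst)


def inbound_trace(wire: Packet, mode: str) -> List[Observation]:
    """Addresses a firewall rule sees on each pass of an inbound IPsec packet.

    Pass 1 is the encrypted packet as received on the interface; pass 2 is
    the decrypted packet re-entering the firewall. Which chain it re-enters
    is left to the RouterOS packet-flow diagram; this model tracks addresses only.
    """
    trace = [("pass 1 (encrypted)", wire.src, wire.dst)]
    clear = tunnel_decapsulate(wire) if mode == "tunnel" else transport_unprotect(wire)
    trace.append(("pass 2 (decrypted)", clear.src, clear.dst))
    return trace


def outbound_trace(clear: Packet, mode: str, local_gw: str, remote_gw: str) -> List[Observation]:
    """Addresses presented to the routing decision before and after the IPsec step on the way out."""
    trace = [("routing 1 (clear)", clear.src, clear.dst)]
    wire = tunnel_encapsulate(clear, local_gw, remote_gw) if mode == "tunnel" else transport_protect(clear)
    trace.append(("routing 2 (encrypted)", wire.src, wire.dst))
    return trace


def addresses_change(trace: List[Observation]) -> bool:
    """True when the second pass sees a different src/dst pair than the first (tunnel mode)."""
    return (trace[0][1], trace[0][2]) != (trace[1][1], trace[1][2])


def rule_hits(trace: List[Observation], src_net: str, dst_net: str) -> List[str]:
    """Hypothetical filter rule matching src-address/dst-address subnets: which passes would it hit?"""
    s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    return [label for label, src, dst in trace
            if ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d]


if __name__ == "__main__":
    LOCAL_GW, REMOTE_GW = "203.0.113.1", "198.51.100.1"      # constructed public router addresses
    lan_pkt = Packet("192.168.2.20", "192.168.1.10", TCP)     # constructed LAN-to-LAN packet from the remote site
    tunnel = inbound_trace(tunnel_encapsulate(lan_pkt, REMOTE_GW, LOCAL_GW), "tunnel")
    for label, src, dst in tunnel:
        print(f"tunnel    {label:22} {src:>15} -> {dst}")
    print("LAN-subnet rule hits:", rule_hits(tunnel, "192.168.2.0/24", "192.168.1.0/24"))
    l2tp_pkt = Packet(REMOTE_GW, LOCAL_GW, UDP)               # constructed L2TP/UDP packet, router to router
    for label, src, dst in inbound_trace(transport_protect(l2tp_pkt), "transport"):
        print(f"transport {label:22} {src:>15} -> {dst}")
```

Running it prints the tunnel-mode trace with router addresses on pass 1 and LAN addresses on pass 2 (the LAN-subnet rule hits only pass 2), and the transport-mode trace with the same router addresses on both passes, which is exactly why a second routing decision is needed in one case and not the other.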
 
Zacharias
Forum Guru
Posts: 1757
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Understanding IPSec packet flow

Thu Mar 26, 2020 8:53 pm

If you look at the traffic flow diagram in your first post, the encapsulation happens after the routing takes place... just before the packet leaves the router...
