chatravin
just joined
Topic Author
Posts: 8
Joined: Fri Nov 06, 2015 11:00 am

How to drop packets which are not encrypted in IPSec tunnel?

Sat Nov 06, 2021 4:33 pm

Hi,
I have a MK router with a working IPSec tunnel to a remote site. Some users within a particular source address list, e.g. "EncryptedUsers", are defined in IPSec-->Mode Config and IPSec-->Identities to go through this tunnel. My question is: how can I prevent packets of those users from going to the default gateway in situations where the IPSec tunnel is down?
Is there any way to detect and drop unencrypted packets in firewall filter rules?
Thanks in advance.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: How to drop packets which are not encrypted in IPSec tunnel?

Sat Nov 06, 2021 6:35 pm

To build an IPsec connection you need UDP 500 and 4500. Then you could filter traffic from that, and encrypted traffic is recognised with ipsec-policy=in,ipsec; traffic not matching that is not encrypted.

Secondly, you can search this forum for "kill switch".
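A concrete form of the ipsec-policy matcher mentioned above, written as an added example for this thread rather than taken from a post or from MikroTik's documentation. It assumes the address list is named "EncryptedUsers" as in the question, that the tunnel's policies are generated dynamically by mode config (so they disappear when the tunnel is down), and uses 10.0.2.0/24 as a placeholder for the remote site's subnet:

```routeros
# Added example: IPsec "kill switch" for hosts in the address list
# "EncryptedUsers" (name from the question). 10.0.2.0/24 is a placeholder
# for the remote site's subnet; replace it with the real one.
/ip firewall filter
# 1. Traffic that an active IPsec policy will encrypt on the way out: allow it.
add chain=forward src-address-list=EncryptedUsers ipsec-policy=out,ipsec \
    action=accept comment="EncryptedUsers: IPsec-protected traffic"
# 2. Traffic from the same hosts that no policy will encrypt (tunnel down, or
#    destination outside the policy): log and drop it instead of letting it
#    leak in plaintext to the default gateway. The forward chain does not
#    affect the router's own IKE traffic on UDP 500/4500 (output chain).
add chain=forward src-address-list=EncryptedUsers ipsec-policy=out,none \
    action=drop log=yes log-prefix="ipsec-leak" \
    comment="EncryptedUsers: kill switch (plaintext, no IPsec policy)"
# 3. Inbound check: packets claiming to come from the remote subnet that were
#    not decapsulated from IPsec are spoofed or leaked plaintext; drop them.
add chain=forward src-address=10.0.2.0/24 ipsec-policy=in,none \
    action=drop comment="remote subnet must arrive via IPsec"
```

Hits on the kill-switch rule (its packet counter, or lines tagged "ipsec-leak" in the log) are also a simple way to notice that the tunnel has gone down while hosts were still trying to use it.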
 
chatravin
just joined
Topic Author
Posts: 8
Joined: Fri Nov 06, 2015 11:00 am

Re: How to drop packets which are not encrypted in IPSec tunnel?

Wed Nov 10, 2021 9:09 am

Thanks for the clue, dear @msatter. I searched the keywords and found useful tips on this topic in the wiki:
https://wiki.mikrotik.com/wiki/Manual:I ... are%20some
https://wiki.mikrotik.com/wiki/Manual:I ... ult%3A%20)
 
phamsyhung
just joined
Posts: 4
Joined: Wed Dec 16, 2020 10:15 am

Re: How to drop packets which are not encrypted in IPSec tunnel?

Wed Nov 10, 2021 9:56 am

I have a problem when packets travel through a site-to-site tunnel.
Site 1: Cisco router
Host A1: 192.168.10.1/24, belongs to VLAN 10 created on the switch
Tunnel: 1.2.1.1
Site 2: MikroTik router
Host B2: 192.168.20.1/24, belongs to VLAN 20 created on the switch
Tunnel: 1.2.1.2

- The 2 sites are connected by a tunnel and run OSPF together; site 1 is a Cisco router, site 2 is a MikroTik. Routing itself is no problem, but when I ping from a host in site 2 to site 1 and capture with Wireshark, all packets arrive with the IP of the tunnel interface. Even if I create a new network that hasn't been advertised to OSPF or routed anywhere, it can still ping site 1 (using ping .... src-address=....), but all packets have the source IP of the tunnel interface. I don't know what the problem is. It matters because of my access list: I want to permit only some IPs from the other site, but since only the tunnel interface IP needs to be permitted, all IPs can ping through to site 1 (the site with the Cisco router).
For example: when I ping from host B2 to host A1 and check the packets on interface VLAN 10, they have source IP 1.2.1.2, although in theory it should be the IP of host B2 (192.168.20.1). This causes the access list to not filter that packet correctly.
- Given how tunnels are supposed to work, I find this case a bit ridiculous, while site 1 and site 3 (both Cisco) don't have this problem. Can anyone who has encountered this situation explain it to me?
