Z0ltan
newbie
Topic Author
Posts: 35
Joined: Sat Dec 15, 2018 3:07 pm

IPSEC/IKEv2 limit the IPSEC allow rule

Mon Dec 06, 2021 4:27 pm

Running 7.1 since yesterday here on RB4011, but the question is not related to v7; there is a default firewall rule on the RB4011 which drops all inbound traffic not coming from the "LAN" interface list. If you want to use IPSEC IKEv2 VPN, that rule will block the VPN traffic because there is no interface defined for IKEv2, hence it cannot be added to the LAN interface list and the rule will drop the traffic. The generic way to overcome that is by adding an "accept" rule on top of it, but again since there is no interface for IKEv2, you have to allow inbound traffic from the WAN interface to make the VPN work. This would technically allow traffic from the same IP ranges to come in without the IPSEC VPN (so e.g. an attacker who could send traffic to your router using those same IP addresses that you use on your VPN would be able to access your internal network), is that right? If yes, would it be possible to somehow further restrict that rule (e.g. mangle the packets which are coming/going from the IPSEC tunnel and only allow those)? I'm looking for ideas on how the firewall rule behind the IKEv2 traffic could be further secured.
Last edited by Z0ltan on Mon Dec 06, 2021 7:45 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSEC/IKEv2 limit the IPSEC allow rule

Mon Dec 06, 2021 5:35 pm

You're looking for ipsec-policy=in,ipsec.
 
Z0ltan
newbie
Topic Author
Posts: 35
Joined: Sat Dec 15, 2018 3:07 pm

Re: IPSEC/IKEv2 limit the IPSEC allow rule

Mon Dec 06, 2021 6:03 pm

So that's in the forward chain, not input; so I guess that, as long as I filter the services on the device itself so they are not accessible from the VPN, there's nothing else I can do?

Or do you think I could add that same requirement to the rule in the input chain? Not sure how to interpret your response.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IPSEC/IKEv2 limit the IPSEC allow rule

Mon Dec 06, 2021 6:48 pm

VPN traffic is encrypted. If an attacker sends you traffic, it can't be decrypted by the router.

I allow traffic coming from the IP I have the tunnel up with in RAW. I then mark it as no-track, and if the encryption has the correct key it will be made into normal traffic.

Sometimes traffic (decrypted) comes in that is from the previous user of that IP with the VPN provider, and I can drop that because I don't use those incoming ports; the rest is taken care of by connection tracking.
 
Z0ltan
newbie
Topic Author
Posts: 35
Joined: Sat Dec 15, 2018 3:07 pm

Re: IPSEC/IKEv2 limit the IPSEC allow rule

Mon Dec 06, 2021 6:56 pm

I was thinking of the attacker sending regular unencrypted traffic from the same network that I use for VPN via the WAN interface (e.g. from the ISP) and how to stop that. The "Allow 192.168.11.x" or similar seems too broad for the WAN interface to me.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSEC/IKEv2 limit the IPSEC allow rule

Mon Dec 06, 2021 7:06 pm

Two things. If you want the VPN itself to work, the ports used by the server need to be accessible. For IPSec it's UDP ports 500 and 4500 and protocol 50 (ipsec-esp). That's in input. And to distinguish encrypted traffic from the tunnel, that's what ipsec-policy=in,ipsec is for. Works for both input and forward.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IPSEC/IKEv2 limit the IPSEC allow rule

Mon Dec 06, 2021 7:26 pm

This kind of traffic?

It tries to SYN even though there is no service running on that port. I have this rule in Filter:
add action=drop chain=input connection-state=!established,related dst-port=!xx,xxx,xxx in-interface-list=WAN log=yes log-prefix=NOservices protocol=tcp
Last edited by msatter on Mon Dec 06, 2021 8:17 pm, edited 2 times in total.
 
Z0ltan
newbie
Topic Author
Posts: 35
Joined: Sat Dec 15, 2018 3:07 pm

Re: IPSEC/IKEv2 limit the IPSEC allow rule  [SOLVED]

Mon Dec 06, 2021 7:45 pm

Hm, something really strange happened because it looks like I no longer need the rule. Wonder why I needed it beforehand, anyway, I'll mark this topic as solved.

I'll try to ask the question differently. Below is the default ruleset for the IPv4 firewall on 7.1:
/ip firewall {
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
  filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
  filter add chain=input action=accept src-address=192.168.77.0/24 comment="VPN inbound"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
  filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
What rule would you add to support IPSEC IKEv2 VPN client traffic from 192.168.77.x/24? I needed that accept rule to see traffic but it looks like my VPN now works without that rule; must have been some sort of error on my end.

Thank you all for your posts!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSEC/IKEv2 limit the IPSEC allow rule [SOLVED]

Mon Dec 06, 2021 9:06 pm

If this router is the VPN server (clients connect to it), then you want (before the last drop in the input chain):
/ip firewall filter
add chain=input dst-port=500,4500 protocol=udp action=accept
add chain=input protocol=ipsec-esp action=accept
If VPN clients should access router itself (via encrypted tunnel), then:
/ip firewall filter
add chain=input ipsec-policy=in,ipsec action=accept
Incoming traffic from VPN clients to LAN is already covered by the first rule in the forward chain. And the second one is for outgoing traffic to VPN clients. If you want further filtering and not to allow everything from/to VPN clients, you can change them to jumps, and then the subchains are almost like if you had an interface for IPSec, e.g.:
/ip firewall filter
add chain=forward ipsec-policy=in,ipsec action=jump jump-target=ipsec-in comment="VPN->LAN"
add chain=forward ipsec-policy=out,ipsec action=jump jump-target=ipsec-out comment="LAN->VPN"
add chain=ipsec-in protocol=tcp dst-port=3389 action=accept comment="all clients can access RDP"
add chain=ipsec-in src-address=192.168.77.100 comment="this client can access everything"
...
add chain=ipsec-in action=drop comment="nothing else is allowed"
add chain=ipsec-out dst-address=192.168.77.200 comment="allow access to client"
...
add chain=ipsec-out action=drop comment="nothing else is allowed"
Finally your:
/ip firewall filter
add chain=input action=accept src-address=192.168.77.0/24 comment="VPN inbound"
is not great, because it doesn't care whether it's encrypted traffic or not. But as long as the IPSec peer is enabled and there's a policy for 192.168.77.0/24, non-encrypted traffic from 192.168.77.0/24 from other sources will be filtered anyway.
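To tie the pieces of this thread together (the server ports from Sob's earlier reply, the ipsec-policy matcher, and the jump subchains above), here is one complete RouterOS 7 filter ruleset in the order the rules have to sit in. This is an added example written for this thread, not Sob's configuration or MikroTik's defconf script. It keeps the thread's values where they exist (the 192.168.77.0/24 client pool, the 192.168.77.100 "admin" client, the WAN/LAN interface lists) and assumes a LAN RDP host at 192.168.88.10 and the "vpn-" log prefixes, which are constructed for the example. It also adds two things the snippets above leave for the "..." lines: established/related accepts inside both subchains, without which replies to VPN->LAN connections would be dropped by the ipsec-out chain, and a logging rule that records plaintext packets arriving on WAN with a source address from the VPN pool, which is the spoofing case the original question was worried about.

```routeros
# Added example ruleset for an IKEv2 server behind the 7.1 defconf firewall.
# Assumptions (not from the thread): LAN host 192.168.88.10 offers RDP,
# log prefixes "vpn-*" are chosen freely.
/ip firewall filter

# --- input chain: traffic to the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"

# IKEv2 needs only these three things open from the Internet:
# IKE on UDP/500, NAT-T on UDP/4500, and ESP (IP protocol 50).
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface-list=WAN comment="IKEv2: IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN comment="IKEv2: ESP"

# Packets that were decrypted from a tunnel re-enter with ipsec-policy=in,ipsec.
# Only those may reach router services; the source address alone proves nothing.
add chain=input action=accept ipsec-policy=in,ipsec comment="VPN clients -> router (decrypted only)"

# Detection: a plaintext packet on WAN claiming a VPN-pool source is either
# spoofed or a leftover from a misconfigured client. defconf would drop it
# anyway; this rule exists to log it under its own prefix.
add chain=input action=drop src-address=192.168.77.0/24 in-interface-list=WAN ipsec-policy=in,none log=yes log-prefix="vpn-spoof" comment="plaintext from VPN pool on WAN"

add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

# --- forward chain: the jumps replace defconf's two blanket ipsec accepts ---
add chain=forward action=jump jump-target=ipsec-in ipsec-policy=in,ipsec comment="VPN->LAN"
add chain=forward action=jump jump-target=ipsec-out ipsec-policy=out,ipsec comment="LAN->VPN"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# --- ipsec-in: what VPN clients may open towards the LAN ---
add chain=ipsec-in action=accept connection-state=established,related comment="replies to LAN->VPN sessions"
add chain=ipsec-in action=accept protocol=tcp dst-address=192.168.88.10 dst-port=3389 comment="all clients: RDP to one host"
add chain=ipsec-in action=accept src-address=192.168.77.100 comment="admin client: everything"
add chain=ipsec-in action=drop log=yes log-prefix="vpn-in-deny" comment="nothing else from VPN"

# --- ipsec-out: what the LAN may open towards VPN clients ---
add chain=ipsec-out action=accept connection-state=established,related comment="replies to VPN->LAN sessions"
add chain=ipsec-out action=accept dst-address=192.168.77.200 comment="LAN may reach this client"
add chain=ipsec-out action=drop log=yes log-prefix="vpn-out-deny" comment="nothing else to VPN"
```

The ordering matters in two places: the three IKEv2 accepts and the ipsec-policy=in,ipsec accept must sit above "drop all not coming from LAN", and the jumps must stay where defconf puts its ipsec accepts, above fasttrack, as in the default ruleset quoted earlier in the thread. The established/related accept at the top of each subchain is the easiest rule to forget: a VPN client's RDP session to 192.168.88.10 produces replies that match ipsec-policy=out,ipsec, and without it those replies would hit the final drop of ipsec-out. Checking the "vpn-spoof" and "vpn-*-deny" prefixes in the log is a quick way to confirm the rules are catching what you expect.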
