Questions about ipsec

Posted: Fri May 26, 2023 12:57 am
by h2desk
Hey, guys.
Before I start, thanks for taking the time to read my question.

I wanted to know if it is possible to make some of these configurations in IPsec. These are unrelated questions. Plucked from scenarios of my imagination from my creative mind like a donkey.

1 - In IPsec settings, when you use IKEv2 Roadwarrior, you have an assigned IP. Is it possible to put it as static on the client side?

2 - Is it possible to use 0.0.0.0/0 in policies for both src and dst and control output via mangle rule?

3 - Is it possible to use the mangle rule to define which output gateway to use to close the tunnel? Leave the peer's local address blank.

Last doubt. Focused on understanding what this function is in MK. In the firewall rules there is the option ipsec policy, in or out, none or ipsec.
What is it for?
Which scenario would I use?
Is it possible to create my policy and leave it in and out?

Re: Questions about ipsec

Posted: Tue May 30, 2023 7:24 am
by Kentzo
1 - In IPsec settings, when you use IKEv2 Roadwarrior, you have an assigned IP. Is it possible to put it as static on the client side?
I don't think it's necessary to supply a "virtual" IP via Mode Config as long as the client can handle it. Built-in desktop / mobile OS clients usually cannot and expect an IP to be assigned to them by the responder.
2 - Is it possible to use 0.0.0.0/0 in policies for both src and dst and control output via mangle rule?
How would a mangle rule change a packet to avoid 0.0.0.0/0? There are no VTIs for IPsec tunnels on RouterOS.
Last doubt. Focused on understanding what this function is in MK. In the firewall rules there is the option ipsec policy, in or out, none or ipsec.
Think about it as DPI: you can distinguish packets inside IPsec. Consider a WAN interface where you want only IPsec traffic. You'd use these options to accept out/ipsec and in/ipsec while dropping the rest.
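The "only IPsec on the WAN" scenario described in the reply above, written out as an added RouterOS configuration example (not code from the post or from MikroTik's documentation). The interface name ether1-wan is assumed; the input-chain rules are needed because the encrypted IKE/ESP packets themselves carry no IPsec policy and would otherwise be dropped before decryption.

```routeros
# Added example: restrict a WAN interface to IPsec-protected traffic only.
# Assumed interface name: ether1-wan
/ip firewall filter

# Let the IPsec control and data channels reach the router itself.
add chain=input in-interface=ether1-wan protocol=udp dst-port=500,4500 \
    action=accept comment="IKE / NAT-T"
add chain=input in-interface=ether1-wan protocol=ipsec-esp \
    action=accept comment="ESP"

# Forwarded traffic: accept only packets that were decrypted by an
# IPsec policy on the way in (in,ipsec) or will be encrypted by one
# on the way out (out,ipsec), then drop everything else on the WAN.
add chain=forward in-interface=ether1-wan ipsec-policy=in,ipsec \
    action=accept comment="decrypted IPsec traffic from WAN"
add chain=forward out-interface=ether1-wan ipsec-policy=out,ipsec \
    action=accept comment="traffic that will be encrypted towards WAN"
add chain=forward in-interface=ether1-wan action=drop \
    comment="plaintext traffic from WAN"
add chain=forward out-interface=ether1-wan action=drop \
    comment="plaintext traffic to WAN"
```

Rule order matters: the accept rules carrying ipsec-policy must sit above the catch-all drops, and existing rules for established/related connections should be kept above these.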

Re: Questions about ipsec

Posted: Wed May 31, 2023 5:42 pm
by h2desk
1 - In IPsec settings, when you use IKEv2 Roadwarrior, you have an assigned IP. Is it possible to put it as static on the client side?
I don't think it's necessary to supply a "virtual" IP via Mode Config as long as the client can handle it. Built-in desktop / mobile OS clients usually cannot and expect an IP to be assigned to them by the responder.
2 - Is it possible to use 0.0.0.0/0 in policies for both src and dst and control output via mangle rule?
How would a mangle rule change a packet to avoid 0.0.0.0/0? There are no VTIs for IPsec tunnels on RouterOS.
Last doubt. Focused on understanding what this function is in MK. In the firewall rules there is the option ipsec policy, in or out, none or ipsec.
Think about it as DPI: you can distinguish packets inside IPsec. Consider a WAN interface where you want only IPsec traffic. You'd use these options to accept out/ipsec and in/ipsec while dropping the rest.


I understood. Okay, thanks for the information and your time.
I will try to see the issue of item three. Achieving it forces the traffic generated by the MikroTik itself to leave through the given link.
I still didn't get the mangle output rules right in my test.