Yes, when establishing an IPsec tunnel in MikroTik, it is recommended and often necessary to configure specific firewall rules. These rules are important for several reasons, including securing the tunnel, allowing IPsec traffic through the firewall, and protecting your network.
We explain what types of rules are usually necessary and why:
1. Allow IPsec Traffic
In order for IPsec traffic to flow through your MikroTik device and establish the tunnel correctly, you need to ensure that the firewall allows the protocols and ports used by IPsec. This usually includes:
- ESP (Encapsulating Security Payload): Allow IP protocol 50 traffic, used by ESP to provide confidentiality, authentication and integrity.
- AH (Authentication Header): Allow IP protocol 51 traffic, if AH is used in your IPsec configuration to provide authentication and integrity without confidentiality.
- IKE (Internet Key Exchange): Allow UDP traffic on port 500 (and possibly port 4500 for NAT-T) for IKE, which is used for key exchange and security association negotiation.
2. Secure the Tunnel
In addition to simply allowing IPsec traffic, you may want to create rules to limit traffic through the tunnel to certain types of traffic or to certain IP addresses to increase security. This may include rules for:
- Allow only certain types of traffic through the tunnel.
- Restrict access through the tunnel to only certain IP addresses or subnets.
3. Attack Protection
It is important to consider rules to protect your device and network against attacks that could be facilitated through the IPsec tunnel. This could include:
- Limit connection attempts to the VPN to prevent brute force attacks.
- Block anomalous or unwanted traffic that should not be present in the tunnel.
Example Firewall Rule to Allow IKE and ESP:
/ip firewall filter
add chain=input protocol=udp dst-port=500 action=accept comment="Allow IKE for IPsec"
add chain=input protocol=ipsec-esp action=accept comment="Allow ESP for IPsec"
Final Considerations:
- Order of the Rules: The order in which you place your rules on the firewall is important. Rules are processed from the top down, so you should place specific rules before more general rules to avoid conflicts or unwanted blocking.
- Monitoring and Maintenance: Once the IPsec tunnel and corresponding firewall rules are configured, it is good practice to monitor tunnel traffic and performance, as well as periodically review the firewall rules to adjust them as necessary.
Properly configuring firewall rules on your MikroTik device is crucial to the success and security of your IPsec tunnel.
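A fuller rule set that puts the three points above together (allow IKE/ESP, restrict what may cross the tunnel, limit IKE brute-force attempts), added here as an illustration and not taken from the original answer. The WAN interface ether1, the subnets 192.168.10.0/24 (local) and 192.168.20.0/24 (remote), the address-list name ike_blocked and the rate-limit values are assumptions to adapt to your own setup.

```routeros
# Added example, not the original answer's code. Assumed: WAN interface ether1,
# local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24, list name ike_blocked.
/ip firewall filter
# Keep return traffic of already accepted connections flowing (usual first rule)
add chain=input connection-state=established,related action=accept \
    comment="Accept established/related"
# 3. Attack protection: refuse IKE from sources already on the blacklist,
#    rate-limit new IKE exchanges, and blacklist anything above the limit
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    src-address-list=ike_blocked action=drop comment="Drop blacklisted IKE sources"
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    connection-state=new limit=5/1m,10:packet action=accept \
    comment="1. Allow IKE and NAT-T (rate limited)"
# add-src-to-address-list does not stop processing; the packet falls through
# to the final drop below
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    connection-state=new action=add-src-to-address-list \
    address-list=ike_blocked address-list-timeout=1h \
    comment="Blacklist IKE brute-force sources for 1h"
# 1. IPsec data traffic (NAT-T-encapsulated ESP already arrives on UDP 4500)
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept \
    comment="Allow ESP"
add chain=input in-interface=ether1 protocol=ipsec-ah action=accept \
    comment="Allow AH (only if AH is used)"
# 2. Secure the tunnel: only packets that were really decrypted by an IPsec
#    policy, and only between the expected subnets, may cross the router
add chain=forward ipsec-policy=in,ipsec src-address=192.168.20.0/24 \
    dst-address=192.168.10.0/24 action=accept \
    comment="Remote LAN to local LAN via IPsec"
add chain=forward ipsec-policy=out,ipsec src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 action=accept \
    comment="Local LAN to remote LAN via IPsec"
add chain=forward ipsec-policy=in,ipsec action=drop \
    comment="Drop any other traffic arriving through the tunnel"
# Order matters: the accepts above must sit before the catch-all drop. On a
# router that already has a drop rule, add them with place-before=<rule id>.
add chain=input in-interface=ether1 action=drop comment="Drop other WAN input"
```

Check the result with /ip firewall filter print stats and /ip firewall address-list print after a test connection: the IKE accept counter should rise for the legitimate peer, and only sources exceeding the limit should appear in ike_blocked.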