MikroTik Tutorial: Firewall ruleset for IPsec whitelisting

This article will show you how to setup a firewall whitelist for IPsec peer associations on a MikorTik router. The firewall ruleset will make use of address-lists to allow UDP 500 traffic only from trusted networks.

The address list for trusted networks will be called ipsec-trusted-nets and all other hosts that attempt IPsec traffic will be added to the list ipsec-uninvited.

Here are the firewall input rules

Please Note: This is not a complete firewall ruleset, only the rules relevant to whitelist/blacklist IPsec traffic to the router.

/ip firewall filter
add action=add-dst-to-address-list address-list=ipsec-uninvited \
    address-list-timeout=4w2d chain=input comment=\
    "Add unknown IPsec attempts to \"ipsec-uninvited\" list" connection-state=new \
    dst-port=500 in-interface=ether1 protocol=udp src-address-list=\
    !ipsec-trusted-nets
add action=accept chain=input comment=\
    "Allow UDP:500 from \"ipsec-trusted-nets\" list" dst-port=500 in-interface=\
    ether1 protocol=udp src-address-list=ipsec-trusted-nets
add action=accept chain=input comment=\
    "Allow UDP:4500 to ADDRESS-LIST:ipsec-trusted-nets" dst-port=4500 in-interface=\
    ether1 protocol=udp src-address-list=ipsec-trusted-nets
add action=drop chain=input comment="Deny UDP:500 from \"ipsec-uninvited\" list" \
    dst-port=500 in-interface=ether1 log=yes log-prefix=ipsec-uninvited protocol=udp \
    src-address-list=ipsec-uninvited

Decision Flowchart

This technique will limit the total attack surface of your public facing IPsec VPN router. I know that all of my IPsec clients will be coming from one class A subnet (owned by one of the major wireless carriers) so I’ve added it to the ipsec-trusted-nets address list. The same technique can be used to whitelist/blacklist other protocols such as SSH.

If you found this articles useful please take a moment to share it on twitter! Join the conversartion by writing a comment below or check my other Mikrotik Tutorials.