I have a working ikev2 vpn connection setup on my ros.
Every tutorial says i need to allow ports 500, 4500 UDP and IPSec ESP on input chain. Some tutorials even say port 1701 UDP needs to be opened on input chain.
Than why is my connection working completely even if I don't allow 1701 nor IPSec esp, but only 500 and 4500? I allow IPSec on forward chain, though.

I have a working ikev2 vpn connection setup on my ros.
Every tutorial says i need to allow ports 500, 4500 UDP and IPSec ESP on input chain. Some tutorials even say port 1701 UDP needs to be opened on input chain.
Than why is my connection working completely even if I don't allow 1701 nor IPSec esp, but only 500 and 4500? I allow IPSec on forward chain, though.

Port 1701 UDP is for the L2TP ppp connection only !

Okay, 50% of mystery solved
Why is then my connection working even while I'm not allowing ipsec protocol (50) on input chain?

Okay, 50% of mystery solved
Why is then my connection working even while I'm not allowing ipsec protocol (50) on input chain?

Are you sure ? When you are activated IKE (ISAKMP) these protocols /50 and 51/ are allowed automatically /unless you explicitly disallow them/ !

Okay.... never easy with MT.
There are two ways of letting ipsec connections through. Allow protocol 50 or connections with in ipsec policy.
When I'm trying with the first option, vpn connects but connections somehow do not get through. If i do it with second type rule, then everything is fine... any ideas why this happens?

Okay.... never easy with MT.
There are two ways of letting ipsec connections through. Allow protocol 50 or connections with in ipsec policy.
When I'm trying with the first option, vpn connects but connections somehow do not get through. If i do it with second type rule, then everything is fine... any ideas why this happens?

I can not understand exactly what you are trying to setup - sorry for that.
Find out what you want first ! IPSec have two modes and two formats basically - tunnel or transport mode with ESP or AH format . Just understand the principle of working in each of the four types.

Okay, 50% of mystery solved
Why is then my connection working even while I'm not allowing ipsec protocol (50) on input chain?

IPsec works as follow:

* IKE (Internet Key Exchange) protocol is used to set up a security association (SA) by agreeing in short term crypto parameters. IKE requires UDP port 500
* Packets are then exchanged used protocol some ip protocols like ESP, AH and/or IPCOMP
As you can see, esp is protocol 50, ah is 51 and ipcomp is 108. I have never seen any one to use ipcomp. Re: ah, it is usually used when you want to guarantee integrity without caring for confidentiality, again not often.

As in the small IPv4 world adreeses and ports are scarce, and existing infrastructure cannot often deal with opening protocols, the standard have NAT traceversal provisions: if the machines sees that protocols are not working, they encapsulate every proto 50,51 or 108 packet in a UDP packet using port 4500. There are good techniques for "punching holes" in firewalls and traversing NAT servers using UDP.
So, for a working IPsec you need either UDP port 500 and protocol 50 or UDP ports 500 and 4500.

I'm using both approaches:
* naked IPsec for hosts on public IPs that allows protocol 50
* NAT-Traversed IPsec for road warriors and other connections.

Hi,

I have question about ikev2.

I use Strongswan ikev2 on RaspberryPi.

MicroTik router have IP 192.168.178.1
RaspberryPi 192.168.178.11
pool for VPN is set to 192.168.179.200-245
I have open ports 500 and 4500.

If I connect over other network VPN works fine. What should I set, that devices can also access VPN server over LAN?