190
AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
large packets with the don't fragment flag will not be able to pass the router
    inherit - do not change the field
    set - set the field, so that each packet matching the rule will not be fragmented. Not recommended
dst-address (IP address/netmask:port; default: 0.0.0.0/32:any) - destination IP address
dynamic (read-only: flag) - whether the rule has been created dynamically
in-accepted (integer) - how many incoming packets were passed through by the policy without an attempt to decrypt
in-dropped (integer) - how many incoming packets were dropped by the policy without an attempt to decrypt
in-transformed (integer) - how many incoming packets were decrypted (ESP) and/or verified (AH) by the policy
inactive (read-only: flag) - whether the rule is inactive (it may become inactive due to some misconfiguration)
ipsec-protocols (multiple choice: ah | esp; default: esp) - specifies what combination of Authentication Header and Encapsulating Security Payload protocols you want to apply to matched traffic. AH is applied after ESP, and in the case of tunnel mode ESP will be applied in tunnel mode and AH in transport mode
level (unique | require | use; default: require) - specifies what to do if some of the SAs for this policy cannot be found:
    use - skip this transform, do not drop the packet and do not acquire an SA from the IKE daemon
    require - drop the packet and acquire an SA
    unique - drop the packet and acquire a unique SA that is only used with this particular policy
manual-sa (name; default: none) - name of the manual-sa template that will be used to create SAs for this policy
    none - no manual keys are set
out-accepted (integer) - how many outgoing packets were passed through by the policy without an attempt to encrypt
out-dropped (integer) - how many outgoing packets were dropped by the policy without an attempt to encrypt
out-transformed (integer) - how many outgoing packets were encrypted (ESP) and/or signed (AH)
ph2-state (read-only: expired | no-phase2 | established) - indication of the progress of key establishment
    expired - there are some leftovers from a previous phase 2. In general it is similar to no-phase2
    no-phase2 - no keys are established at the moment
    established - appropriate SAs are in place and everything should be working fine
priority (integer; default: 0) - policy ordering classifier (signed integer). A larger number means higher priority
proposal (name; default: default) - name of the proposal information that will be sent by the IKE daemon to establish SAs for this policy
protocol (name | integer; default: all) - IP packet protocol to match
sa-dst-address (IP address; default: 0.0.0.0) - SA destination IP address (remote peer)
sa-src-address (IP address; default: 0.0.0.0) - SA source IP address (local peer)
src-address (IP address/netmask:port; default: 0.0.0.0/32:any) - source IP address
tunnel (yes | no; default: no) - specifies whether to use tunnel mode

All packets are IPIP encapsulated in tunnel mode, and their new IP header src-address and dst-address are set to the sa-src-address and sa-dst-address values of this policy. If you do not use tunnel mode (that is, you use transport mode), then only packets whose source and destination addresses are the same as sa-src-address and sa-dst-address can be processed by this policy. Transport mode can only work with packets that originate at and are destined for IPsec peers (hosts that established security associations). To encrypt traffic between networks (or a network and a host) you have to use tunnel mode.

It is good to have dont-fragment cleared because encrypted packets are always bigger than the original and thus they may need fragmentation.

If you are using IKE to establish SAs automatically, then policies on both routers must exactly match each other; that is, src-address=1.2.3.0/27 on one router and dst-address=1.2.3.0/28 on the other would not work. Source address values on one router MUST be equal to destination address values on the other one, and vice versa.
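The mirror-image requirement above, as an added configuration example that is not from the guide: two routers, A (peer address 10.1.1.1, protecting 192.168.1.0/24) and B (peer address 10.2.2.2, protecting 192.168.2.0/24), each get one tunnel-mode policy whose src/dst and sa-src/sa-dst values are the other router's swapped. All addresses are constructed; `action=encrypt` is a policy property documented on another page of this guide and is assumed here.

```routeros
# Router A (local peer 10.1.1.1, LAN 192.168.1.0/24) - constructed addresses
/ip ipsec policy add src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=10.1.1.1 sa-dst-address=10.2.2.2 proposal=default

# Router B (local peer 10.2.2.2, LAN 192.168.2.0/24): the same policy with
# src/dst and sa-src/sa-dst swapped, so A's source selector is B's destination
# selector and vice versa, exactly as IKE requires
/ip ipsec policy add src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=10.2.2.2 sa-dst-address=10.1.1.1 proposal=default

# A selector that is merely overlapping is not enough: if B used
# dst-address=192.168.1.0/25 instead of /24, phase 2 would never reach
# "established". Inspect ph2-state and the in-/out- counters to confirm:
/ip ipsec policy print detail
```

Once both sides are up, ph2-state should read established and out-transformed/in-transformed should grow while in-dropped stays at zero; a rising in-dropped or a persistent no-phase2 points at mismatched selectors or proposals.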