Essentially I would like to configure my firewall to only allow IPSEC/L2TP clients into the LAN, and to also specify what they can access. For argument's sake, we'll say an intranet web server. Is this possible? What needs to be done?
My understanding, which is also applied in the above thread, is that IPSEC packets appear to arrive unencrypted on the WAN interface, so you can't distinguish between packets from the VPN and the public internet? Is this correct?
I don't quite follow, I'm afraid, but thanks for your input! I know you can create a permanent interface on the L2TP server for a user even though the connection may not be active; is that what you refer to as binding? What if someone were to send traffic over IPSEC that wasn't encapsulated in L2TP? Wouldn't using L2TP interfaces leave that open to attack?
I’ve not seen the bridge parts before, and having a quick flick through the wiki hasn’t made me any wiser.
Sorry if I’m being dumb, I’m trying to brush up on my overview of VPNs etc. I’ve been using routers for a few years now, but this is my first real play with L2TP / IPSEC.
Look into the bridge, incoming-filter, and outgoing-filter options. See: http://wiki.mikrotik.com/wiki/Manual:PPP_AAA#User_Profiles … I can post more later and see if I can come up with an example. But that's where you want to start.
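The following RouterOS configuration is an added example, not posted by anyone in this thread: it requires IPsec for every L2TP session, accepts UDP 1701 on the WAN only after IPsec decryption (the `ipsec-policy=in,ipsec` matcher is what tells VPN traffic apart from plain internet traffic), drops decrypted IPsec traffic that is not L2TP, and lets VPN clients reach only the intranet web server. The WAN interface `ether1`, the client pool `10.10.10.0/24`, the server address `192.168.88.10` and the placeholder pre-shared key are assumptions.

```routeros
# Assumptions (not from the thread): WAN interface is ether1, L2TP clients
# are assigned addresses from 10.10.10.0/24, intranet web server is 192.168.88.10.

/ip pool
add name=l2tp-pool ranges=10.10.10.2-10.10.10.254

/ppp profile
add name=l2tp-profile local-address=10.10.10.1 remote-address=l2tp-pool

# Every L2TP session must be carried inside IPsec; CHANGE_ME is a placeholder PSK.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=CHANGE_ME default-profile=l2tp-profile

/ip firewall filter
# WAN input: only IKE, NAT-T and ESP are accepted in the clear.
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"
# The L2TP control channel is accepted only once the packet has been decrypted by IPsec.
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec"
# Plain UDP 1701 from the internet, and decrypted IPsec traffic that is not L2TP, is dropped here.
add chain=input in-interface=ether1 action=drop comment="drop other WAN input"
# Belt and braces: never forward decrypted IPsec traffic that bypassed the L2TP tunnel.
add chain=forward in-interface=ether1 ipsec-policy=in,ipsec action=drop comment="no bare IPsec forwarding"

# VPN clients may reach the intranet web server and nothing else.
# Place these before any general LAN accept rules in the forward chain.
add chain=forward src-address=10.10.10.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=80,443 action=accept comment="VPN -> intranet web"
add chain=forward src-address=10.10.10.0/24 action=drop comment="VPN clients: nothing else"
```

Verify with `/ip firewall filter print stats` while a client connects: the IKE/ESP and "L2TP inside IPsec" counters should increase, while the "drop other WAN input" counter should not grow for that client's address.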