Filter rule for L2TP (but only from IPsec!)

Hello!

For my Mikrotik L2TP+IPsec server I’ve opened these ports:

  • PROTO 50 ESP,
  • Port 500 UDP (ISAKMP),
  • Port 4500 UDP (NAT-T) and…

I need to accept packets to the L2TP service (1701), but not just any packet: only those that are part of an IPsec SA.

This is the right rule on Linux:

iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

Can you help me with the Mikrotik syntax instead of a simple “add chain=eth0 dst-port=1701 protocol=udp”?

Thanks!

Is it not possible?
Thanks again

You can try to improve your suggestion with connection-state=related, but I’m not sure if it will work with IPsec.

Look at this… http://wiki.mikrotik.com/wiki/Securing_L2TP_Server_for_IPSec

This is the best way to do it.
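As an added illustration (not posted by anyone in this thread), the following is the RouterOS equivalent of the iptables `-m policy --dir in --pol ipsec` rule from the original question. It assumes the `ipsec-policy` matcher of the RouterOS firewall filter (present in RouterOS 6.x and later); the rule order, comments and log prefix are this example's own choices.

```routeros
# Added example: input-chain rules for an L2TP/IPsec server on RouterOS.
# Assumes the `ipsec-policy` firewall matcher (RouterOS 6.x and later).
/ip firewall filter
# IKE (500) and NAT-T (4500) negotiation, plus ESP itself: the ports the poster already opened.
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
# L2TP (UDP/1701): accept only packets that arrived inside an inbound IPsec SA.
# This is the counterpart of iptables `-m policy --dir in --pol ipsec`.
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP only when decrypted from IPsec"
# Any remaining packet to UDP/1701 is plaintext L2TP: drop it and log it so attempts are visible.
add chain=input protocol=udp dst-port=1701 action=drop log=yes log-prefix="L2TP-plain" \
    comment="drop plaintext L2TP"
```

Rules are evaluated top to bottom, so the `ipsec-policy=in,ipsec` accept must sit above the plaintext drop, and both must sit above any generic drop at the end of the input chain. To confirm the matcher is doing its job, connect a client and compare the packet counters of the two UDP/1701 rules with `/ip firewall filter print stats`: a working tunnel increments only the accept rule, while the `L2TP-plain` counter (and the matching log lines) shows unencrypted attempts.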