Hi guys.
I managed to configure IPSec with L2TP and added 2 users:
- user1 has access to all systems in LAN
- user2 should only have access to a single IP in the LAN.
I didn't find anything on how to limit access to that specific IP, or I don't know what I should search for.
Thank you in advance!
The current config for VPN is:
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des pfs-group=none
/ip pool
add name=vpn ranges=192.168.88.42-192.168.88.60
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 interface-list=WAN2 local-address=192.168.88.1 name=l2tp-vpn remote-address=vpn use-encryption=yes
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 enabled=yes ipsec-secret=*************** max-mru=1460 max-mtu=1460 use-ipsec=required
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (ipsec-ah)" in-interface-list=WAN protocol=ipsec-ah
add action=accept chain=input comment="allow L2TP VPN (1701/udp)" dst-port=1701 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow L2TP VPN (4500/udp)" dst-port=4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow L2TP VPN (500/udp)" dst-port=500 in-interface-list=WAN protocol=udp
/ppp secret
add name=user1 password=****************** profile=l2tp-vpn
add name=user2 password=****************** profile=l2tp-vpn
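One way to do what the post asks, as an added example rather than part of the original post: give user2 a fixed tunnel address in its PPP secret, then match that address in the firewall forward chain so it can only reach the one host. The allowed host 192.168.88.10 and the static address 192.168.88.61 are assumptions; 192.168.88.61 is chosen deliberately outside the "vpn" pool (.42-.60) so no other client can ever receive it.

```routeros
# Added example, not from the original post. Assumed values: the LAN host
# user2 may reach is 192.168.88.10; user2 is pinned to 192.168.88.61, an
# address outside the "vpn" pool so the filter rules identify one user only.
/ppp secret
set [ find name=user2 ] remote-address=192.168.88.61

/ip firewall filter
# Whitelist the single host. The rule goes to the top of the filter list
# (place-before=0) so that no broader accept rule, such as the defconf
# ipsec-policy rules already in the forward chain, matches first.
add chain=forward action=accept src-address=192.168.88.61 \
    dst-address=192.168.88.10 comment="user2: allow single LAN host" \
    place-before=0
# Drop everything else user2 sends through the router (LAN and Internet).
# To allow Internet but not LAN, add dst-address=192.168.88.0/24 here.
add chain=forward action=drop src-address=192.168.88.61 \
    comment="user2: drop everything else" place-before=1
# Keep user2 away from the router's own services too. The L2TP/IPsec tunnel
# arrives from the client's public IP, not from .61, so this does not break it.
add chain=input action=drop src-address=192.168.88.61 \
    comment="user2: no access to the router itself" place-before=0
```

Reconnect user2 after the change and confirm with `/ppp active print` that it received 192.168.88.61, then watch the counters in `/ip firewall filter print stats` while the client tries an allowed and a blocked destination. Because VPN clients share the LAN subnet here, their traffic to LAN hosts is routed from the L2TP interface to the bridge, so it does pass the forward chain; return traffic from 192.168.88.10 is unaffected because the drop matches only on source address. Unrelated to the access question but worth noting: the profile and proposal lists in the post still offer 3des, sha1 and mschap1, which are legacy choices and can be removed if every client supports AES, SHA-256 and MS-CHAPv2.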