IPSec/L2TP

Hello, I found this post https://serverfault.com/questions/451381/which-ports-for-ipsec-lt2p and I want to increase the security of my input ports. At the moment I have these rules for IPSec/L2TP:

chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,1701,4500 log=no log-prefix="" 
chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 
chain=input action=accept protocol=ipsec-ah log=no log-prefix=""

But in that post I read: “Port 1701 is used by the L2TP Server, but connections should not be allowed inbound to it from outside. There is a special firewall rule to allow only IPSEC secured traffic inbound on this port.”
The question is: how can I translate this rule to MikroTik?

iptables -A INPUT -i $EXT_NIC -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

Thank you guys!

You’ll probably need a bit of trial and error with this one, but I think this is a fairly close translation into RouterOS from iptables:

/ip firewall filter
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp src-port=500

What you’re looking for is the ipsec-policy matcher:

/ip firewall filter
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec

And remove 1701 from the other rule, because that would also allow unencrypted L2TP.
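As an added example (not code from any of the posters), here is a complete input-chain ruleset for an IPsec/L2TP server on RouterOS that applies the advice above; ether1 is the WAN interface from the original rules, while the comments and the log prefix are assumptions:

```routeros
# Added example: input-chain rules for an IPsec/L2TP server on RouterOS.
# ether1 is the WAN interface from the original post; everything else is an assumption.
/ip firewall filter

# IKE (500) and NAT-T (4500) must be reachable in the clear: they carry the IPsec negotiation itself.
add chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,4500 \
    comment="IPsec IKE / NAT-T"

# ESP carries the encrypted tunnel; keep the AH rule only if AH is actually negotiated.
add chain=input action=accept protocol=ipsec-esp in-interface=ether1 comment="IPsec ESP"
add chain=input action=accept protocol=ipsec-ah in-interface=ether1 comment="IPsec AH (optional)"

# L2TP control channel, accepted only when the packet was decapsulated from an IPsec SA
# (the RouterOS counterpart of iptables' -m policy --dir in --pol ipsec).
add chain=input action=accept protocol=udp in-interface=ether1 dst-port=1701 \
    ipsec-policy=in,ipsec comment="L2TP over IPsec only"

# Anything else aimed at 1701 is plaintext L2TP: log it (useful for spotting probes) and drop it.
add chain=input action=drop protocol=udp in-interface=ether1 dst-port=1701 \
    log=yes log-prefix="l2tp-plain" comment="Drop unencrypted L2TP"
```

Rule order matters: an existing rule that accepts dst-port=500,1701,4500 must be edited or moved below these, otherwise it still admits plaintext 1701 before the ipsec-policy rule is reached.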

Thank you for the reply! I’ll start testing your suggestions.

Great day!