IPSec transport mode (block unencrypted traffic)

Is there a way to set up firewall rules that would only allow a connection if it's encrypted? I'm asking this because to be able to use IPSec/L2TP I have to allow the L2TP (UDP 1701) port for incoming connections on the public interface. However, there is no way I can make sure that the L2TP connection is actually encrypted by IPSec. There was a similar problem addressed in 2009 and it seems that no solution was provided: http://forum.mikrotik.com/t/ipip-over-ipsec-how-to-block-unencrypted-traffic/26928/1

Any advice is highly appreciated.

Thanks.

grg

This should do it:

/ip ipsec policy
add action=encrypt disabled=no dst-address=1.1.1.1/32 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
    sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=\
    2.2.2.2/32 src-port=any tunnel=no
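
For the L2TP case in the question, an added example that is not part of the original posts: input-chain rules that accept UDP 1701 only when the packet arrived through IPsec, and drop it otherwise. It assumes a RouterOS version whose firewall supports the `ipsec-policy` matcher; the interface name `ether1` is a placeholder for the public interface.

```routeros
# Added example, not from the thread. ether1 is a placeholder interface name.
/ip firewall filter
# IKE and NAT-T negotiation have to reach the router before any SA exists.
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE / NAT-T"
# ESP packets that carry the transport-mode traffic.
add chain=input in-interface=ether1 protocol=ipsec-esp \
    action=accept comment="IPsec ESP"
# Accept L2TP only if the packet matched an inbound IPsec policy,
# i.e. it was decrypted by IPsec before reaching the firewall.
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec"
# Any L2TP packet that gets this far arrived in clear text.
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    action=drop comment="drop plaintext L2TP"
```

Rules are evaluated top to bottom, so these must sit above any broader accept rule that would also match UDP 1701 on the public interface.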