New RB4011 serving as the edge router in our configuration. L2TP/IPSec VPN tunnel from outside the network setup works, but appears to be very different from some of the others that I have seen posted (using proposals, etc.).
- Is there something glaringly wrong with this setup and/or is there a more correct way to do this?
- How do I know it’s using the hw acceleration for the IPsec?
- I have a few questions on some of the filter rules embedded as comments below.
Thanks!
/ip pool
add comment="pool for vpn connections" name=vpn ranges=\
10.10.128.2-10.10.128.15
/ip address
add address=10.10.128.1/24 network=10.10.128.0
/ppp secret
add name=MyName password=MyPassword
/ppp profile
set *0 local-address=10.10.128.1 remote-address=vpn
/interface l2tp-server server
set allow-fast-path=yes default-profile=default enabled=yes ipsec-secret=MySecret \
use-ipsec=required
/ip firewall filter
# disabled these 2 default filters since they had 0 packets
# what are these for?
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
...
add action=accept chain=input comment="For L2TP/IPSec" port=1701,500,4500 \
protocol=udp
# is this one necessary, seems to have 0 packets
add action=accept chain=input comment="For L2TP/IPSec" disabled=yes protocol=\
ipsec-esp
# added this one so I could find my router on a PPP connection.
# is this the right way, or can I lock it down more to use just the dynamic
# interface that is created when I am authenticated? I tried, but once
# the session ends it goes to "no interface"
add action=accept chain=input in-interface=all-ppp
Much appreciated.
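A tighter form of the input-chain rules for an L2TP/IPsec server like the one above, added here as an editorial example (it is not the poster's configuration and not MikroTik's default firewall). It assumes an interface list named WAN already holds the uplink interface, introduces a new list named vpn-ppp, and uses SSH and Winbox (22, 8291) as the management ports reached over the VPN; the final print shows the installed security associations, which RouterOS flags with H (hw-aead) when hardware crypto is in use.

```routeros
# Interface lists let rules match the dynamic L2TP interfaces without naming
# them; a PPP interface disappears when its session ends, so a rule bound to
# one by name falls back to "no interface".
/interface list
add name=vpn-ppp comment="dynamic L2TP client interfaces (added example)"

# Every interface created from this profile is a member of vpn-ppp while it exists.
/ppp profile
set default interface-list=vpn-ppp

# Insert these above the defconf "drop all not coming from LAN" input rule
# (use place-before=<rule number> on add, or move them afterwards).
/ip firewall filter
# IKE and NAT-T, only from the uplink side.
add chain=input in-interface-list=WAN protocol=udp dst-port=500,4500 \
    action=accept comment="IKE / NAT-T from WAN"
# ESP for clients that are not behind NAT; NAT-T clients use UDP 4500 instead,
# which is why a 0-packet ESP rule is not by itself a sign that it is unneeded.
add chain=input in-interface-list=WAN protocol=ipsec-esp \
    action=accept comment="ESP from WAN"
# L2TP control traffic is accepted only after IPsec has decrypted it
# (ipsec-policy=in,ipsec); plain UDP 1701 from the Internet is dropped.
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP inside IPsec"
add chain=input protocol=udp dst-port=1701 \
    action=drop comment="L2TP without IPsec"
# Management from connected VPN clients, limited to the PPP interfaces and to
# the services actually needed instead of everything on in-interface=all-ppp.
add chain=input in-interface-list=vpn-ppp protocol=tcp dst-port=22,8291 \
    action=accept comment="ssh/winbox from VPN clients"

# Verify that the negotiated SAs use hardware crypto: entries carry the
# H (hw-aead) flag when the accelerator is handling them.
/ip ipsec installed-sa print
```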