L2TP/IPSEC server configuration questions

RouterOS Beginner Basics
1

Hi there,

Recently I started to configure my Mikrotik hAP ac as a L2TP/IPSEC server to be able to access my local samba file-server from outside. I’ve found a lot of standard tutorials out there, and basically everything is working OK, but a couple of questions still need to be clarified for me.

  1. The tutorials recommend to add the following two rules to my firewall input chain:
/ip firewall filter
add chain=input action=accept protocol=udp port=1701,500,4500
add chain=input action=accept protocol=ipsec-esp

While the first rule is absolutely clear, the second raises the questions: what is it for, and why is not triggered at all (counters show zeroes), while the IPSEC tunnel is established and working? Can it be removed, or it is necessary for some specific cases?

  1. Some tutorials say, that there may be troubles with IPSEC and FastTrack, and recommend to arrange IPSEC packets marking in order to exclude IPSEC from FastTrack. I have FastTrack enabled in my Mikrotik, and see no problems with L2TP/IPSEC at all, the clients are able to connect and exchange data with the server. Should I nevertheless take care about this, or let it as it is?

Thanks in advance for your help

2

  1. Port 4500 is used to detect NAT traversal. If the client has a public IP and not behind a NAT device, then IPSec will happen over the ipsec-esp protocol. This may be a rare occurrence and maybe you’ll never see the counts increase.

  2. I also never have problems with leaving FastTrack alone. Maybe someone else can comment?

3

I am using IPSEC/IKEv2 and I do not have any ipsec-esp filter.
Am I missing something?

4

Right, all my clients are behind the NAT, and also I have “NAT Traversal” checked in IPsec Peer Advanced configuration. So, I guess ipsec-esp rule could be omitted in this case.

5

Connection is up? Or look on forward chain. from L2tp network to lan network

6

It show 0 counter because Port 500 and IPSec-ESP is the same thing, so you get counter to first role because it has more priority!

7

No, ipsec-esp is IP protocol number 50, while UDP port 500 is IP protocol number 17.