L2TP Security

So, two issues:

  1. Prevent people from logging on via L2TP and their PPP credentials without first connecting via IPSec.
    I assume that blocking [or not allowing, depending on your POV] port 1701 UDP on the external IF [or any interface you don’t want someone making a regular L2TP connection from] should be sufficient.

However, since IPSec traffic is going to look like it’s coming directly from the WAN ethernet port - how to do this? [This is why we desperately need a “normal” IPSec implementation to allow us to match it in filter rules by an interface like IPTables on Linux does!]

So,
I can’t filter on interface.
I can’t filter based on IP [since it’s going to be the publicly routed IP address of the connecting client.]
I can’t filter on port [obviously I can’t just block UDP 1701 - that will block everything.]

So, how to generate a rule that allows L2TP over IPSec, but not alone?


  2. Prevent IPSec connections on the associated peer that aren’t L2TP connections.
    [i.e. I don’t want a user to take the PSK for the L2TP setup, plonk that into a straight IPSec tunnel/tap and bypass L2TP into the system.]
    I should note that my “peer” config is Address: 0.0.0.0/0, using a PSK not certificate and using the Main/L2TP exchange mode - which allows for main mode exchange, with a PSK.

I can’t think of any good ways to accomplish this. Does anyone else know of a way that would be effective?


The reason I need this is:
I have multiple L2TP users. I can’t set up multiple peers, all with different PSKs, all with 0.0.0.0/0 addresses, since IPSec won’t know how to handle that correctly.

So, if I’ve got 20 people all using the same PSK, I really don’t want to change it. So, if I can be sure that you can’t build an IPSec tunnel routed/tapped without the PPP/L2TP credentials - then I don’t have to worry [as much] about changing the IPSec PSK should a user with the PSK, say, lose their laptop - since the PSK doesn’t get you anything without also having the PPP credentials.

So, in the case of a lost device - revoke/change the PPP credentials and you’re good.


The only other alternative would be some way to “serialize” the IPSec tunnel for each user so each user could have their own PSK or certificate based tunnel. [Note: The solution has to work on Windows with the native L2TP client.]

-Greg
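The rule asked for in the first issue, as an added example that is not from the original post and is written for Linux iptables (the model the post cites) rather than for the author's router: the kernel's xt_policy match marks packets that were just decapsulated from an IPsec SA, so UDP 1701 can be accepted only in that case even though interface, source IP and port are identical for plain L2TP. Assumed names: the external interface variable WAN (default eth0) and the IPT variable used for dry runs.

```shell
#!/bin/sh
# Constructed example: allow L2TP (UDP 1701) only when it arrived inside IPsec.
# Assumptions (not from the original post): external interface $WAN, an IPsec
# daemon that handles IKE/ESP, and an L2TP daemon listening on UDP 1701.
WAN="${WAN:-eth0}"
IPT="${IPT:-iptables}"   # set IPT="echo iptables" for a dry run

l2tp_ipsec_rules() {
    # IKE, NAT-T and ESP from anywhere: the IPsec layer authenticates these.
    $IPT -A INPUT -i "$WAN" -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p esp -j ACCEPT

    # UDP 1701 is accepted only when the kernel reports the packet was just
    # decapsulated from a transport-mode ESP SA (xt_policy). Plain L2TP on
    # the wire does not match "--pol ipsec" and hits the DROP below, even
    # though it arrives on the same interface, from a routable source IP and
    # on the same port - the three things the post says it cannot filter on.
    $IPT -A INPUT -i "$WAN" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp --dport 1701 -j DROP
}

# Dry-run helper: returns the rule set as text instead of applying it.
render_rules() {
    ( IPT="echo iptables"; l2tp_ipsec_rules )
}

if [ "${1:-}" = "--apply" ]; then
    l2tp_ipsec_rules
else
    render_rules
fi
```

Run with `--apply` as root to install the rules; without it the script only prints them. The second issue (a raw tunnel built from the shared PSK) is handled on the IPsec side by only offering a transport-mode policy whose traffic selector is UDP/1701, which is what "L2TP over IPsec" already means to the native clients.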