Hi, I’m quite new to this router but I am trying to learn.
I note this in the log when somebody establishes an L2tp connection to my router:
ISAKMP-SA established x.x.x.x[500]-y.y.y.y[500] spi:62642b242ca30bda:d7c759b31a71a188 where ‘x.x.x.x’ is router and ‘y.y.y.y’ is client.
The question is how do I make a firewall rule that will capture this entry. My goal is to list all accepted connections above and list the client addresses.
Another is that I noticed that the above is established first before the actual l2tp connection is made. With that in mind, I can use the info to stop unknown addresses from doing a first phase l2tp connection by dropping them if not in the accepted list.
I’ve looked at the manual and tried capturing tcp, ipsec-esp, ipsec-ha from the protocol field by making a rule and log but it is not being triggered. Tried also the content field using ISAKMP but failed.
Any help in pointing me in the right direction is appreciated.
The ISAKMP exchange uses UDP. So a rule like /ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=500 action=log log-prefix="incoming IPsec request"
placed after the chain=input connection-state=established,related,untracked action=accept one will log the initial packet of each new connection attempt.
But the rule above won't distinguish between successful attempts (which actually established the connections) and failed ones (which couldn't authenticate and therefore connect). To do that, you would need to use some kind of state automaton - you would temporarily add the source address of the initial packet to an address list in addition to logging it (so you would modify the above rule: action=add-src-to-address-list address-list=incoming-ipsec address-list-timeout=2s log=yes), and you would add another rule to mangle: /ip firewall mangle add chain=prerouting src-address-list=incoming-ipsec connection-bytes=2000-2500 action=log log-prefix="successful IPsec connection"
(the actual connection size limits have to be found so that really only successful connections are logged, and on the other hand that only one packet is logged per connection; another possibility would be to use another address list to prevent already logged connections from being logged again).
Regarding the prevention, the question is whether you know the IP addresses of the allowed clients in advance. If you do, it is easy to add src-address-list=permitted-l2tp-clients to the existing filter rule allowing incoming connections to UDP port 500, but you usually don’t as the clients use mobile networks or dynamic addresses.
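The goal stated in the question (list every accepted ISAKMP connection and the client addresses behind it) can also be met offline, by parsing the router's log rather than trying to reproduce the success/failure state machine in firewall rules. The script below is an added example, not code from the original thread: it reads "ISAKMP-SA established" lines in the format quoted above, ignores everything else, collects the distinct client addresses, and emits RouterOS commands that populate the permitted-l2tp-clients address list the reply suggests, plus the input-chain accept/drop pair that uses it. The log text is constructed for the example (documentation addresses, invented SPIs, and the "mon/dd hh:mm:ss topic" prefix that /log print shows are assumed); the router address 203.0.113.1 and the WAN interface-list name are assumptions.

```python
"""Extract L2TP/IPsec client addresses from RouterOS ISAKMP log lines (added example)."""
import ipaddress
import re
from collections import Counter, OrderedDict

# Constructed sample log (not from the original post). The message text follows
# the line quoted in the question; timestamps, the "ipsec,info" topic prefix,
# addresses and SPI values are made up. 203.0.113.1 plays the router.
SAMPLE_LOG = """\
jan/02 10:15:32 ipsec,info ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[500] spi:62642b242ca30bda:d7c759b31a71a188
jan/02 10:15:40 ipsec,info ISAKMP-SA established 203.0.113.1[500]-192.0.2.44[500] spi:0123456789abcdef:fedcba9876543210
jan/02 10:16:05 ipsec,info ISAKMP-SA deleted 203.0.113.1[500]-198.51.100.7[500] spi:62642b242ca30bda:d7c759b31a71a188
jan/02 11:02:11 ipsec,info ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[500] spi:aaaabbbbccccdddd:1111222233334444
jan/02 11:30:00 ipsec,info ISAKMP-SA established 203.0.113.1[4500]-198.51.100.9[4500] spi:0f0f0f0f0f0f0f0f:f0f0f0f0f0f0f0f0
"""

# Port is captured rather than hard-coded: a client behind NAT (NAT-T) shows [4500].
ESTABLISHED_RE = re.compile(
    r"ISAKMP-SA established "
    r"(?P<a>[0-9A-Fa-f.:]+)\[(?P<a_port>\d+)\]-"
    r"(?P<b>[0-9A-Fa-f.:]+)\[(?P<b_port>\d+)\] "
    r"spi:(?P<spi_i>[0-9A-Fa-f]+):(?P<spi_r>[0-9A-Fa-f]+)"
)
# Optional "mon/dd hh:mm:ss" prefix as printed by /log print (assumed format).
TIMESTAMP_RE = re.compile(r"^(?P<ts>[a-z]{3}/\d\d \d\d:\d\d:\d\d)\b")


def parse_established(log_text, router_ip):
    """One record per 'ISAKMP-SA established' line; all other lines are ignored.

    The quoted line puts the router first and the client second, but the client
    is chosen as 'whichever side is not router_ip' so ordering does not matter.
    """
    router = ipaddress.ip_address(router_ip)
    events = []
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.search(line)
        if not m:
            continue  # deleted/expired/other topics: not an accepted connection
        a, b = ipaddress.ip_address(m["a"]), ipaddress.ip_address(m["b"])
        if a == router:
            client, port = b, int(m["b_port"])
        elif b == router:
            client, port = a, int(m["a_port"])
        else:
            continue  # neither side is this router: skip rather than guess
        ts = TIMESTAMP_RE.match(line)
        events.append({
            "time": ts["ts"] if ts else None,
            "client": str(client),
            "client_port": port,
            "nat_t": port == 4500,
            "spi": (m["spi_i"], m["spi_r"]),
        })
    return events


def client_addresses(events):
    """Distinct client addresses in first-seen order, mapped to how often they connected."""
    counts = Counter(e["client"] for e in events)
    ordered = OrderedDict()
    for e in events:
        ordered.setdefault(e["client"], counts[e["client"]])
    return ordered


def address_list_commands(clients, list_name="permitted-l2tp-clients"):
    """RouterOS commands that add each seen client to the address list."""
    return [
        f"/ip firewall address-list add list={list_name} address={addr} "
        f'comment="isakmp established {n}x"'
        for addr, n in clients.items()
    ]


def prevention_rules(list_name="permitted-l2tp-clients", wan_list="WAN"):
    """Input-chain pair from the reply's 'known clients' option: accept IKE from
    listed addresses, drop (and log) it from everyone else. UDP 4500 is included
    because NAT-T clients never reach phase 1 on 500 alone. Interface list 'WAN' is assumed."""
    base = f"/ip firewall filter add chain=input in-interface-list={wan_list} protocol=udp dst-port=500,4500"
    return [
        f"{base} src-address-list={list_name} action=accept",
        f'{base} action=drop log=yes log-prefix="ike-unknown"',
    ]


if __name__ == "__main__":
    evs = parse_established(SAMPLE_LOG, "203.0.113.1")
    for e in evs:
        print(e["time"], e["client"], "(NAT-T)" if e["nat_t"] else "")
    for cmd in address_list_commands(client_addresses(evs)) + prevention_rules():
        print(cmd)
```

Place the two generated filter rules after the existing connection-state=established,related,untracted accept and before any generic input drop, in that order; the drop rule's log prefix gives the list of unknown addresses that the question also asked for, without the connection-bytes guesswork.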
Seems what I want to establish is harder than I thought, but I thank you for pointing me in the right direction. Will play around with the UDP 500 idea that you gave as well as the mangle rule.