Hi,
We have configured IPSEC/L2TP according to the following document:
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP
We have confirmed that it works correctly, and sniffing packets confirms that only ESP packets are being delivered to the Mikrotik terminating the IPSEC/L2TP tunnel, which confirms that anyone intercepting the packets will have no idea what they are for.
However, because the Mikrotik will also accept an unencrypted L2TP client (with the correct username and password), which we most certainly don’t want, we attempted to apply firewall rules to the Mikrotik to deny L2TP (UDP 1701).
We found that although we know that only ESP packets are arriving at the Mikrotik, the filter rules are detecting L2TP, and are dropping the packets. It was also confirmed that a similar rule in the mangle prerouting chain had the same effect.
It appears that the Mikrotik is decrypting the L2TP from the ESP before applying the filter rules, meaning the rule cannot differentiate between encrypted and unencrypted L2TP.
We would be very grateful to anyone who can suggest a way around this problem.
Please accept our thanks in advance,
CAnder1
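One way to address the behaviour described above, as an added example that is not part of the original post: RouterOS decapsulates ESP before the filter chain sees the packet, so instead of matching on UDP/1701 alone, match on whether the packet was subject to an inbound IPsec policy (the `ipsec-policy` firewall matcher). The WAN interface name `ether1` is an assumption.

```routeros
# Added example, not from the original post. Assumes the WAN interface is
# ether1 and that this router terminates the IPsec/L2TP tunnel itself.
# Place these rules above any generic "drop everything else" rule on input.

/ip firewall filter
# IKE (UDP/500), NAT-T (UDP/4500) and ESP must reach the router
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"

# L2TP that was decapsulated from IPsec: the packet matched an inbound IPsec policy
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP only when it arrived inside IPsec"

# L2TP that did NOT come through IPsec (plaintext): log it, then drop it
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,none action=log log-prefix="plain-l2tp"
add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,none action=drop comment="Plaintext L2TP is not allowed"
```

After connecting a known-good client, `/ip firewall filter print stats` should show the `in,ipsec` accept rule counting packets while the `in,none` drop rule stays at zero; a plaintext L2TP attempt shows up under the `plain-l2tp` log prefix.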