PCI Compliance/L2TP

My PCI compliance scans against our Mikrotik hardware are coming back with failure due to our L2TP tunnels supporting 3des in Phase1. The problem is that I can’t change the dynamic phase1 policy. Does anyone know a way to disable proposed encryption (3des) in the dynamic phase1 policy?

On a side note, it is also complaining about the DH group, which concerns me less; however, 3des has long since been proven insecure and we need to be able to eliminate it.

You cannot. But you can use a manually configured IPsec peer for L2TP with minimum effort:

  1. configure the /interface l2tp-server server with use-ipsec=yes
  2. /ip ipsec peer add copy-from=[find exchange-mode=main-l2tp]
  3. modify the enc-algorithm and dh-group of the newly added peer as desired
  4. change the /interface l2tp-server server to use-ipsec=no
  5. add ipsec-policy=in,ipsec to the firewall rule permitting incoming packets to UDP/1701 (if you have a common rule for UDP ports 500,1701,4500, split it into two, as packets to UDP ports 500 and 4500 must be accepted).
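The five steps above as one RouterOS CLI script. This is an added example, not from the thread; it assumes RouterOS 6.x syntax prior to 6.45, where enc-algorithm and dh-group sit directly on /ip ipsec peer (from 6.45 onward those phase 1 parameters live in /ip ipsec profile instead). The pre-shared key, the comment used to find the cloned peer, the chosen algorithms and the firewall rule layout are placeholders/assumptions.

```routeros
# Step 1: enable IPsec on the L2TP server so RouterOS creates the dynamic
# main-l2tp peer that will be cloned. The PSK is a placeholder.
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret="CHANGE-ME-PSK"

# Step 2: clone the dynamic peer into a static (editable) one.
# The comment is an assumed tag so the clone can be found afterwards.
/ip ipsec peer add copy-from=[find exchange-mode=main-l2tp] comment="l2tp-static"

# Step 3: remove 3des from the static peer's phase 1 proposal and raise the
# DH group; the algorithm lists here are assumed choices, not from the thread.
/ip ipsec peer set [find comment="l2tp-static"] \
    enc-algorithm=aes-256,aes-128 dh-group=modp2048,modp1024

# Step 4: hand phase 1 over to the static peer by switching off the
# dynamic IPsec policy on the L2TP server (the static peer stays in place).
/interface l2tp-server server set use-ipsec=no

# Step 5: IKE (UDP/500) and NAT-T (UDP/4500) must be accepted in the clear,
# while L2TP (UDP/1701) is only accepted when it arrived inside IPsec.
# Both rules must sit above any generic drop in the input chain.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 \
    action=accept comment="IKE and NAT-T"
/ip firewall filter add chain=input protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP only inside IPsec"

# Check: the static peer should show no 3des, and after a client connects the
# installed SAs should list only the chosen cipher.
/ip ipsec peer print detail where comment="l2tp-static"
/ip ipsec installed-sa print
```

Re-run the compliance scan after a client has reconnected, since a still-established phase 1 SA negotiated before the change will keep its old parameters until it expires.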