I’ve set up an L2TP/IPSec server on my hEX. The main purpose is to securely access my video surveillance from outside. I’ve set everything up and the L2TP is set with IPSec required, however I’m a bit worried about the opened ports:
Also here https://wiki.mikrotik.com/wiki/Securing_L2TP_Server_for_IPSec it is stated that the L2TP server cannot be restricted to IPSec clients only. Does that mean that anyone can try brute-forcing the user name/password and connect to the server, or does the "Use IPSec" tick prevent exactly this?
As I need to be able to connect to the server from different IP addresses, one of the things I thought could improve the security is to use port knocking to add the address to a whitelist to which the ports would be opened.
Could you guys please advise how I can in fact make a secure enough setup to be able to access the video surveillance from outside through L2TP?
Currently I have the following setup on the L2TP/IPSec:
I'm creating a new profile:
/ppp profile
add local-address=x.x.x.1 name=ipsec-vpn remote-address=vpn-pool \
use-encryption=required use-upnp=no
New pool with addresses for the vpn:
/ip pool
add name=vpn-pool ranges=x.x.x.2-x.x.x.10
Creating a user:
/ppp secret
add name=user password=0000 profile=ipsec-vpn
Setting up the server:
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec-vpn enabled=yes \
ipsec-secret=mysecret use-ipsec=required
Firewall rules:
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec-vpn enabled=yes \
ipsec-secret=1111 use-ipsec=required
I haven’t touched anything in /ip ipsec, so it's the default. Probably I need to change the hash and encryption algorithms in Proposals/Profiles.
@Zacharias: The ipsec-policy=in,ipsec will match what came in encrypted, i.e. L2TP packets (udp 1701) inside the IPSec tunnel. The rest is for IPSec itself and needs to be open for everyone (if you want the VPN available from any address).
So @sob, to sum up, I would still need to open the IKE ports (udp 500, 4500) and then I would just accept only the encrypted L2TP packets through in,ipsec… correct?
Yes. And protocol=ipsec-esp packets need to be accepted too; that’s what clients who are not behind NAT (if the server also isn’t behind NAT) will use. Those who do have NAT will wrap them in UDP and use port 4500.
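The rule set described in the exchange above, written out as an added example (not configuration posted by anyone in this thread). It assumes the WAN interface is named ether1, the VPN pool is the x.x.x.2-x.x.x.10 range from the profile above, and the cameras are collected in an address list named "cameras" with a constructed sample address; all three are assumptions.

```routeros
# Added example, not from the thread. Assumed names: WAN interface "ether1",
# address list "cameras" (the 192.168.88.20 entry is a constructed sample).
/ip firewall address-list
add list=cameras address=192.168.88.20 comment="NVR (sample address)"

/ip firewall filter
# IKE and NAT-T: reachable from any source, since the clients roam
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE / NAT-T for L2TP/IPsec clients"
# Native ESP, used by clients that are not behind NAT
add chain=input in-interface=ether1 protocol=ipsec-esp \
    action=accept comment="ESP for L2TP/IPsec clients"
# L2TP (udp 1701) only when the packet was decrypted by an IPsec policy
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec"
# Cleartext L2TP never reaches PPP authentication; log it so attempts
# against the PPP credentials are visible
add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    action=drop log=yes log-prefix="l2tp-plain" \
    comment="L2TP without IPsec: drop and log"

# Forward chain: VPN clients reach the cameras and nothing else on the LAN
add chain=forward src-address=x.x.x.2-x.x.x.10 dst-address-list=cameras \
    action=accept comment="VPN clients to cameras"
add chain=forward src-address=x.x.x.2-x.x.x.10 \
    action=drop comment="VPN clients to anything else"
```

RouterOS evaluates a chain top to bottom, so the two forward rules must sit above any general accept rule in that chain (the usual accept for established/related connections can stay first).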
OK, tested and works just fine… sob, maybe you know why the default firewall has the in/out,ipsec rules in the forward chain? What is the need of those 2 rules? I don't really understand…
I guess the idea is that when you set up an IPSec tunnel, you want to allow tunnelled traffic, and that’s what the default firewall does. If it was my choice, I’d let users add the required rules manually, which would force them to think about it (what exactly they want to allow, because it’s not necessarily everything, and they’d be aware that they did something). But if it’s there by default, it does nothing until you actually add some IPSec tunnel, and it probably limits support requests, because many people would forget to manually allow tunnelled traffic.
I have a problem connecting my phone to my L2TP/IPsec server on my MikroTik. The phone can connect to the server but I cannot get the internet working and cannot access my private LAN. Please help. Here is my thread: