abis
Frequent Visitor
Topic Author
Posts: 51
Joined: Fri Apr 11, 2014 9:32 pm
Location: Romania

IPSec/L2TP

Tue Oct 08, 2019 3:47 pm

Hello, I found this post https://serverfault.com/questions/45138 ... ipsec-lt2p and I want to increase the security of my input ports. At the moment I have these rules for IPSec/L2TP:
chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,1701,4500 log=no log-prefix="" 
chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 
chain=input action=accept protocol=ipsec-ah log=no log-prefix=""
But in that post I read: "Port 1701 is used by the L2TP Server, but connections should not be allowed inbound to it from outside. There is a special firewall rule to allow only IPSEC secured traffic inbound on this port."
The question is: how can I translate this rule to MikroTik?
iptables -A INPUT -i $EXT_NIC -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT


Thank you guys!
 
IPANetEngineer
Trainer
Posts: 1053
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA

Re: IPSec/L2TP

Tue Oct 08, 2019 8:22 pm

You'll probably need a bit of trial and error with this one, but I think this is a fairly close translation into RouterOS from iptables:

/ip firewall filter
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp src-port=500
 
Sob
Forum Guru
Posts: 4669
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSec/L2TP

Tue Oct 08, 2019 9:13 pm

What you're looking for is the ipsec-policy matcher:
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec
And remove 1701 from the other rule, because that would also allow unencrypted L2TP.
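As an added example (not code from the thread or from MikroTik), a small Python audit that parses a RouterOS firewall export in the same key=value form as the rules quoted above and flags input rules that would accept udp/1701 without the ipsec-policy=in,ipsec matcher, i.e. rules that still let unencrypted L2TP reach the server. The sample export is constructed to mirror the thread.

```python
import re

# Constructed sample of a "/ip firewall filter" export (not a real router's config):
# rule 1 is the original "500,1701,4500" rule, rule 3 is the ipsec-policy version.
SAMPLE_RULES = """
chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,1701,4500 log=no log-prefix=""
chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec
"""

L2TP_PORT = 1701


def parse_rule(line):
    """Split one RouterOS rule line into a dict of key=value pairs (values may be quoted)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S*)', line)}


def port_matches(spec, port):
    """True if 'port' is covered by a RouterOS port list such as '500,1701,4500' or '1700-1702'."""
    for part in spec.split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False


def l2tp_exposed(line):
    """True if an enabled input/accept rule lets plain (non-IPsec) udp/1701 through."""
    r = parse_rule(line)
    return (r.get("chain") == "input"
            and r.get("action") == "accept"
            and r.get("disabled") != "yes"
            and r.get("protocol") == "udp"
            and port_matches(r.get("dst-port", ""), L2TP_PORT)
            and r.get("ipsec-policy") != "in,ipsec")


def audit(export_text):
    """Return the rule lines from an export that accept unencrypted L2TP on the input chain."""
    return [ln for ln in export_text.splitlines() if ln.strip() and l2tp_exposed(ln)]


if __name__ == "__main__":
    for bad in audit(SAMPLE_RULES):
        print("exposes plain L2TP:", bad)
```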
 
abis
Frequent Visitor
Topic Author
Posts: 51
Joined: Fri Apr 11, 2014 9:32 pm
Location: Romania

Re: IPSec/L2TP

Wed Oct 09, 2019 11:01 am

Thank you for the reply! I'll start testing your suggestions.

Great day!