Posted: Tue Oct 08, 2019 3:47 pm
by abis
Hello, I found that post ... ipsec-lt2p and I want to increase my ports input security. At this moment I have these rules for IPSec/L2TP
chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,1701,4500 log=no log-prefix="" 
chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 
chain=input action=accept protocol=ipsec-ah log=no log-prefix=""
But in that post I read "Port 1701 is used by the L2TP Server, but connections should not be allowed inbound to it from outside. There is a special firewall rule to allow only IPSEC secured traffic inbound on this port."
The question is: How can I translate this rule in MikroTik?
iptables -A INPUT -i $EXT_NIC -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

Posted: Tue Oct 08, 2019 8:22 pm
by IPANetEngineer
You'll probably need a bit of trial and error with this one, but I think this is a fairly close translation into RouterOS from iptables:

/ip firewall filter
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp src-port=500

Posted: Tue Oct 08, 2019 9:13 pm
by Sob
What you're looking for is ipsec-policy matcher:
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec
And remove 1701 from the other rule, because that would allow also unencrypted L2TP.
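To show how the `ipsec-policy` matcher fits into a full input rule set, here is an added example (not posted by anyone in this thread) that places the weak rule from the original question beside the hardened version. It assumes `ether1` is the WAN interface, as in the thread, and that these rules sit above any catch-all drop in the input chain; the comments and the trailing logging drop rule are my additions.

```routeros
/ip firewall filter
# Weak version (the original poster's rule): accepts UDP/1701 from any source on
# ether1, so unencrypted L2TP can reach the server without IPsec.
# add chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,1701,4500

# Hardened version: IKE (500) and NAT-T (4500) stay reachable, ESP/AH are accepted,
# and UDP/1701 is accepted only for packets that came out of an inbound IPsec policy.
add chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,4500 comment="IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface=ether1 comment="IPsec ESP"
add chain=input action=accept protocol=ipsec-ah in-interface=ether1 comment="IPsec AH"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP only after IPsec decapsulation"
# Anything else aimed at 1701 is plaintext L2TP; drop it and log so attempts are visible.
add chain=input action=drop protocol=udp dst-port=1701 log=yes log-prefix="l2tp-plain" comment="plaintext L2TP"
```

Rule order matters: the `ipsec-policy=in,ipsec` accept has to be evaluated before the drop, and both before any generic input drop. After applying, `/ip firewall filter print stats` lets you confirm that established L2TP/IPsec clients hit the accept rule while the logged drop counter stays at zero for legitimate traffic.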

Posted: Wed Oct 09, 2019 11:01 am
by abis
Thank you for the reply! I'll start to test your suggestions.

