ik3umt
Member Candidate
Topic Author
Posts: 248
Joined: Tue Jul 08, 2014 3:58 pm

L2TP "road warriors" and security issue

Mon Aug 06, 2018 9:31 am

Would a set of rules allowing L2TP from any public IP address represent a security issue?

i.e.

/ip firewall filter
add comment="IPSEC input" in-interface-list=WANs chain=input action=accept protocol=udp dst-port=500
add comment="IPSEC input" in-interface-list=WANs chain=input action=accept protocol=udp dst-port=4500
add comment="L2TP input" in-interface-list=WANs chain=input action=accept protocol=udp dst-port=1701

Anyone is allowed to reach those ports (as road warriors use a lot of continuously different IP addresses).

Any thoughts?
 
sindy
Forum Guru
Posts: 3942
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP "road warriors" and security issue

Mon Aug 06, 2018 3:22 pm

One clear point is that the rule permitting access to UDP port 1701 should contain an additional condition, ipsec-policy=in,ipsec, otherwise the port is open also for plain L2TP access not tunnelled via IPsec (I'm not sure how exactly use-ipsec=required modifies the behaviour of the l2tp server itself).

Other than that, the security of the L2TP/IPsec mainly depends on the IPsec part, so it depends on the strength of permitted authentication and encryption algorithms; the strongest algorithms supported by the built-in clients of Windows and Android are weaker than the strongest ones supported by Mikrotik.

You may want to implement some "ban on failed login attempt" logic into the firewall, consisting in banning access for some time for source addresses which do not send a packet to UDP/1701 within a few seconds after sending a packet to UDP/500 and/or UDP/4500, which indicates that they failed to authenticate at IPsec level.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
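The two suggestions in the reply above (accept UDP/1701 only when the packet arrived inside IPsec, and ban sources that start IKE but never get as far as L2TP) written out as a RouterOS configuration. This is an added example for this page, not configuration from the thread or from MikroTik. The interface list WANs is taken from the original post; the address-list names ike-pending, l2tp-ok and ipsec-banned, the script/scheduler name ipsec-failed-ban and every timeout are assumptions to adjust.

```routeros
# Added example, not from the thread. Replaces the three input rules in the original post.
# Assumed names: interface list WANs (from the post), address lists ike-pending, l2tp-ok,
# ipsec-banned, script and scheduler ipsec-failed-ban; all timeouts are guesses.
# Keep this order, and keep the rules above the final "drop everything else on input" rule.
/ip firewall filter
# 0. Sources that already failed are dropped before anything else.
add chain=input in-interface-list=WANs src-address-list=ipsec-banned action=drop \
    comment="IPsec/L2TP: drop banned sources"
# 1. IKE / NAT-T from a source that has already proven itself (it sent L2TP inside IPsec).
add chain=input in-interface-list=WANs protocol=udp dst-port=500,4500 \
    src-address-list=l2tp-ok action=accept comment="IPsec input: known client"
# 2. First IKE contact from an unknown source: remember it for 30 s. The negated list
#    match keeps IKE retransmissions from re-adding the entry; add-src-to-address-list
#    does not terminate rule processing, so the packet continues to the accept below.
add chain=input in-interface-list=WANs protocol=udp dst-port=500,4500 \
    src-address-list=!ike-pending action=add-src-to-address-list \
    address-list=ike-pending address-list-timeout=30s comment="IPsec input: note new source"
add chain=input in-interface-list=WANs protocol=udp dst-port=500,4500 action=accept \
    comment="IPsec input"
# 3. L2TP only when the packet was decapsulated from an IPsec SA (ipsec-policy=in,ipsec);
#    plain UDP/1701 from the Internet no longer matches any accept rule. A source that
#    gets this far has passed IKE authentication, so record it as good for a day, then accept.
add chain=input in-interface-list=WANs protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=add-src-to-address-list address-list=l2tp-ok address-list-timeout=1d \
    comment="L2TP input: mark authenticated source"
add chain=input in-interface-list=WANs protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP input (inside IPsec only)"

# 4. The firewall cannot match "no UDP/1701 ever arrived", so a scheduled script does it:
#    every 10 s, each ike-pending entry that is at least 10 s old (remaining timeout below
#    20 s) and whose address is not in l2tp-ok is banned for 10 minutes. The age check is
#    what keeps a client that started IKE a second ago from being banned prematurely.
#    Save the lines below as /system script name=ipsec-failed-ban (policy read,write) and
#    run it with: /system scheduler add name=ipsec-failed-ban interval=10s on-event=ipsec-failed-ban
:foreach i in=[/ip firewall address-list find list=ike-pending] do={
    :local addr [/ip firewall address-list get $i address]
    :local left [/ip firewall address-list get $i timeout]
    :if (($left < 00:00:20) && ([:len [/ip firewall address-list find list=l2tp-ok address=$addr]] = 0)) do={
        /ip firewall address-list add list=ipsec-banned address=$addr timeout=10m \
            comment="IKE started but no L2TP inside IPsec followed"
        /ip firewall address-list remove $i
    }
}
```

Check the result with `/ip firewall address-list print where list=ipsec-banned` after a deliberately wrong pre-shared key from a test client; the address should appear within about 20 s and disappear 10 minutes later. Two caveats: the ban is per source address, so one mistyped PSK behind a shared office NAT locks out every colleague behind that NAT for the ban period, and the 10 s / 20 s / 30 s windows assume a client reaches L2TP within a few seconds of its first IKE packet, which is worth confirming against your own clients before tightening them.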
 
pe1chl
Forum Guru
Posts: 5919
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP "road warriors" and security issue

Mon Aug 06, 2018 3:33 pm

The issue with the security of IPsec and allowing access like this is not in the strength of the ciphers, but in any security issues in the implementation. By allowing UDP port 500/4500 access you provide access to the IPsec engine on the router, which could turn out to have security issues similar to the webserver and winbox issues that have occurred. This will always be a risk unless you implement difficult-to-use port knocking sequences etc.
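The port-knocking alternative the reply above mentions, so that the IPsec engine is never reachable from an address that has not knocked first. This is an added example for this page, not configuration from the thread or from MikroTik. The interface list WANs comes from the original post; the knock ports 1234 and 5678 (choose unused ones), the list names knock1 and ipsec-allowed and the timeouts are assumptions.

```routeros
# Added example, not from the thread: open UDP/500, 4500 and 1701 only to sources that
# first sent two TCP SYNs in order (knock ports 1234 then 5678 are assumptions, as are
# the list names knock1 / ipsec-allowed and the timeouts). Place before the final drop rule.
/ip firewall filter
# Keep tracked flows alive: an established tunnel keeps passing UDP/4500 (NAT-T) even after
# its ipsec-allowed entry expires, so only *new* connections are subject to the knock.
add chain=input in-interface-list=WANs connection-state=established,related action=accept \
    comment="knock: keep established tunnels"
# Knock 1: a SYN to TCP/1234 opens a 10 s window for the second knock. The port itself
# stays closed; the SYN only has to reach the firewall (it falls through to the final drop).
add chain=input in-interface-list=WANs protocol=tcp dst-port=1234 connection-state=new \
    src-address-list=!knock1 action=add-src-to-address-list address-list=knock1 \
    address-list-timeout=10s comment="knock: stage 1"
# Knock 2: a SYN to TCP/5678 inside that window admits the source for one hour.
add chain=input in-interface-list=WANs protocol=tcp dst-port=5678 connection-state=new \
    src-address-list=knock1 action=add-src-to-address-list address-list=ipsec-allowed \
    address-list-timeout=1h comment="knock: stage 2"
# IKE / NAT-T only for sources that completed the sequence; everybody else never reaches
# the IPsec engine and is dropped by the usual final input rule.
add chain=input in-interface-list=WANs protocol=udp dst-port=500,4500 connection-state=new \
    src-address-list=ipsec-allowed action=accept comment="IPsec input: knocked sources"
add chain=input in-interface-list=WANs protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP input (inside IPsec only)"
```

From a road-warrior laptop the knock is two connection attempts before dialling the VPN, for instance `nc -z -w1 my.public.ip.1 1234; nc -z -w1 my.public.ip.1 5678`, which is the usability cost pe1chl refers to. Verify with `/ip firewall address-list print where list=ipsec-allowed` that the entry appears only after both knocks in order, and that a client that skips the knock gets no IKE reply at all. The rules in the original post do not cover bare ESP (protocol 50); if any client connects without NAT-T, that rule needs the same src-address-list=ipsec-allowed gate.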
