karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

securing L2TP/IPsec server connection

Fri Jan 20, 2012 1:02 pm

I have an L2TP/IPsec server successfully configured on my MikroTik RB to work with Windows clients that use the IPsec pre-shared key configuration.
Googling around, I found a very interesting tutorial http://www.jacco2.dds.nl/networking/ope ... allwarning regarding L2TP/IPsec server setup on Linux, and one important recommendation is additionally securing L2TP.

I have the MTik firewall filter configured to allow only UDP port 500, IP protocol 50 (ESP) and UDP port 1701 (L2TP). Everything works, but I am always willing to learn and I would like to make it even more secure, especially in terms of further securing L2TP, as mentioned in the tutorial.

Can someone more experienced than me provide securing tips/suggestions for the MTik server side that I missed?
I especially want to achieve that the L2TP tunnel can ONLY work with IPsec; I would like only IPsec-authenticated clients to be able to access the L2TP interface/daemon.

In the tutorial the "ipsec interface" is mentioned and I do not understand that; I think that only L2TP is an interface and not IPsec? Am I missing something? Any help is very much appreciated! Thanks in advance!
 
karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

Re: securing L2TP/IPsec server connection

Mon Jan 23, 2012 5:10 pm

Sorry for the self-bump, but I cannot achieve that only IPsec-secured traffic is allowed through the L2TP interface.
Is there any way to achieve that? Any suggestions?

Can I, maybe, mark all IPsec traffic on the public interface and only allow those marked packets to go through UDP 1701? I think that this is not going to work, but I do not know. Any help is very welcome!
 
karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

Re: securing L2TP/IPsec server connection

Fri Jan 27, 2012 4:18 pm

Is there any kind of way to allow only IPsec traffic to go into the L2TP interface?

I really need this because it seems that someone is constantly probing my L2TP interface (UDP 1701) and UDP 500 as well.
I want to stop that. Many thanks!


Apologies for the second bump. This is going to be the last one if I do not get any help.
 
blue
Member Candidate
Posts: 271
Joined: Sun Dec 12, 2004 1:48 pm
Location: Serbia

Re: securing L2TP/IPsec server connection

Fri Jan 27, 2012 7:13 pm

I am also interested in this situation. Recently I started to experiment with L2TP/IPsec and found that anyone can easily log in to the MTK only with a user/pass for L2TP (brute force, for example). IPsec is only there to additionally encrypt your traffic. I think that we need to connect only if there is L2TP in combination with IPsec, and to refuse if there is no IPsec in the L2TP connection. C'mon wise guys, share your experience with us L2TP/IPsec rookies :D
 
karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

Re: securing L2TP/IPsec server connection

Fri Jan 27, 2012 7:37 pm

blue, thanks for your participation!

The same thing you describe is my problem.

I also hope that some pro admin (I can see that there are lots of them here) will give us a hint!
 
blue
Member Candidate
Posts: 271
Joined: Sun Dec 12, 2004 1:48 pm
Location: Serbia

Re: securing L2TP/IPsec server connection

Sat Jan 28, 2012 1:13 pm

Unfortunately, seems like no one is willing to share the knowledge :(
 
karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

Re: securing L2TP/IPsec server connection

Wed Feb 01, 2012 2:31 am

It seems that nobody else is motivated to join the discussion. I hope that somebody besides blue and myself will find it interesting enough to participate.

Maybe this is better than nothing to prevent brute-force attackers on the L2TP interface.

This is the concept that peđa published at this link: http://pedja.supurovic.net/kako-onemogu ... a-mikrotik (in Serbian).
I tried to apply it to our L2TP problem and it works, but this is still not the ultimate solution, just better than nothing:
/ip firewall filter
# rules are evaluated top to bottom, and an address-list entry added by one rule is
# already visible to the rules below it, so the stages must be listed in reverse order
# (drop first, then stage 3, 2, 1); otherwise the very first packet walks through
# all three lists and is dropped immediately
add chain=input connection-state=new protocol=udp dst-port=1701 src-address-list=probe3 action=drop
add chain=input connection-state=new protocol=udp dst-port=1701 src-address-list=probe2 action=add-src-to-address-list address-list=probe3 address-list-timeout=10m
add chain=input connection-state=new protocol=udp dst-port=1701 src-address-list=probe1 action=add-src-to-address-list address-list=probe2 address-list-timeout=2m
add chain=input connection-state=new protocol=udp dst-port=1701 action=add-src-to-address-list address-list=probe1 address-list-timeout=1m
after 3 times in 2 minutes it blocks the IP for 10 minutes
 
andyanthoine
newbie
Posts: 43
Joined: Wed Jun 12, 2013 3:41 am

Re: securing L2TP/IPsec server connection

Wed Sep 16, 2015 7:59 am

Hey guys!!! :D

Same thing here, set up L2TP/IPsec with the MKT and realised people can connect without using IPsec at all... making it not secure at all :p

Found anything on how to "force" it?

Thanks ;)
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: securing L2TP/IPsec server connection

Wed Sep 16, 2015 9:11 am

> Hey guys!!! :D
>
> Same thing here, set up L2TP/IPsec with the MKT and realised people can connect without using IPsec at all... making it not secure at all :p
>
> Found anything on how to "force" it?
>
> Thanks ;)

Check out the newish IPSEC policy matcher rules. Make sure you're on a new version of ROS.

http://wiki.mikrotik.com/wiki/Manual:IP ... cy_Matcher
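A minimal input-chain rule set that applies this suggestion, added here as an example and not taken from the thread or from MikroTik's manual: IKE and ESP are reachable from the internet, but UDP 1701 is accepted only for packets that were just decapsulated from an inbound IPsec policy, so cleartext L2TP never reaches the daemon. The WAN interface name ether1-wan and the address-list/comment strings are assumptions; the usual default drop at the end of the input chain is assumed to exist.

```routeros
# Added example (not from the thread). Assumes the WAN interface is named
# "ether1-wan" and that the L2TP server is configured with IPsec enabled.
/ip firewall filter
# IKE (UDP 500) and NAT-T (UDP 4500) are the only UDP services exposed publicly
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=ether1-wan \
    comment="IKE / NAT-T from the internet"
# the encrypted payload itself
add chain=input action=accept protocol=ipsec-esp in-interface=ether1-wan \
    comment="ESP from the internet"
# L2TP is accepted only if the packet matched an inbound IPsec policy, i.e. it
# arrived inside an established SA; ipsec-policy=in,ipsec is the policy matcher
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP only inside IPsec"
# any L2TP packet that did not come out of IPsec is dropped, which is what
# stops probing and password guessing against bare UDP 1701
add chain=input action=drop protocol=udp dst-port=1701 \
    comment="drop cleartext L2TP"
```

Newer RouterOS releases also let the L2TP server itself refuse unencrypted clients (use-ipsec=required under /interface l2tp-server server); the firewall rule above enforces the same thing independently of that setting, and the drop rule's counters show how many bare-L2TP attempts are being rejected.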
 
Kamaz
Frequent Visitor
Posts: 62
Joined: Sun Apr 30, 2017 9:35 am

Re: securing L2TP/IPsec server connection

Mon Aug 14, 2017 10:50 pm

Hi everyone, I'm a newbie in ROS but I hope that my message will be helpful for someone.
To protect L2TP I'm using the following rules:
/ip firewall filter
add action=drop chain=input comment="L2TP brutforce IP drop" connection-state=new \
    dst-port=1701 protocol=udp src-address-list=l2tp-brutforce
add action=add-src-to-address-list address-list=l2tp-brutforce \
    address-list-timeout=2w chain=input comment="L2TP brutforce IP to list" \
    connection-state=new dst-port=1701 protocol=udp src-address-list=probe3
add action=add-src-to-address-list address-list=probe3 address-list-timeout=2m \
    chain=input comment="L2TP brutforce protection stage 3" connection-state=new \
    dst-port=1701 protocol=udp src-address-list=probe2
add action=add-src-to-address-list address-list=probe2 address-list-timeout=2m \
    chain=input comment="L2TP brutforce protection stage 2" connection-state=new \
    dst-port=1701 protocol=udp src-address-list=probe1
add action=add-src-to-address-list address-list=probe1 address-list-timeout=1m \
    chain=input comment="L2TP brutforce protection stage 1" connection-state=new \
    dst-port=1701 protocol=udp
 
b3h3m07h
newbie
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Re: securing L2TP/IPsec server connection

Thu Aug 17, 2017 8:17 am

I use the following rules with port knocking and an IPsec policy matcher (no need to open UDP port 1701):

/ip firewall filter
add action=add-src-to-address-list address-list=port_knock_tcp_ph1 address-list-timeout=10s chain=input comment="PORT KNOCK" dst-port=51412 in-interface=ISP1 protocol=tcp
add action=add-src-to-address-list address-list=port_knock_tcp_ph2 address-list-timeout=10s chain=input comment="PORT KNOCK" dst-port=13231 in-interface=ISP1 protocol=tcp src-address-list=port_knock_tcp_ph1
add action=add-src-to-address-list address-list=port_knock_secure address-list-timeout=1d chain=input comment="PORT KNOCK" dst-port=32451 in-interface=ISP1 protocol=tcp src-address-list=port_knock_tcp_ph2
add action=accept chain=input comment=ESP in-interface=ISP1 protocol=ipsec-esp src-address-list=port_knock_secure
add action=accept chain=input comment=AH in-interface=ISP1 protocol=ipsec-ah src-address-list=port_knock_secure
add action=accept chain=input comment="UDP 500" dst-port=500 in-interface=ISP1 protocol=udp src-address-list=port_knock_secure
add action=accept chain=input comment="UDP 4500" dst-port=4500 in-interface=ISP1 protocol=udp src-address-list=port_knock_secure
add action=accept chain=input comment="ipsec policy matcher" in-interface=ISP1 ipsec-policy=in,ipsec
 
Kamaz
Frequent Visitor
Posts: 62
Joined: Sun Apr 30, 2017 9:35 am

Re: securing L2TP/IPsec server connection

Sat Aug 19, 2017 11:58 am

How are you using such a scheme on the client side? And which type of clients do you have? I mean Windows, MikroTik or something else.
 
Kamaz
Frequent Visitor
Posts: 62
Joined: Sun Apr 30, 2017 9:35 am

Re: securing L2TP/IPsec server connection

Sun Aug 20, 2017 9:13 pm

I'm using L2TP + IPsec and there are a lot of entries in the log like:

aug/20/2017 04:12:00 216.218.206.70 failed to get valid proposal.
aug/20/2017 bla-bla-bla....... 216.218.206.66, wrong password.

How can I get those IPs from the log to block them via the firewall?
Can I use ordinary regex?
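RouterOS scripting has no regex capture, but the `~` operator in `find` is a regex match, so the log lines can be selected by pattern and the address pulled out by tokenizing the message. The script below is an added example, not from the thread: the address-list name vpn-bad, its timeout and the comment are placeholders, and a drop rule that references that list is assumed to already exist. "failed to get valid proposal" is also logged for legitimate clients with a mismatched IPsec proposal, so the list should be reviewed before being trusted.

```routeros
# Added example (not from the thread). Scans the log buffer for the two
# failure messages quoted above, extracts the first IPv4 address in each
# message and adds it to the address list "vpn-bad" (placeholder name).

# return the first IPv4 address found in a string, or "" if there is none
:global ipFromMsg do={
    :local s $1
    :while ([:len $s] > 0) do={
        :local sp [:find $s " "]
        :local tok $s
        :if ([:typeof $sp] = "num") do={
            :set tok [:pick $s 0 $sp]
            :set s [:pick $s ($sp + 1) [:len $s]]
        } else={ :set s "" }
        :if ([:len $tok] > 0) do={
            # strip the trailing "," or "." that the sentence leaves on the address
            :local last [:pick $tok ([:len $tok] - 1) [:len $tok]]
            :if ($last = "," || $last = ".") do={ :set tok [:pick $tok 0 ([:len $tok] - 1)] }
            # :toip only yields an ip value for a well-formed address; the
            # round-trip comparison rejects bare numbers such as "04"
            :local cand [:toip $tok]
            :if ([:typeof $cand] = "ip" && [:tostr $cand] = $tok) do={ :return $tok }
        }
    }
    :return ""
}

# "~" is a regex match, so one alternation selects both message types
:foreach e in=[/log find message~"(wrong password|failed to get valid proposal)"] do={
    :local addr [$ipFromMsg [/log get $e message]]
    :if ($addr != "") do={
        # add each address once; a duplicate add would raise an error
        :if ([:len [/ip firewall address-list find list=vpn-bad address=$addr]] = 0) do={
            /ip firewall address-list add list=vpn-bad address=$addr timeout=1d \
                comment="from log: auth/proposal failure"
        }
    }
}
```

Run it from /system script on a schedule so new entries are picked up as they appear; the drop rule should match src-address-list=vpn-bad on the input chain.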
 
b3h3m07h
newbie
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Re: securing L2TP/IPsec server connection

Mon Aug 21, 2017 5:33 pm

Clients are Windows, Android and iOS.

I use a port knocker app from the Play Store and App Store. The knocking then adds the clients to the secure list, which is part of the requirements for the connection. Without the knock the port is closed for that device. For Windows I just googled a port knocker. Will post the link tomorrow when I'm in front of my PC.
 
Kamaz
Frequent Visitor
Posts: 62
Joined: Sun Apr 30, 2017 9:35 am

Re: securing L2TP/IPsec server connection

Mon Aug 21, 2017 5:54 pm

Thank you for the quick answer. No need to search for links and software, I understood the main idea of your scheme. The problem was I didn't know about port-knocking software for Android and iOS.
 
Kamaz
Frequent Visitor
Posts: 62
Joined: Sun Apr 30, 2017 9:35 am

Re: securing L2TP/IPsec server connection

Mon Oct 09, 2017 9:34 pm

I found an option for how to protect my VPN: https://github.com/Onoro/Mikrotik
Looks like it works.
