Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

L2TP/IPSEC server configuration questions

Locked
 
ega2002
just joined
Topic Author
Posts: 15
Joined: Fri Sep 23, 2016 4:58 pm

L2TP/IPSEC server configuration questions

Tue May 29, 2018 4:00 pm

Hi there,

Recently I started to configure my Mikrotik hAP ac as a L2TP/IPSEC server to be able to access my local samba file-server from outside. I've found a lot of standard tutorials out there, and basically everything is working OK, but a couple of questions still need to be clarified for me.

1. The tutorials recommend to add the following two rules to my firewall input chain:
Code: Select all
/ip firewall filter
add chain=input action=accept protocol=udp port=1701,500,4500
add chain=input action=accept protocol=ipsec-esp
While the first rule is absolutely clear, the second raises the questions: what is it for, and why is not triggered at all (counters show zeroes), while the IPSEC tunnel is established and working? Can it be removed, or it is necessary for some specific cases?

2. Some tutorials say, that there may be troubles with IPSEC and FastTrack, and recommend to arrange IPSEC packets marking in order to exclude IPSEC from FastTrack. I have FastTrack enabled in my Mikrotik, and see no problems with L2TP/IPSEC at all, the clients are able to connect and exchange data with the server. Should I nevertheless take care about this, or let it as it is?

Thanks in advance for your help
Top
 
Van9018
Long time Member
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: L2TP/IPSEC server configuration questions

Tue Jun 05, 2018 10:59 am

1. Port 4500 is used to detect NAT traversal. If the client has a public IP and not behind a NAT device, then IPSec will happen over the ipsec-esp protocol. This may be a rare occurrence and maybe you'll never see the counts increase.

2. I also never have problems with leaving FastTrack alone. Maybe someone else can comment?
Top
 
AndreasGR
newbie
Posts: 45
Joined: Mon May 14, 2018 5:27 pm

Re: L2TP/IPSEC server configuration questions

Tue Jun 05, 2018 4:01 pm

I am using IPSEC/IKEv2 and I do not have any ipsec-esp filter.
Am I missing something?
Top
 
ega2002
just joined
Topic Author
Posts: 15
Joined: Fri Sep 23, 2016 4:58 pm

Re: L2TP/IPSEC server configuration questions

Tue Jun 05, 2018 10:36 pm

Port 4500 is used to detect NAT traversal. If the client has a public IP and not behind a NAT device, then IPSec will happen over the ipsec-esp protocol. This may be a rare occurrence and maybe you'll never see the counts increase.
Right, all my clients are behind the NAT, and also I have "NAT Traversal" checked in IPsec Peer Advanced configuration. So, I guess ipsec-esp rule could be omitted in this case.
Top
 
Sayrax
just joined
Posts: 24
Joined: Mon Jun 26, 2017 4:44 pm
Location: Kharkiv
Contact:
Contact Sayrax

Re: L2TP/IPSEC server configuration questions

Wed Jun 06, 2018 10:06 pm

Connection is up? Or look on forward chain. from L2tp network to lan network
Top
 
User avatar
ingdaka
Trainer
Trainer
Posts: 457
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania
Contact:
Contact ingdaka

Re: L2TP/IPSEC server configuration questions

Thu Jun 07, 2018 2:06 pm

It show 0 counter because Port 500 and IPSec-ESP is the same thing, so you get counter to first role because it has more priority!
Top
 
ega2002
just joined
Topic Author
Posts: 15
Joined: Fri Sep 23, 2016 4:58 pm

Re: L2TP/IPSEC server configuration questions

Thu Jun 07, 2018 6:13 pm

It show 0 counter because Port 500 and IPSec-ESP is the same thing, so you get counter to first role because it has more priority!
No, ipsec-esp is IP protocol number 50, while UDP port 500 is IP protocol number 17.
Top
Locked
  4. RouterOS
  5. Beginner Basics