L2TP IPSec without password and IPSec Secret

Posted: Wed Apr 20, 2022 7:02 pm
by Psynapsx
So I accidentally enabled the L2TP server and opened ports 500, 1701 and 4500 without first setting up my IPsec secret and user password (in PPP - Secrets), but I did set up my username.
I set “Use IPsec” to “required”.
I see one failed L2TP login attempt in the logs.
Should I worry? Is it possible that someone logged in to my router since there were no IPsec secret and user password in PPP - Secrets?
Is it even possible to connect without entering password and IPsec secret?

Re: L2TP IPSec without password and IPSec Secret

Posted: Wed Apr 20, 2022 8:10 pm
by Sob
L2TP server without an IPsec secret exposes a plain L2TP server, and if your firewall rules allow it (they shouldn't), it's possible to connect to it. But if you don't see any successful connection (at least I think it's logged too), it's OK.

You don't want to allow port 1701 unconditionally, only for packets encrypted by IPSec:
/ip firewall filter
add chain=input protocol=tcp dst-port=1701 ipsec-policy=in,ipsec action=accept

Re: L2TP IPSec without password and IPSec Secret

Posted: Wed Apr 20, 2022 8:17 pm
by Psynapsx
Thank you.
They would still have to find out my username to establish a connection, is this correct?

Re: L2TP IPSec without password and IPSec Secret

Posted: Wed Apr 20, 2022 8:31 pm
by Sob
Yes.

Re: L2TP IPSec without password and IPSec Secret

Posted: Wed Apr 20, 2022 8:39 pm
by Zacharias
/ip firewall filter
add chain=input protocol=tcp dst-port=1701 ipsec-policy=in,ipsec action=accept
@sob, do we actually need the dst-port=1701 here?
It's UDP by the way, I guess you just missed that...

Re: L2TP IPSec without password and IPSec Secret

Posted: Wed Apr 20, 2022 9:14 pm
by Sob
Of course, udp; tcp was a mistake, typing without thinking too much, muscle memory or something. ;)

And yes, port 1701 must be allowed, because it's what L2TP listens on. But a small clarification about ipsec-policy: it's possible to skip that, because if you set use-ipsec=required (not just use-ipsec=yes) for the L2TP server, it checks itself whether the connection uses IPsec. On the other hand, it doesn't hurt to keep it, because then nobody can interact with the L2TP server at all without successfully establishing IPsec first.

Or if you meant that it would be possible to drop dst-port and only keep ipsec-policy, then yes and no. Just for L2TP, yes, because the created policies are for just this one port anyway. But in case you have some other IPsec tunnels, this rule could allow access to anything on the router, which may not be desired.
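The two points Sob makes in this thread (allow UDP 1701 only for packets that arrived inside IPsec, and set use-ipsec=required rather than yes) put together as one RouterOS configuration fragment. This is an added example, not a configuration posted by anyone in the thread; the secret values, the user name, the ordering of the input chain and the assumption that the router has no other input rules are all placeholders and assumptions for illustration. The weak rule that the original poster effectively had (plain UDP 1701 accepted from anywhere) is shown commented out next to the corrected one.

```routeros
# Added example (not from the thread). Placeholder values must be replaced.

# 1. L2TP server: "required" means the server itself refuses a session that
#    is not carried inside IPsec; "yes" would still accept a plain L2TP session.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK" \
    default-profile=default

# 2. PPP credentials: a username alone is not a credential, set a password.
/ppp secret
add name=vpnuser password="REPLACE-WITH-STRONG-PASSWORD" service=l2tp profile=default

# 3. Input chain (assumed order; assumes no other input rules exist).
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="return traffic"
add chain=input action=accept protocol=udp dst-port=500,4500 \
    comment="IKE and NAT-T, needed to establish IPsec"
add chain=input action=accept protocol=ipsec-esp \
    comment="ESP, needed when NAT-T is not in use"

# Weak form (what the original poster had): plain L2TP reachable from anywhere.
# add chain=input action=accept protocol=udp dst-port=1701

# Corrected form: L2TP control channel accepted only if the packet was
# decrypted by IPsec. dst-port is kept on purpose; an ipsec-policy=in,ipsec
# rule without it would admit anything arriving through any other IPsec tunnel.
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP only inside IPsec"

add chain=input action=drop comment="drop everything else"
```

To check the result from the router, /log print (with ipsec and l2tp topics enabled) shows whether a remote peer gets past phase 1 and phase 2, and /ip firewall filter print stats shows whether the plain-UDP-1701 path is ever hit; with the corrected rule in place it should not be.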

Re: L2TP IPSec without password and IPSec Secret

Posted: Wed Apr 20, 2022 9:17 pm
by Zacharias
Or if you meant that it would be possible to drop dst-port and only keep ipsec-policy, then yes and no. Just for L2TP, yes, because created policies are for just this one port anyway. But in case you have some other IPSec tunnels, this rule could allow access to anything on router, which may not be desired.
Right, that's what I meant... What is inside the IPsec-in will be the L2TP packets anyway.