Difference between revisions of "Securing L2TP Server for IPSec"

From MikroTik Wiki
 
(2 intermediate revisions by 2 users not shown)
Changes between the previous revision and the latest revision shown below:

- The "Applies to RouterOS" template was extended from v5 to v5, v6.
- The "What to configure" section was moved from after the script to before it, and the firewall rule (add chain=input dst-port=1701 protocol=udp src-address-list=L2TP_Allowed) was added to it.
- The script header version changed from 1.0.1 to 1.0.2.
- The script body is now wrapped in { ... } and gains a rawIp variable: the remote-address reported by /ip ipsec remote-peers is stripped of any ":port" suffix before it is compared with, or added to, the address list.
- The second loop no longer uses /ip ipsec remote-peers find remote-address=$CurrentPeerIP; it iterates over all remote peers and compares each stripped address with the address-list entry.

Latest revision as of 12:26, 1 April 2015


Applies to RouterOS: v5, v6

Basic Info

One problem with L2TP/IPsec on MikroTik is that there is no way to restrict the L2TP server to IPsec clients only when the clients connect from different, constantly changing public IPs.

In the firewall you have to allow access to the L2TP server (UDP/1701), but RouterOS v5 has no IPsec policy matcher, so a plain accept rule also exposes L2TP to anyone who skips IPsec entirely. Here is my script for securing the L2TP server to IPsec clients only: it keeps a firewall address list, L2TP_Allowed, in sync with the IPsec peers that are currently connected, and the L2TP accept rule matches on that list. (Later RouterOS v6 releases add an ipsec-policy firewall matcher, ipsec-policy=in,ipsec, that expresses this directly; where that matcher is available it should be preferred over the script.)

What to configure

Make sure the firewall rule that accepts the L2TP server port is restricted with src-address-list=L2TP_Allowed:

add chain=input dst-port=1701 protocol=udp src-address-list=L2TP_Allowed action=accept

Schedule the script to run every 2 or 3 seconds, and the L2TP server is secured. The interval is the window of exposure in both directions: a newly established IPsec peer cannot reach L2TP until the next run, and a peer whose IPsec association has dropped stays on the list until the next run.

If you allow established and related connections in the firewall before the L2TP rule, the L2TP server remains available to a removed peer for as long as its connection stays in the connection tracking table, so watch out for that (the default UDP stream timeout is 3 minutes). Either put a rule that drops UDP/1701 from addresses not on the list ahead of the established,related accept, or accept that a peer keeps L2TP access for up to that timeout after its IPsec association goes away.
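The complete input-chain layout and scheduler entry that the steps above imply, written out as an added example; this is not configuration from the original page, and the names l2tp-ipsec-guard and the rule comments are my assumptions. The only requirement the page itself states is the src-address-list=L2TP_Allowed match on UDP/1701; the rule order around the established,related accept is what closes the conntrack window described above.

```routeros
# Added example, not from the original page. Names ("l2tp-ipsec-guard") and
# comments are assumptions; adapt the order to your existing input chain.

/ip firewall filter
# IKE, NAT-T and ESP must stay reachable from anywhere, otherwise no client can
# ever bring up the IPsec association that gets it onto L2TP_Allowed.
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"

# L2TP only from peers the script has put on the list (the rule from the page,
# with the default action spelled out).
add chain=input protocol=udp dst-port=1701 src-address-list=L2TP_Allowed \
    action=accept comment="L2TP from active IPsec peers"

# Drop everyone else's L2TP *before* the generic established/related accept.
# If this drop came after it, a peer whose IPsec SA is gone would keep reaching
# L2TP through its existing conntrack entry until the UDP stream timeout
# (3 minutes by default) expired.
add chain=input protocol=udp dst-port=1701 action=drop comment="L2TP without IPsec"

add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# ... the rest of your input chain, ending in a final drop.

# On RouterOS v6 builds that have the ipsec-policy matcher, the list, the
# script and the drop above can be replaced by this single rule instead:
# add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept

# Create the script (paste the source from the section below) and run it
# every 3 seconds. read,write is enough: it only reads IPsec peers and edits
# the address list.
/system script add name=l2tp-ipsec-guard policy=read,write source=""
/system scheduler add name=l2tp-ipsec-guard interval=3s start-time=startup \
    policy=read,write on-event=l2tp-ipsec-guard

# Verification: the two listings should agree (addresses only; remote-peers
# may show a :4500 suffix for NAT-T clients), and no L2TP connection should
# exist from an address that is not on the list.
/ip ipsec remote-peers print
/ip firewall address-list print where list=L2TP_Allowed
/ip firewall connection print where protocol=udp dst-address~":1701"
```

The three verification commands are the check to run after the first scheduler run: if an L2TP connection entry exists for an address that is absent from L2TP_Allowed, the established,related accept is ordered ahead of the drop and the conntrack window is still open.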

The script

# ------------------- header -------------------
# Script by Tomas Kirnak, version 1.0.2
# If you use this script, or edit and
# re-use it, please keep the header intact.
#
# For more information and details about
# this script please visit the wiki page at
# http://wiki.mikrotik.com/wiki/Securing_L2TP_Server_for_IPSec
# ------------------- header -------------------
#
# Keeps the firewall address list L2TP_Allowed equal to the set of
# currently connected IPsec peers, in two passes:
#   pass 1 - add every active remote peer that is missing from the list
#   pass 2 - remove every list entry that no longer has an active peer
#
# remote-address is reported as "a.b.c.d" or, for NAT-T clients, as
# "a.b.c.d:4500", so everything from the first ":" on is stripped before
# the address is compared or added. This assumes IPv4 peers; an IPv6 peer
# address would be truncated at its first colon.
# (Later RouterOS v6 releases list active peers under
# /ip ipsec active-peers instead of /ip ipsec remote-peers.)
{
:local InAL 0
:local InRP 0
:local rawIp 0
:local CurrentPeerIP 0
:local ListIP 0

# pass 1: every active IPsec peer must be on the list
:foreach i1 in [/ip ipsec remote-peers find] do={
  :set rawIp [/ip ipsec remote-peers get $i1 remote-address]

  :if ([:len [:find $rawIp ":"]] = 0) do={
    :set CurrentPeerIP $rawIp
  } else={
    :set CurrentPeerIP [:pick $rawIp 0 [:find $rawIp ":"]]
  }

  :foreach i2 in [/ip firewall address-list find list=L2TP_Allowed address=$CurrentPeerIP] do={
    :set InAL 1
  }
  :if ($InAL = 0) do={/ip firewall address-list add list=L2TP_Allowed address=$CurrentPeerIP}
  :set InAL 0
}

# pass 2: every list entry must still correspond to an active IPsec peer
:foreach i1 in [/ip firewall address-list find list=L2TP_Allowed] do={
  :set ListIP [/ip firewall address-list get $i1 address]

  :foreach i2 in [/ip ipsec remote-peers find] do={
    :set rawIp [/ip ipsec remote-peers get $i2 remote-address]

    :if ([:len [:find $rawIp ":"]] = 0) do={
      :set CurrentPeerIP $rawIp
    } else={
      :set CurrentPeerIP [:pick $rawIp 0 [:find $rawIp ":"]]
    }

    :if ($CurrentPeerIP = $ListIP) do={
      :set InRP 1
    }
  }
  :if ($InRP = 0) do={/ip firewall address-list remove $i1}
  :set InRP 0
}
}