Mikrotik
shaytan, 2015-09-16 19:05:58

How can Mikrotik be made to require IPsec for L2TP connections?

I configured an L2TP server and IPsec for it on Mikrotik. I found the following: if the "no encryption" option is selected on the client (I currently have Win10), the connection is successfully established over bare L2TP, without checking the shared secret and without encryption. How do I force Mikrotik to require IPsec encryption from clients and refuse connections without IPsec?


3 answer(s)
Cool Admin, 2015-09-16
@ifaustrue

I have Windows 10 and I don't know how you created L2TP without IPsec =) Without encryption is one thing, but without IPsec is a bit different (there is either a certificate or a network key).
(I mean, I know about the method through GPO or the registry, but not the normal way.)
In my case, everything starts only if IPsec is enabled in the l2tp-server, a key for IPsec is set, a secret is created (a user with Local and Remote IP) and the proposal is set to sha1+aes-256 (these are all the changes from the default settings).

shaytan, 2015-09-17
@shaytan

Evgeny Bychenko: version 6.32.1, but on 6.30.4 the behavior was the same. If you tick the use ipsec checkbox in the server and use the generated peers, the behavior remains the same.

Literis, 2018-05-21
@Literis

I struggled with this problem for a long time myself and found a solution in the firewall: add a rule allowing IPsec forward traffic on the VPN interface and a rule prohibiting unencrypted traffic. It does not solve the problem of unauthorized connection; however, if one occurs, unencrypted traffic will be dropped.

/ip firewall filter
add action=accept chain=forward in-interface=[vpn interface] ipsec-policy=in,ipsec
add action=drop chain=forward in-interface=[vpn interface] ipsec-policy=in,none
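
An added example, not part of the answer above: a small Python audit for the firewall approach it describes. It reads single-line rules from a `/ip firewall filter` export and reports, under first-match evaluation, what happens to unencrypted and IPsec-protected forward traffic arriving on the VPN interface. The interface name `l2tp-in1` and both sample exports are constructed, and only the `chain`, `in-interface` and `ipsec-policy` matchers are modeled.

```python
import shlex

MODELED = {"chain", "in-interface", "ipsec-policy"}  # matchers this sketch understands
NON_MATCHERS = {"action", "comment", "disabled"}

# Constructed sample exports; "l2tp-in1" is an assumed interface name.
GOOD = """\
add action=accept chain=forward in-interface=l2tp-in1 ipsec-policy=in,ipsec
add action=drop chain=forward in-interface=l2tp-in1 ipsec-policy=in,none
"""
SHADOWED = """\
add action=accept chain=forward in-interface=l2tp-in1 comment="allow vpn"
add action=drop chain=forward in-interface=l2tp-in1 ipsec-policy=in,none
"""

def parse_rules(export_text):
    """Parse single-line 'add key=value ...' rules, skipping disabled ones."""
    rules = []
    for line in export_text.splitlines():
        tokens = shlex.split(line.strip())
        if not tokens or tokens[0] != "add":
            continue
        rule = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if rule.get("disabled") != "yes":
            rules.append(rule)
    return rules

def verdict(rules, packet):
    """First-match verdict; 'unknown' if a same-chain rule uses an unmodeled matcher."""
    for rule in rules:
        matchers = {k: v for k, v in rule.items() if k not in NON_MATCHERS}
        if matchers.get("chain") != packet["chain"]:
            continue
        if set(matchers) - MODELED:
            return "unknown"  # cannot tell whether this rule would match first
        if all(packet.get(k) == v for k, v in matchers.items()):
            return rule.get("action", "accept")
    return "accept"  # nothing matched: the chain's default is to accept

def audit(export_text, vpn_if):
    """Verdicts for unencrypted and IPsec-protected traffic entering via vpn_if."""
    rules = parse_rules(export_text)
    def pkt(policy):
        return {"chain": "forward", "in-interface": vpn_if, "ipsec-policy": policy}
    return {"plain": verdict(rules, pkt("in,none")),
            "ipsec": verdict(rules, pkt("in,ipsec"))}

if __name__ == "__main__":
    print("good:", audit(GOOD, "l2tp-in1"))
    print("shadowed:", audit(SHADOWED, "l2tp-in1"))
```

In the `SHADOWED` sample a broader accept rule sits above the drop rule, so unencrypted traffic is accepted before the drop is ever reached; the drop rule has to come before any such rule.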
