Matching on IPsec policy only works when your router itself is terminating the IPsec.
It can do that, but this is not what you are doing now (the router is forwarding encrypted traffic to your server).
In this case, you simply allow only UDP port 500, UDP port 4500, and IP protocol 50 to be forwarded to your server.
(The latter is probably not necessary as you have NAT in your path anyway.)
Don’t allow UDP port 1701 forwarding across your router. It is the unencrypted L2TP traffic.
Statistics: Posted by pe1chl — Mon Apr 15, 2019 8:44 pm
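The forwarding setup described in the post, written out as an added example (not the poster's own configuration). It assumes a MikroTik RouterOS router, which the post does not name, with ether1 as the WAN interface and the L2TP/IPsec server at 192.168.88.10; both values are placeholders.

```routeros
# Added example, not from the original post. Assumptions: the router runs
# MikroTik RouterOS, ether1 is the WAN interface, and the L2TP/IPsec server
# behind it is 192.168.88.10.

/ip firewall nat
# Forward IKE (UDP/500) and NAT-T (UDP/4500) to the server.
add chain=dstnat in-interface=ether1 protocol=udp dst-port=500 \
    action=dst-nat to-addresses=192.168.88.10 comment="IKE -> VPN server"
add chain=dstnat in-interface=ether1 protocol=udp dst-port=4500 \
    action=dst-nat to-addresses=192.168.88.10 comment="NAT-T -> VPN server"
# Raw ESP (IP protocol 50). Probably unnecessary behind NAT, since clients
# will negotiate NAT-T and carry ESP inside UDP/4500, but harmless to add.
add chain=dstnat in-interface=ether1 protocol=ipsec-esp \
    action=dst-nat to-addresses=192.168.88.10 comment="ESP -> VPN server"
# Deliberately NO dst-nat rule for UDP/1701: plain L2TP must never be
# reachable from the WAN side, it must only arrive inside the IPsec tunnel.

/ip firewall filter
# Allow replies for connections the router has already seen.
add chain=forward connection-state=established,related action=accept
# Only dst-natted IPsec traffic is allowed through to the server.
add chain=forward in-interface=ether1 dst-address=192.168.88.10 \
    connection-nat-state=dstnat protocol=udp dst-port=500,4500 action=accept
add chain=forward in-interface=ether1 dst-address=192.168.88.10 \
    connection-nat-state=dstnat protocol=ipsec-esp action=accept
# Explicitly drop unencrypted L2TP from the WAN, even if a NAT rule is ever
# added by mistake; this rule must stay above any accept for UDP/1701.
add chain=forward in-interface=ether1 protocol=udp dst-port=1701 \
    action=drop comment="block unencrypted L2TP from WAN"
# Default deny: nothing else new from the WAN is forwarded.
add chain=forward in-interface=ether1 connection-state=new action=drop
```

Rule order matters in RouterOS: the established/related accept and the two IPsec accepts must precede the final drop, and the UDP/1701 drop must precede any broader accept that could match it.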