General • Re: Preventing IPSec-less L2TP

Matching on IPsec policy only works when your router itself is terminating the IPsec.
It can do that, but this is not what you are doing now (the router is forwarding encrypted traffic to your server).
In this case, you simply allow only UDP port 500, UDP port 4500, and IP protocol 50 to be forwarded to your server.
(The latter is probably not necessary, as you have NAT in your path anyway.)

Don’t allow UDP port 1701 forwarding across your router. It is the unencrypted L2TP traffic.

Statistics: Posted by pe1chl — Mon Apr 15, 2019 8:44 pm
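As an added illustration (not from the post above and not any vendor's CLI), a small Python audit of a router's port-forward rule list against that advice: the required UDP 500/4500 forwards must be present, ESP (IP protocol 50) is optional behind NAT, and a UDP 1701 forward is flagged because it exposes plain L2TP. The rule format, the server address 192.0.2.10 and the sample rules are constructed.

```python
# Router-agnostic representation of DNAT / port-forward rules (constructed format):
# {"proto": "udp"|"esp"|"50", "dport": int|None, "to": "<internal server IP>"}

REQUIRED = {("udp", 500), ("udp", 4500)}   # IKE and NAT-T, needed for IPsec pass-through
OPTIONAL = {("esp", None)}                 # raw ESP; NAT-T carries it inside UDP/4500 instead
FORBIDDEN = {("udp", 1701)}                # bare L2TP: lets a client skip IPsec entirely


def _norm(proto):
    """Normalise protocol names so '50' and 'ESP' compare equal."""
    p = str(proto).lower()
    return "esp" if p == "50" else p


def audit_forwards(rules, server_ip):
    """Compare the forwards that point at server_ip with the L2TP/IPsec policy."""
    present = {(_norm(r["proto"]), r.get("dport"))
               for r in rules if r.get("to") == server_ip}
    missing = sorted(REQUIRED - present)
    forbidden = sorted(FORBIDDEN & present)
    return {
        "missing": missing,                     # required pass-through rules not found
        "forbidden_present": forbidden,         # unencrypted L2TP being forwarded
        "esp_forwarded": bool(OPTIONAL & present),
        "ok": not missing and not forbidden,
    }


def recommended_rules(server_ip):
    """Minimal forward set the post describes: IKE, NAT-T, and (optionally) ESP."""
    return [
        {"proto": "udp", "dport": 500, "to": server_ip},
        {"proto": "udp", "dport": 4500, "to": server_ip},
        {"proto": "esp", "dport": None, "to": server_ip},
    ]


# Constructed sample: the poster's current setup plus the UDP/1701 mistake.
SERVER = "192.0.2.10"
SAMPLE_RULES = [
    {"proto": "udp", "dport": 500, "to": SERVER},
    {"proto": "udp", "dport": 4500, "to": SERVER},
    {"proto": "udp", "dport": 1701, "to": SERVER},   # forwards unencrypted L2TP
]

if __name__ == "__main__":
    print(audit_forwards(SAMPLE_RULES, SERVER))
    print(audit_forwards(recommended_rules(SERVER), SERVER))
```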
