L2TP/IPsec
When an L2TP server is started, it listens on UDP port 1701 for incoming L2TP connections on the external interface of the VPN server. In the normal mode of operation, a VPN client establishes an IPsec session with the VPN server first, and then the L2TP connection is established within the IPsec tunnel.
Because the L2TP server is listening on port 1701, the server also accepts incoming L2TP connections that are not tunneled in IPsec. This acceptance may be an issue, for example, if a user establishes an L2TP VPN connection without the IPsec tunnel (note that the Windows VPN client does not allow this), in which case all the traffic from the user is in the clear; that is, not encrypted.
- If the VPN server is deployed in a demilitarized zone (DMZ) and has a firewall in front of it, then the firewall can be configured to allow only IPsec traffic to the VPN server (in other words, UDP port 1701 is not allowed). This way, L2TP/IPsec connections can be established, but L2TP-only connections will be blocked.
If the VPN server is directly exposed, the firewall on the VPN server should be configured to disallow L2TP-only connections. For example, the following rule can be defined and applied to local on the external interface to allow L2TP/IPsec connections. (L2TP-only connections can be blocked by the default-drop rule.)
rule 10 {
action accept
destination {
port 1701
}
ipsec {
match-ipsec
}
protocol udp
}