
Mikrotik L2TP / IPsec VPN Server Step by Step configuration with Fasttrack enabled!

This tutorial assumes that the WAN interface of the MikroTik router has a public IP address and that your ISP does not block the IPsec traffic (UDP 500, UDP 4500 and ESP). With that out of the way, let's get started.

The first step is to create a PPP profile on the MikroTik. We will use 192.168.102.1 for the local address (the VPN gateway); pick an address that is not already in use on the router or on the LAN, so that the VPN subnet does not overlap your LAN subnet. We also need to hand the clients a DNS server.

/ppp profile add name=ipsec_vpn local-address=192.168.102.1 dns-server=1.1.1.1

Next we enable the L2TP server and set the allowed authentication methods. The command below allows both mschap1 and mschap2; MS-CHAPv1 is obsolete, so restrict the list to mschap2 unless you still have a client that cannot do better. The authentication runs inside the IPsec tunnel either way, but there is no reason to offer the weaker method.

/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2

Next, we need to define the IPsec peer and the default IPsec policy template, and set the pre-shared key in the process. The template matches any source and destination address; with generate-policy=port-override, RouterOS creates the actual per-client policy from this template when a client negotiates, so you do not have to add a policy per client.

/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 

For RouterOS 6.39 and lower use:

/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="STRONG_SECRET_HERE" exchange-mode=main-l2tp send-initial-contact=no  generate-policy=port-override

For RouterOS 6.44 and higher use:

/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver


/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="STRONG_SECRET_HERE" peer=l2tpserver

Next we set the default proposal, i.e. the encryption and authentication algorithms. The values below (3DES, SHA1 and the modp1024 PFS group) are legacy choices kept for compatibility with older built-in clients. Both auth-algorithms and enc-algorithms accept comma-separated lists, so offer aes-256-cbc and sha256 as well and keep the weak ones only while a client you need still requires them. With pre-shared key authentication the key itself is the weak point, so use a long random secret.

/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024

Now we add a user and assign a static IP address. A secret with a remote-address always gets that one address; if you want several users (or the same user from several devices) connected at the same time, leave remote-address off and give the profile an IP pool instead.

/ppp secret add name="USERNAME" password="STRONG PASSWORD" service=l2tp profile=ipsec_vpn remote-address=192.168.102.2

Finally we need to accept the IPsec and L2TP traffic from the WAN on the input chain: IKE on UDP 500, NAT-T on UDP 4500, ESP, and L2TP itself on UDP 1701. Note that the first rule below accepts UDP 1701 from anywhere (and "port=" matches either the source or the destination port); to make sure L2TP is only reachable inside the tunnel, put port 1701 in a separate rule with ipsec-policy=in,ipsec and use dst-port instead of port.

/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
/ip firewall filter add chain=input action=accept protocol=ipsec-esp

Note that these two rules need to be placed above any rule that drops input from the WAN (in the default configuration, above the "drop all not coming from LAN" rule), otherwise the packets never reach them. Either use the "move" command via the CLI to move them to the top of the list or drag them in the GUI. The final result should look something like this:
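The whole procedure above as one script, as an added example that is not part of the original post. It keeps the same steps but differs from the commands quoted above in four places: only mschap2 is offered, users take addresses from a pool instead of a fixed remote-address, the proposal lists AES/SHA256 ahead of the legacy 3DES/SHA1 fallback, and UDP 1701 is accepted only when the packet arrived inside an IPsec SA. It assumes RouterOS 6.44 or higher (peer + identity syntax), ether1 as the WAN interface, an existing firewall filter list (such as the default configuration), and the placeholder names, addresses and secrets shown.

```routeros
# Added example, not from the original post. Assumes RouterOS 6.44+ (peer + identity
# syntax), ether1 as the WAN interface, an existing firewall (e.g. the default config)
# and placeholder names, addresses and secrets. Replace every CHANGE_ME before use.

# 1. Address pool and PPP profile. The pool must not overlap the LAN subnet, and
#    local-address is the VPN gateway, not the router's LAN address.
/ip pool add name=l2tp-pool ranges=192.168.102.2-192.168.102.254
/ppp profile add name=ipsec_vpn local-address=192.168.102.1 \
    remote-address=l2tp-pool dns-server=1.1.1.1

# 2. L2TP server. MS-CHAPv1 is obsolete, so only MS-CHAPv2 is offered.
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn \
    authentication=mschap2

# 3. IPsec. Stronger algorithms are listed first; 3des/sha1 stay only as a fallback
#    for clients that need them (remove them once every client negotiates AES/SHA256).
#    pfs-group takes a single value; modp1024 is kept here for client compatibility.
/ip ipsec proposal set default auth-algorithms=sha256,sha1 \
    enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=modp1024
/ip ipsec policy set [find default=yes] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 \
    protocol=all proposal=default template=yes
/ip ipsec peer add name=l2tpserver exchange-mode=main passive=yes
/ip ipsec identity add peer=l2tpserver auth-method=pre-shared-key \
    secret="CHANGE_ME_LONG_RANDOM_PSK" generate-policy=port-override

# 4. Users. No remote-address, so each session takes an address from the pool and
#    several clients can be connected at the same time.
/ppp secret add name=alice password="CHANGE_ME" service=l2tp profile=ipsec_vpn
/ppp secret add name=bob password="CHANGE_ME" service=l2tp profile=ipsec_vpn

# 5. Firewall. IKE (500), NAT-T (4500) and ESP are accepted from the WAN; L2TP (1701)
#    is accepted only when the packet was decrypted by IPsec, so the plain L2TP port
#    is never exposed. place-before puts each rule ahead of the current first rule,
#    i.e. above any "drop from WAN" rule already in the list.
:local top [:pick [/ip firewall filter find] 0]
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface=ether1 place-before=$top comment="allow-ike-natt"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    in-interface=ether1 place-before=$top comment="allow-esp"
/ip firewall filter add chain=input action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec place-before=$top comment="allow-l2tp-in-ipsec"
```

To check the result after a client connects: /ip ipsec active-peers print shows the established SA, /ppp active print shows the PPP session and the address it took from the pool, and /log print where topics~"ipsec" shows a failed negotiation (a client whose proposal matches none of the algorithms above fails there, before L2TP is ever attempted).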

Fasttrack configuration with L2TP Server / Client

I have moved this section to its own post, since this part is relevant to other scenarios too. You may read the full post here

21 Comments

  • Kenny
    Posted 6th September 2019 at 02:10

    I have recently set up this configuration and had a lot of trouble with the details. Your simple explanation looks very good. I do have one question. What do you mean by the phrase I have made bold in “We will use a 192.168.102.1 for the local address (the VPN Gateway), ASSUMING THIS IS NOT ALREADY IN USE.” The address I used for the “local address” was the LAN-side address of the router (which is also the default gateway address for internal devices on the network). So, it is definitely “IN USE”. Am I missing something?
    Again, thank you for your instructions here!

    • Johann Fenech
      Posted 21st September 2019 at 19:10

      Hi Kenny,

      You need to use a different address, one which is not in use, for your ppp profile. I have used 192.168.102.1. If this happens to be your default gateway already then use something like 192.168.103.1 or another IP Address (for your ppp profile). Hope that clears it up.

      J

  • pfoerster
    Posted 3rd October 2019 at 15:45

    Works like a charm! Thanks for posting.
    One comment.
    I tried a bit more secure credentials because SHA1 and 3DES are not so secure anymore.
    Surprisingly the most common SHA256 and AES256-CBC with PFS group 14 (2048) did not work.
    If you use it in native IPsec this works.
    Do you know why this did not work with L2TP in Windows 10 and only the old-fashioned SHA1, 3DES and PFS 1024?

    • Post Author
      Johann
      Posted 8th October 2019 at 21:12

      Although I cannot be sure, I believe this has to do with the windows L2TP Client. I vaguely recall having the same issue using Windows XP with a Cisco router back in the day, I will try to find some time and test it out in a windows vm and report back my findings. 🙂

  • Hav0c
    Posted 21st October 2019 at 10:28

    Find it strange that this "as is" works for some...
    Tried this and it does not work fully for me. Still in the process of troubleshooting.

    Found a couple of websites including wiki.mikrotik.com stating that the PPP profile local address should be the same as the router's address on the local interface and not some random IP "..not already in use".

    Should update the encryption algorithms as well, as SHA1 has been proven not to be that secure.....

    Seeing you do not mention it anywhere, this setup should work with PPPoE/Static and DHCP internet connections?

  • philpowers
    Posted 3rd November 2019 at 19:58

    Johann – this is really good stuff. I'm on macOS and had no issues substituting the three AES256 algorithms. So pfoerster's issue may indeed be related to the Windows L2TP client.
    Now here’s the part I haven’t been able to figure out…I can access other systems on the LAN adding IP address but some services break (eg Bonjour) unless I am on the original subnet. For example my LAN is 192.168.88.x and I set up the VPN on the 192.168.102.x subnet as you suggested. There must be a way to configure NAT to make the VPN machine appear to be on the original subnet. I also tried using various unused 192.168.88.x addresses but that didn’t work either. Any hints?

  • Wayne Blades
    Posted 13th November 2019 at 23:15

    It works but I can't browse my internal LAN

  • Stephan
    Posted 10th December 2019 at 08:12

    Mine also works great thanks!
    How do I allow VPN users to add the local network served by the Mikrotik router?
    (PS, I come from a Zyxel and Nokia background, not confident enough to mess around with settings just yet)

    • Stephan
      Posted 10th December 2019 at 08:24

      Actually ignore my question. I already had the correct firewall rules in place. Problem was on my Mac where the VPN service order was lower down than my WiFi. Just moved it above and now works like a charm. Thanks so much for awesome guide!

  • Leonardo
    Posted 18th December 2019 at 21:31

    clear and simple, works like a charm. many thanks!
    one question: would it possible to connect to it with more devices simultaneously? because even if I create more users (secrets), it doesn’t seem to work… what am I doing wrong?

  • Karl
    Posted 1st January 2020 at 19:40

    THANK YOU THANK YOU THANK YOU

    I have been struggling with this for ages and you made it so simple.

    One question, how can I use pools for IP address assignment at random?

    • Damyan
      Posted 25th January 2020 at 20:29

      Yes, you can:

      example

      /ip pool add name=vpn-pool range=192.168.99.2-192.168.99.100

      /ppp profile
      set default local-address=192.168.99.1 remote-address=vpn-pool

      /ppp secret
      add name=user1 password=123
      add name=user2 password=234

  • Jerry Roy
    Posted 3rd February 2020 at 22:50

    How do I use a pool of addresses to hand out with this?

  • John
    Posted 28th February 2020 at 12:13

    Is it true that only one L2TP/IPsec connection can be established through NAT with a configuration like this?

  • Dim
    Posted 12th March 2020 at 21:17

    Hello!!
    Thank you for your help with this tutorial!
    I don't want to send WAN traffic (!local) over the VPN. Is that possible?

    Thank you!

  • Robi
    Posted 4th April 2020 at 17:13

    Hi!

    Great tutorial. I did this and it all works. I just changed the static IP to a VPN DHCP pool. Everything works fine except Windows shares. I cannot access my Windows 10 desktop where I have shared folders. I tried disabling Symantec antivirus and Windows security, but I still cannot access the shared folders and can't see the desktop. I can access the Mikrotik WinBox and the Raspberry Pi DNS server over SSH; only the shares don't work.

  • Shahin
    Posted 9th April 2020 at 08:11

    Hi Johann,

    your guide says router OS 6.39 and BELOW and 6.44 and ABOVE. I am on 6.43 🙂

    I get “expected end of command (line 1 column 51)” when typing /ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver

    please advise

  • Andy
    Posted 19th April 2020 at 14:14

    Can VPN client use tunnel only for resources on the router’s network? Like for example I want to connect to home local network, but for other traffic not use the tunnel.

  • Saeed
    Posted 1st May 2020 at 17:07

    Mine is not working.
    It just shows this in the log, holds for 10 minutes and then stops:
    ISAKMP-SA deleted 192.168.0.200[4500]-172.83.89.199[4500] spi:11c83e7f00ac764a:1cd0351217ccf0d2 rekey:1

  • stikkx
    Posted 4th May 2020 at 08:41

    Works perfect! Thanks!

    Is it possible to use the VPN only for IP addresses in the VPN's LAN?

    The VPN itself has 192.168.99.0, the target LAN has 10.12.12.0.
    I only want the client to use the VPN for those two IP ranges. But for example Google should use its own WAN port.

  • Kirilgeo
    Posted 3rd June 2020 at 20:40

    Hello
    I would advise adding an L2TP static binding with the VPN username to the LAN, to always have access to all resources in the local network.

    Best,
    Kiril


RANTS.TECH


 © 2022. All Rights Reserved.