This tutorial assumes that the WAN interface of the Mikrotik router has a public IP address, and that your ISP does not block ipsec ports. With that out of the way, lets get started.
The first step is to create a PPP Profile on the mikrotik. We will use a 192.168.102.1 for the local address (the VPN Gateway), assuming this is not already in use. We also need to add a DNS Server
/ppp profile add name=ipsec_vpn local-address=192.168.102.1 dns-server=220.127.116.11
Next we add an l2tp-server server interface and set the allowed authentication methods, mschap1 and mschap2.
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2
Next, we need to define the peering of IPSec and also the default IPsec policy. We will also set the pre-shared-key secret in the process.
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
For Router OS 6.39 and lower use
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="STRONG_SECRET_HERE" exchange-mode=main-l2tp send-initial-contact=no generate-policy=port-override
For Router OS 6.44 and higher use :
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="<strong>STRONG_SECRET_HERE</strong>" peer=l2tpserver
Next we set the default encryption algorthims
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
Now we add a user and allocate an IP Address
/ppp secret add name="USERNAME" password="STRONG PASSWORD" service=l2tp profile=ipsec_vpn remote-address=192.168.102.2
Finally we need to open the IPSec ports from the WAN
/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
/ip firewall filter add chain=input action=accept protocol=ipsec-esp
Note that these two rules need to be added to the top of the list, before any other rules in order to allow connections from the WAN interface. Either use the “move” command via the CLI to move them to the top of the list or use the GUI. The final result should look something like this :
Fasttrack configuration with L2TP Server / Client
I have moved this section to its own post, since this part is relevant to other scenarios too. You may read the full post here
21 comments On Mikrotik L2TP / IPsec VPN Server Step by Step configuration with Fasttrack enabled!
I have recently set up this configuration and had a lot of trouble with the details. Your simple explanation looks very good. I do have one question. What do you mean by the phrase I have made bold in “We will use a 192.168.102.1 for the local address (the VPN Gateway), ASSUMING THIS IS NOT ALREADY IN USE.” The address I used for the “local address” was the LAN-side address of the router (which is also the default gateway address for internal devices on the network). So, it is definitely “IN USE”. Am I missing something?
Again, thank you for your instructions here!
You need to use a different address, one which is not in use, for your ppp profile. I have used 192.168.102.1. If this happens to be your default gateway already then use something like 192.168.103.1 or another IP Address (for your ppp profile). Hope that clears it up.
Works like a charme ! Thanks for posting.
I tried a bit more secure credentials cause sha1 and 3DES are not so secure anymore.
Surprisingly the most common SHA256 and AES256CBC with PFS group 14 (2048) did not work.
If you use it in native IPsec this works.
Do you know why this did not work with L2TP in Windows 10 and only the old fashined SHA1, 3DES and PFS 1024 ?
Although I cannot be sure, I believe this has to do with the windows L2TP Client. I vaguely recall having the same issue using Windows XP with a Cisco router back in the day, I will try to find some time and test it out in a windows vm and report back my findings. 🙂
Find it strange that this “as is” works for some…
Tried this and does not work fully for me. Still in progress of troubleshooting.
Found couple websites including wiki.mikrotik.com stating that ppp profile local address should be the same as routers address on local interface and not some random IP “..not already in use”.
Should update the encryption algorithms as well as sha1 been proven not to be that secure…..
Seeing you do not mention it anywhere this setup should work with PPPoE/Static and DHCP internet connections ?
Johann – this is really good stuff. I’m on macos and had no issues substituting the three AES256 algorithms. So pfoerster’s issue may indeed be related tot he windows L2TP client.
Now here’s the part I haven’t been able to figure out…I can access other systems on the LAN adding IP address but some services break (eg Bonjour) unless I am on the original subnet. For example my LAN is 192.168.88.x and I set up the VPN on the 192.168.102.x subnet as you suggested. There must be a way to configure NAT to make the VPN machine appear to be on the original subnet. I also tried using various unused 192.168.88.x addresses but that didn’t work either. Any hints?
It works but i cant browse my internal LAN
Mine also works great thanks!
How do I allow VPN users to add the local network served by the Mikrotik router?
(PS, I come from a Zyxel and Nokia background, not confident enough to mess around with settings just yet)
Actually ignore my question. I already had the correct firewall rules in place. Problem was on my Mac where the VPN service order was lower down than my WiFi. Just moved it above and now works like a charm. Thanks so much for awesome guide!
clear and simple, works like a charm. many thanks!
one question: would it possible to connect to it with more devices simultaneously? because even if I create more users (secrets), it doesn’t seem to work… what am I doing wrong?
THANK YOU THANK YOU THANK YOU
I have been struggling with this for ages and you made it so simple.
One question, how can I uses pools for IP address assignment at random?
Yes, you can:
/ip pool add name=vpn-pool range=192.168.99.2-192.168.99.100
set default local-address=192.168.99.1 remote-address=vpn-pool
add name=user1 password=123
add name=user2 password=234
How do I use a pool of addresses to hand out with this?
Is that true that only one L2TP/IpSec connection can be established through the NAT with configuartion like this?
Thank you for your help with this tutorial!
I don’t want to send wan traffic (!local) over vpn.! Is that possible?
Great tutorial. I do this and all work. Just change static IP to vpn dhcp pool. Everything work fine except windows share. Cannot access to my windows 10 desktop wher have shared folders. Try disable symantrec antivirus and winsdows security, but still cannot access to shared folders and cant see desktop. I can access to mikrotik winbox, raspberry pi dns server ssh, only share dont work.
your guide says router OS 6.39 and BELOW and 6.44 and ABOVE. I am on 6.43 🙂
I get “expected end of command (line 1 column 51)” when typing /ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
Can VPN client use tunnel only for resources on the router’s network? Like for example I want to connect to home local network, but for other traffic not use the tunnel.
Mine is not working.
Just shows in the Log and hold for 10 minutes and then stop
ISAKMP-SA deleted 192.168.0.200-18.104.22.168 spi:11c83e7f00ac764a:1cd0351217ccf0d2 rekey:1
Works perfect! Thanks!
It is possible to use the VPN only for ip addresses in the VPNs LAN ?
The VPN itself has 192.168.99.0 the target LAN has 10.12.12.0.
I only want that the client use the VPN for that two ip range. But for example google they use there own wan port
I will advice to add L2TP STATIC BINDING with vpn username to LAN to have alwyas access to all resources in local network.