MikroTik L2TP over IPsec VPN Server Tutorial Guide for RouterOS v6.44+

Andy

This is an updated tutorial from my previous RouterOS v6.43 L2TP/IPsec tutorial.
In RouterOS v6.44 there were major changes: the "main-l2tp" exchange-mode was removed from /ip ipsec peer.

But this means configuring L2TP/IPsec is even simpler; just follow my guide down below:
  1. Create the L2TP Server
    The commands below will:
    • Enable the L2TP Server;
    • Enable IPsec over L2TP;
    • Set your desired IPsec PSK.
    Code:
    /interface l2tp-server server
    set enabled=yes
    set use-ipsec=required
    set ipsec-secret=<yourIPsecPSKhere>
  2. MikroTik will create IPsec Policies
    [Screenshot: IPsec Peers and IPsec Policies tabs with the dynamic entries]
    On the IPsec Peers tab, we can see that the dynamic IPsec Peer (Phase 1) is active;
    on the IPsec Policies tab, we can see that the dynamic IPsec Policy (Phase 2) is active.
  3. Create a VPN Address Pool for the Client Devices
    The command below will:
    • Add the start & end addresses to hand out for the L2TP sessions.
    • Note: these addresses can be any range, but I would recommend that they do not overlap with an address already configured on the MikroTik.
    Code:
    /ip pool
    add name=pool1-L2TP_users ranges=10.0.7.2-10.0.7.14
  4. Create a VPN User Profile to apply to L2TP clients
    Notes:
    • Local Address acts as the default gateway for the L2TP client. It can be:
      • the router's LAN IP address;
      • a static entry from the pool;
      • a dynamic selection from the pool itself.
    Code:
    /ppp profile
    add name=profile1-L2TP_users local-address=10.0.7.1 remote-address=pool1-L2TP_users
    Still on this PPP Profile window:
    • On the Protocols tab, you can adjust any protocols to suit.
    • On the Limits tab, you can set session timers & rate limits for clients:
      • Session Timeout - maximum connection time;
      • Idle Timeout - link termination after no activity;
      • Rate Limit - connection speeds;
      • Only One - whether a user may have more than one concurrent connection.
    • Scripts on up and down, and many more.
  5. User Login Credentials
    [Screenshot: PPP Secret window]
    Notes:
    • Name & Password are the login details.
    • Select L2TP as the Service.
    • Profile is the PPP profile to use for this user's login.
    Code:
    /ppp secret
    add name=Andy password=<yourVPNpassword> service=l2tp profile=profile1-L2TP_users
  6. Optionally: Check Firewall Rules
    Code:
    /ip firewall filter
    add chain=input protocol=udp dst-port=500,1701,4500 in-interface=ether1-GTW
    ether1-GTW is the WAN interface in this example; the rule's action defaults to accept, and it must sit above any drop rule in the input chain. Clients that are not behind NAT send raw ESP rather than UDP 4500, so they also need an accept rule for protocol=ipsec-esp.
  7. Our L2TP over IPsec Policy is now complete
I hope this tutorial works for you. I tested this on my live router in the datacenter (running RouterOS v6.44.6) and it worked very well for me 👍

If you have any questions or comments, feel free to post down below 🍻
 
Hey Andy, I'm looking for a tutorial on L2TP/IPsec with all dynamic IPs. I'm new to networking and am struggling with it. Hope you could guide me a little; is this tutorial for me, or can you at least point me in the right direction? Thanks
 
Hi Dusan,

Sure, I'd be happy to help 👍
Just tell me about your topology and elaborate more on what you are trying to achieve here 🤷‍♂️

Talk soon,
Andy
 
Yeah, so my job is to create an L2TP connection between three MikroTik locations. My problem is that the ISP is giving me a dynamic WAN address on all three. How would I solve that?
 
If it's L2TP/IPsec, I assume you will use it for client-to-router connections.

In that case, I would recommend having a look at the IP -> Cloud feature, then ticking the DDNS Enabled option. That will give you a permanent hostname (provided officially by MikroTik), and RouterOS will automatically keep it pointed at your dynamic IP for you.

So you have a permanent address to connect to; the hostname will be something like xxxxxxxxxxxx.sn.mynetname.net, which is very useful when you want to connect to a router with a dynamic IP address.

I hope this works for you 👍
 
Thank you for the tutorial. Mikrotik's own pages are very confusing.
 
Hi Andy, the VPN connects and I can ping the router, but I have no access to (and no ping to) the other local network.

RouterOS v6.45.5
 
Thank you Andy
I just solved the ping problem by adding proxy-arp to the LAN interface. But still, I can't access the shared local folder.
 
Can you elaborate on the way you access your shared local folder? Is that through a UNC path? 🧐
 
Yes, I can access the shared folder through a UNC path, with the computer name replaced by the IP address.
 
That looks more like a DNS issue to me; does your PC's DNS point to the MikroTik? 🧐
 
Yes it is, set to obtain automatically.
I can open any web config but not the shared folder.
 
Have you checked if there's any firewall on the file server? (such as Windows Firewall)
Can you ping the file server?
 
Yes, I've checked the firewall too and disabled it. Still no luck. I can ping any local address.
 
Thanks a lot Andy, problem solved.
Well, there's a firewall rule blocking my SMB port.
🤦‍♂️
 
All good 👍
I'm glad to hear that your issue has been sorted 😃
 
Hello Andy,
Can you help me? In the past few days I have tried to configure an L2TP server on MikroTik 6.45 CHR (on AWS EC2), but the client cannot connect.
Thank you....

( I tried to follow the tutorial here: https://saputra.org/threads/mikroti...-server-tutorial-guide-for-routeros-v6-44.106 )
Hi Rony,

That error pops up when your system is not properly set up to connect to an L2TP server, so the connection attempt fails even before a connection with the server is established.

It is also linked to an incorrect configuration of your operating system, like Windows 10 in this case; this generic error is thrown when the IPsec negotiation fails for L2TP/IPsec connections.

The first thing I would do is disable the AWS EC2 firewall and make sure all ports are being passed through to your MikroTik CHR instance 👍

Ensure that the pre-shared key is correct as well 🧐

Don't hesitate to let me know if you need further assistance 😉
 
Hello there,
So after reading 1, 2, 3, 4, 5 and this article, something keeps blocking me.
Below is the code that I used
Code:
/ip pool add name=vpn-pool ranges=192.168.1.15-192.168.1.20
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn-pool dns-server=192.168.1.254
/interface l2tp-server server set enabled=yes authentication=mschap1,mschap2,chap default-profile=ipsec_vpn use-ipsec=yes
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret=<SUPPERSECUREPASSWORD> peer=l2tpserver
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-128-cbc,aes-256-cbc,aes-128-ctr pfs-group=modp1024
/ppp secret add name=<YOURVPNNAME> password=<YOURVPNPASSWORD> service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"

This article code
Code:
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret=<SUPPERSECUREPASSWORD>
/ip pool add name=vpn_pool ranges=192.168.1.15-192.168.1.20
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn_pool
/ppp secret add name=<YOURVPNNAME> password=<YOURVPNPASSWORD> service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"

RouterOS 6.45.6 (Stable)
What happens is that the connection is made: the client's LOCAL IP is 192.168.88.2, it gets the IP 192.168.1.20 from the remote router, and the DNS is the remote router's IP of 192.168.1.254.
When I do a tracert to the remote router's IP, the trace works.
When I do a tracert to the remote router's WAN IP, the trace works.
The issue is that I cannot access anything on the remote side...
Suggestions on what to look at?
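Two problems recur in this thread: an input chain that does not cover everything an L2TP/IPsec client sends (step 6 of the tutorial), and a pool carved out of the LAN subnet, which only works once the LAN interface has arp=proxy-arp (the fix reported above, and the likely cause of the last post's symptoms). Both can be checked mechanically from the router's export. The script below is an added example, not code from this thread or from MikroTik: it parses `/export` output (one item per line, so unwrap any `\` continuations first; in v6 the export contains the secret unless hide-sensitive is given) and lists what it finds. The two exports embedded in it are constructed: WEAK_EXPORT mirrors the tutorial's single firewall rule and placeholder PSK, HARDENED_EXPORT is the corrected form, and its PSK is a made-up value. The ipsec-policy=in,ipsec matcher in the hardened rules restricts UDP 1701 to packets that arrived inside an IPsec SA, so plain L2TP is never reachable from the WAN.

```python
# Added example (not from the thread or from MikroTik): audit a RouterOS v6.44+ export
# for the L2TP/IPsec settings this thread turns on. Both exports are constructed.
import ipaddress
import shlex

WEAK_EXPORT = """\
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=<yourIPsecPSKhere>
/ip pool
add name=pool1-L2TP_users ranges=192.168.1.15-192.168.1.20
/ip address
add address=192.168.1.254/24 interface=ether2-LAN
/ip firewall filter
add chain=input protocol=udp dst-port=500,1701,4500 in-interface=ether1-GTW
add action=drop chain=input in-interface=ether1-GTW
"""

HARDENED_EXPORT = """\
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-LAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=Kx9vQ2mL7pZ4wR8tNb3h use-ipsec=required
/ip pool
add name=pool1-L2TP_users ranges=192.168.1.15-192.168.1.20
/ip address
add address=192.168.1.254/24 interface=ether2-LAN
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp comment="L2TP/IPsec: raw ESP"
add action=accept chain=input protocol=udp dst-port=500,4500 comment="IKE and NAT-T"
add action=accept chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec
add action=drop chain=input in-interface=ether1-GTW
"""

def parse_export(text):
    """Group export lines by menu path: {menu: [(command, {key: value}), ...]}."""
    menus, menu = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)  # keeps comment="quoted text" together; "[ find .. ]" tokens carry no '='
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        menus.setdefault(menu, []).append((tokens[0], params))
    return menus

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    menus, findings = parse_export(text), []
    srv = {}
    for _, p in menus.get("/interface l2tp-server server", []):
        srv.update(p)  # successive 'set' lines accumulate
    if srv.get("enabled") != "yes":
        findings.append("l2tp-server is not enabled")
    if srv.get("use-ipsec") != "required":
        findings.append("use-ipsec must be 'required', otherwise plain L2TP is accepted")
    psk = srv.get("ipsec-secret", "")
    if not psk or psk.startswith("<") or len(psk) < 16:
        findings.append("ipsec-secret is missing, a placeholder, or shorter than 16 chars")
    weak = set(srv.get("authentication", "pap,chap,mschap1,mschap2").split(",")) - {"mschap2"}
    if weak:  # export omits defaults; the RouterOS default allows PAP/CHAP/MS-CHAPv1 too
        findings.append("weak PPP auth enabled: " + ",".join(sorted(weak)))
    seen = set()  # walk the input chain in order; a catch-all drop ends the walk
    for cmd, p in menus.get("/ip firewall filter", []):
        if cmd != "add" or p.get("chain") != "input" or p.get("disabled") == "yes":
            continue
        action, proto = p.get("action", "accept"), p.get("protocol")
        if action == "drop" and proto is None:
            break
        if action == "accept" and proto == "ipsec-esp":
            seen.add("esp")
        elif action == "accept" and proto == "udp":
            ports = set(p.get("dst-port", "").split(","))
            seen |= {"udp500", "udp4500"} & {"udp" + x for x in ports}
            if "1701" in ports:
                seen.add("l2tp-ipsec" if p.get("ipsec-policy") == "in,ipsec" else "l2tp-plain")
    missing = {"esp": "no accept for protocol=ipsec-esp (clients not behind NAT send raw ESP)",
               "udp500": "no accept for udp/500 (IKE)", "udp4500": "no accept for udp/4500 (NAT-T)",
               "l2tp-ipsec": "udp/1701 accepted without ipsec-policy=in,ipsec (plaintext L2TP reachable)"
               if "l2tp-plain" in seen else "no accept for udp/1701 (L2TP)"}
    findings += [msg for key, msg in missing.items() if key not in seen]
    # A pool carved out of a LAN subnet needs arp=proxy-arp on that LAN interface.
    proxy = {p["name"] for m in ("/interface ethernet", "/interface bridge")
             for _, p in menus.get(m, []) if p.get("arp") == "proxy-arp" and "name" in p}
    lans = [(p["interface"], ipaddress.ip_interface(p["address"]).network)
            for _, p in menus.get("/ip address", []) if "address" in p and "interface" in p]
    for _, p in menus.get("/ip pool", []):
        for rng in filter(None, p.get("ranges", "").split(",")):
            first = ipaddress.ip_address(rng.split("-")[0])
            for iface, net in lans:
                if first in net and iface not in proxy:
                    findings.append("pool %s lies in %s but %s has no arp=proxy-arp" % (p.get("name"), net, iface))
    return findings

if __name__ == "__main__":
    print(audit(WEAK_EXPORT), audit(HARDENED_EXPORT))
```

Running it prints five findings for the weak export (placeholder PSK, weak PPP auth, no ESP accept, UDP 1701 reachable outside IPsec, pool inside the LAN without proxy-arp) and an empty list for the hardened one. The catch-all drop check is deliberately simple: it stops at the first input-chain drop rule with no protocol match, since accept rules placed after it can never fire, which is exactly the ordering mistake the tutorial's "optionally check firewall rules" step is there to catch.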
 