MikroTik L2TP over IPsec VPN Server Tutorial Guide for RouterOS v6.44+

Andy

Administrator
This is an updated tutorial from my previous RouterOS v6.43 L2TP/IPsec tutorial.
In RouterOS v6.44 there were major changes where they removed the "main-l2tp" exchange-mode from /ip ipsec peer.

But this means configuring L2TP/IPsec is even simpler, just follow my guide below:
  1. Create the L2TP Server
    The commands below will:
    • Enable the L2TP Server;
    • Enable IPsec over L2TP;
    • Set your desired IPsec PSK.
    /interface l2tp-server server
    set enabled=yes
    set use-ipsec=required
    set ipsec-secret=<yourIPsecPSKhere>
  2. MikroTik will create IPsec Policies
    On the IPsec Peers tab, we can see that the dynamic IPsec peer (Phase 1) is active;
    on the IPsec Policies tab, we can see that the dynamic IPsec policy (Phase 2) is active.
  3. Create a VPN Address Pool for the Client Devices
    The commands below will:
    • Add the start & end addresses to hand out for the L2TP sessions;
    • Note: These IP addresses can be any address range, and I would recommend that they do not match existing IP addresses in the MikroTik.
    /ip pool
    add name=pool1-L2TP_users ranges=10.0.7.2-10.0.7.14
  4. Create a VPN User Profile to apply to L2TP clients
    Notes:
    • Local Address acts as the Default Gateway for the L2TP client. It can be:
      • the router's LAN IP address;
      • a static entry from the pool address range;
      • a dynamic selection from the pool itself.
    /ppp profile
    add name=profile1-L2TP_users local-address=10.0.7.1 remote-address=pool1-L2TP_users
    Still on this PPP Profile window:
    • If you go to the Protocols tab, you can adjust any protocols to suit.
    • On the Limits tab, you can set session timers & rate limits for clients: Session Timeout (maximum connection time), Idle Timeout (link termination after no activity), Rate Limit (connection speeds) and Only One (whether a user can have more than one connection or not).
    • Scripts on up and down, and many more.
  5. User Login Credentials
    Notes:
    • Name & Password are the login details.
    • Select L2TP as the Service
    • Profile to use for this user's login.
    /ppp secret
    add name=Andy password=<yourVPNpassword> service=l2tp profile=profile1-L2TP_users
  6. Optionally: Check Firewall Rules
    /ip firewall filter
    # place these accept rules above any drop rule in the input chain
    add chain=input protocol=udp dst-port=500,1701,4500 in-interface=ether1-GTW action=accept comment="L2TP/IPsec: IKE, L2TP, NAT-T"
    add chain=input protocol=ipsec-esp in-interface=ether1-GTW action=accept comment="L2TP/IPsec: ESP for clients not behind NAT"
  7. Our L2TP over IPsec Policy is now complete
I hope this tutorial works for you. I tested this on my live router in the datacenter and it worked very well for me 👍

If you have any questions or comments, feel free to post down below 🍻
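As an added check (not part of Andy's post, and not a RouterOS tool), here is a small Python script that parses a constructed `/export`-style dump of steps 1-6 and flags the mistakes the notes above warn about: an L2TP server that does not require IPsec, a profile local-address that falls inside its own pool, and an input chain that does not accept the IKE/L2TP/NAT-T ports or ESP. The export text, `parse_export` and `check_l2tp_ipsec` are all constructed here, not output from the thread.

```python
import ipaddress
# Constructed sample of an "/export" of the tutorial's steps 1-6 (placeholder secret; UDP-only firewall rule).
EXPORT = """\
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=<yourIPsecPSKhere>
/ip pool
add name=pool1-L2TP_users ranges=10.0.7.2-10.0.7.14
/ppp profile
add name=profile1-L2TP_users local-address=10.0.7.1 remote-address=pool1-L2TP_users
/ip firewall filter
add chain=input protocol=udp dst-port=500,1701,4500 in-interface=ether1-GTW
"""

def parse_export(text):  # group each set/add line's key=value pairs under the menu path above it
    menus, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
            menus.setdefault(current, [])
        elif current and line.strip():  # drop 'set'/'add'; values have no spaces here
            menus[current].append(dict(tok.split("=", 1) for tok in line.split()[1:]))
    return menus

def check_l2tp_ipsec(text):
    """Return findings for the pitfalls the tutorial's notes warn about."""
    m, findings = parse_export(text), []
    srv = {k: v for e in m.get("/interface l2tp-server server", []) for k, v in e.items()}
    if srv.get("use-ipsec") != "required":
        findings.append("L2TP server accepts unencrypted sessions: set use-ipsec=required")
    pools = {e["name"]: e["ranges"] for e in m.get("/ip pool", [])}
    for prof in m.get("/ppp profile", []):
        rng = pools.get(prof.get("remote-address"))
        if rng is None:
            findings.append(f"profile {prof['name']} references an unknown pool")
            continue
        lo, hi = (ipaddress.ip_address(a) for a in rng.split("-"))
        local = ipaddress.ip_address(prof["local-address"])
        if lo <= local <= hi:  # the gateway address must not also be handed to a client
            findings.append(f"profile {prof['name']}: local-address {local} lies inside pool {rng}")
    udp_ports, esp = set(), False
    for r in m.get("/ip firewall filter", []):
        if r.get("chain") == "input" and r.get("action", "accept") == "accept":
            if r.get("protocol") == "udp":
                udp_ports.update(r.get("dst-port", "").split(","))
            esp = esp or r.get("protocol") == "ipsec-esp"
    if missing := {"500", "1701", "4500"} - udp_ports:
        findings.append("input chain does not accept UDP " + ",".join(sorted(missing)))
    if not esp:
        findings.append("no input rule for protocol=ipsec-esp (needed for clients not behind NAT)")
    return findings
```

Run it against the output of `/export` from your own router to see which of these checks fail before you hand the VPN to clients.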
 

dusandivic

New member
Hey Andy, I'm looking for a tutorial on L2TP/IPsec with all dynamic IPs. I'm new to networking and am struggling with it. Hope you could guide me a little; is this tutorial for me, or can you at least point me in the right direction? Thanks
 

Andy

Administrator
Hi Dusan,

Sure, I'd be happy to help 👍
Just tell me about your topology and elaborate more on what you are trying to achieve here 🤷‍♂️

Talk soon,
Andy
 

dusandivic

New member
Yeah, so my job is to create an L2TP connection between three MikroTik locations. My problem is that the ISP is giving me a dynamic WAN on all three. How would I solve that?
 

Andy

Administrator
If it's an L2TP/IPsec, I assume you will use it for Client-Router connections.

In that case, I would recommend having a look at the IP -> Cloud feature, then tick the DDNS Enabled option; that will give you a permanent hostname (provided officially by MikroTik), and RouterOS will automatically maintain your dynamic IP for you.

So you will have a permanent address to connect to; the hostname will be something like xxxxxxxxxxxx.sn.mynetname.net, which is very useful when you want to connect to a router with a dynamic IP address.

I hope this works for you 👍
 