MikroTik L2TP over IPsec VPN Server Tutorial Guide for RouterOS v6.44+

Andy

Administrator
This is an updated tutorial from my previous RouterOS v6.43 L2TP/IPsec tutorial.
In RouterOS v6.44 there were major changes: the "main-l2tp" exchange-mode was removed from /ip ipsec peer.

But this means configuring L2TP/IPsec is even simpler; just follow my guide below:
  1. Create the L2TP Server
    The commands below will:
    • Enable the L2TP Server;
    • Enable IPsec over L2TP;
    • Set your desired IPsec PSK.
    Code:
    /interface l2tp-server server
    set enabled=yes
    set use-ipsec=required
    set ipsec-secret=<yourIPsecPSKhere>
  2. MikroTik will create IPsec Policies
    [Screenshot: Screen Shot 2019-07-26 at 2.34.03 PM.png, showing the IPsec Peers and IPsec Policies tabs]
    On the IPsec Peers tab, we can see that the Dynamic IPsec Peer (Phase 1) is active;
    likewise, on the IPsec Policies tab, we can see that the Dynamic IPsec Policy (Phase 2) is active.
  3. Create a VPN Address Pool for the Client Devices
    The commands below will:
    • Add the start & end addresses to hand out for the L2TP sessions;
    • Note: these IP addresses can be any address range, and I would recommend that they do not match an existing IP address range in the MikroTik.
    Code:
    /ip pool
    add name=pool1-L2TP_users ranges=10.0.7.2-10.0.7.14
  4. Create a VPN User Profile to apply to L2TP clients
    Notes:
    • Local Address acts as the Default Gateway for the L2TP Client. It can be:
      • The router's LAN IP address
      • A static entry from the pool
      • A dynamic selection from the pool itself
    Code:
    /ppp profile
    add name=profile1-L2TP_users local-address=10.0.7.1 remote-address=pool1-L2TP_users
    Still on this PPP Profile window:
    • If you go to the Protocols tab, you can adjust any protocols to suit.
    • On the Limits tab, you can set session timers & rate limits for clients: Session Timeout (maximum connection time), Idle Timeout (link termination after no activity), Rate Limit (connection speeds), and Only One (whether a user may have more than one connection).
    • Scripts on up and down, and many more.
  5. User Login Credentials
    [Screenshot: Screen Shot 2019-07-26 at 3.06.37 PM.png, showing the PPP Secret window]
    Notes:
    • Name & Password are the login details.
    • Select L2TP as the Service.
    • Profile is the profile to use for this user's login.
    Code:
    /ppp secret
    add name=Andy password=<yourVPNpassword> service=l2tp profile=profile1-L2TP_users
  6. Optionally: Check Firewall Rules
    Code:
    /ip firewall filter
    add chain=input action=accept protocol=udp dst-port=500,1701,4500 in-interface=ether1-GTW comment="L2TP/IPsec: IKE, L2TP, NAT-T"
    add chain=input action=accept protocol=ipsec-esp in-interface=ether1-GTW comment="L2TP/IPsec: ESP for clients not behind NAT"
  7. Our L2TP over IPsec Policy is now complete
I hope this tutorial works for you. I tested this on my live router in the datacenter and it worked very well for me 👍

If you have any questions or comments, feel free to post down below 🍻
 
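The steps above, collected into one RouterOS script with the order of operations that the CLI requires (pool and profile before the server that references them) and with the firewall rules scoped to the WAN interface. This is an added example, not the code from the post; it assumes the WAN interface is named ether1-GTW as in step 6, that the LAN behind the router is 192.168.88.0/24, and that the placeholder secrets are replaced before use.

```routeros
# Added example (not from the original post): complete L2TP/IPsec server setup
# for RouterOS v6.44+. Assumptions: WAN interface "ether1-GTW", LAN 192.168.88.0/24,
# VPN clients in 10.0.7.0/28. Replace every CHANGE-ME value before running.

# Step 3: address pool for clients, kept outside the LAN range so no proxy-arp is needed.
/ip pool add name=pool1-L2TP_users ranges=10.0.7.2-10.0.7.14

# Step 4: PPP profile. local-address is the clients' gateway; hand out the router as DNS.
# only-one=yes stops a single credential being used from several machines at once.
/ppp profile add name=profile1-L2TP_users local-address=10.0.7.1 \
    remote-address=pool1-L2TP_users dns-server=10.0.7.1 only-one=yes

# Step 5: one secret per person; do not share accounts.
/ppp secret add name=alice password="CHANGE-ME-user-password" service=l2tp \
    profile=profile1-L2TP_users

# Step 1: L2TP server. use-ipsec=required refuses plain L2TP, and limiting
# authentication to mschap2 keeps PAP/CHAP out of the tunnel.
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret="CHANGE-ME-long-random-PSK" authentication=mschap2 \
    default-profile=profile1-L2TP_users

# Step 6: firewall. IKE (500/udp) and NAT-T (4500/udp) from the WAN only,
# ESP for clients that are not behind NAT, and L2TP (1701/udp) only when it
# arrives inside an IPsec SA, so unencrypted L2TP from the Internet is dropped.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=ether1-GTW \
    comment="L2TP/IPsec: IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface=ether1-GTW \
    comment="L2TP/IPsec: ESP"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP only inside IPsec"
# Let connected clients reach the LAN and nothing else through the router.
add chain=forward action=accept src-address=10.0.7.0/28 dst-address=192.168.88.0/24 \
    comment="VPN clients to LAN"

# Checks after a client connects: phase 1, phase 2, and the PPP session.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/interface l2tp-server print
```

The filter rules are appended at the end of the chain, so on a router that already has drop rules in input or forward, move them above those drops (or add them with place-before=) or the handshake will never reach the server. The dynamic IPsec peer, identity and policy that step 2 describes are created by RouterOS itself once use-ipsec=required is set; nothing under /ip ipsec needs to be added by hand.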

dusandivic

New member
Hey Andy, I'm looking for a tutorial on L2TP/IPsec with all dynamic IPs. I'm new to networking and am struggling with it. Hope you could guide me a little; is this tutorial for me, or can you at least point me in the right direction? Thanks.
 

Andy

Administrator
> Hey Andy, I'm looking for a tutorial on L2TP/IPsec with all dynamic IPs. I'm new to networking and am struggling with it. Hope you could guide me a little; is this tutorial for me, or can you at least point me in the right direction? Thanks.
Hi Dusan,

Sure, I'd be happy to help 👍
Just tell me about your topology and elaborate more on what you are trying to achieve here 🤷‍♂️

Talk soon,
Andy
 

dusandivic

New member
> Hi Dusan,
>
> Sure, I'd be happy to help 👍
> Just tell me about your topology and elaborate more on what you are trying to achieve here 🤷‍♂️
>
> Talk soon,
> Andy
Yeah, so my job is to create an L2TP connection between three MikroTik locations. My problem is that the ISP is giving me a dynamic WAN address on all three. How would I solve that?
 

Andy

Administrator
> Yeah, so my job is to create an L2TP connection between three MikroTik locations. My problem is that the ISP is giving me a dynamic WAN address on all three. How would I solve that?
If it's L2TP/IPsec, I assume you will use it for Client-Router connections.

In that case, I would recommend having a look at the IP -> Cloud feature, then tick the DDNS Enabled option. That will give you a permanent hostname (provided officially by MikroTik), and RouterOS will automatically keep it updated with your dynamic IP for you.

So you can have a permanent address to connect to; the hostname will be something like xxxxxxxxxxxx.sn.mynetname.net, which can be very useful when you want to connect to your router with a dynamic IP address.

I hope this works for you 👍
 

Anton

Member
Hi Andy, the VPN is connected and I can ping the router, but there is no access/ping to the rest of the local network.

RouterOS v6.45.5
 

Anton

Member
Thank you, Andy.
I just solved the ping problem by adding proxy-arp to the LAN interface. But I still can't access the shared local folder.
 

Andy

Administrator
> Thank you, Andy.
> I just solved the ping problem by adding proxy-arp to the LAN interface. But I still can't access the shared local folder.
Can you elaborate more on the way you access your shared local folder? Is that through a UNC path? 🧐
 

Andy

Administrator
> Yes it is, with "obtain automatically".
> I can open any web config but not the shared folder.
Have you checked whether there's a firewall on the file server (such as Windows Firewall)?
Can you ping the file server?
 

Andy

Administrator
> Hello Andy,
> Can you help me? In the past few days I have tried to configure an L2TP server on a MikroTik 6.45 CHR (on AWS EC2), but the client cannot connect.
> Thank you....
>
> (I tried to follow the tutorial here: https://saputra.org/threads/mikrotik-l2tp-over-ipsec-vpn-server-tutorial-guide-for-routeros-v6-44.106 )
Hi Rony,

That error pops up when your system is not properly set up to connect to an L2TP server, so the connection attempt fails even before you establish a connection with the server.

It is also linked to an incorrect configuration of your operating system, Windows 10 in this case: this generic error is thrown when the IPsec negotiation fails for L2TP/IPsec connections.

The first thing I would do is disable the AWS EC2 firewall and make sure all ports are being passed through to your MikroTik CHR instance 👍

Ensure that the pre-shared key is correct as well 🧐

Don't hesitate to let me know if you need further assistance 😉
 

Hav0c

Member
Hello there,
So after reading 1, 2, 3, 4, 5 and this article, something keeps blocking me.
Below is the code that I used.
Code:
/ip pool add name=vpn-pool ranges=192.168.1.15-192.168.1.20
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn-pool dns-server=192.168.1.254
/interface l2tp-server server set enabled=yes authentication=mschap1,mschap2,chap default-profile=ipsec_vpn use-ipsec=yes
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret=<SUPPERSECUREPASSWORD> peer=l2tpserver
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-128-cbc,aes-256-cbc,aes-128-ctr pfs-group=modp1024
/ppp secret add name=<YOURVPNNAME> password=<YOURVPNPASSWORD> service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
This article's code:
Code:
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret=<SUPPERSECUREPASSWORD>
/ip pool add name=vpn_pool ranges=192.168.1.15-192.168.1.20
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn_pool
/ppp secret add name=<YOURVPNNAME> password=<YOURVPNPASSWORD> service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
RouterOS 6.45.6 (Stable)
What happens is that the connection is made; the client's LOCAL IP is 192.168.88.2, and it gets the IP 192.168.1.20 from the remote router. The DNS is the remote router's IP, 192.168.1.254.
When I do a tracert to the remote router's IP, the trace works.
When I do a tracert to the remote router's WAN IP, the trace works.
The issue is that I cannot access anything on the remote side...
Suggestions on what to look at?
 
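Anton's reply earlier in the thread reports that adding proxy-arp to the LAN interface restored reachability from VPN clients to LAN hosts, and Hav0c's pool (192.168.1.15-192.168.1.20) sits inside the LAN subnet, which is exactly the layout where LAN hosts ARP for client addresses that only the router can answer. The following is an added example, not code from the thread, showing that fix beside the tutorial's alternative of a separate VPN subnet; it assumes the LAN bridge is named bridge1 and the LAN is 192.168.1.0/24.

```routeros
# Added example (not from the thread): two ways to make LAN hosts reachable
# from L2TP clients. Assumptions: LAN 192.168.1.0/24 on bridge "bridge1".

# Option A: the VPN pool is inside the LAN subnet (192.168.1.15-192.168.1.20).
# LAN hosts will ARP for those addresses on the wire; the router must answer
# on the clients' behalf. This is the proxy-arp change Anton reported.
/interface bridge set [ find name="bridge1" ] arp=proxy-arp

# Option B: the VPN pool is its own subnet, as in the tutorial (10.0.7.0/28).
# The router routes between the dynamic L2TP interfaces and the LAN, so no
# proxy-arp is needed; only the forward chain must permit the traffic, and it
# is kept narrow so VPN users reach the LAN and nothing else.
/ip pool add name=pool1-L2TP_users ranges=10.0.7.2-10.0.7.14
/ppp profile set [ find name="ipsec_vpn" ] local-address=10.0.7.1 \
    remote-address=pool1-L2TP_users dns-server=192.168.1.254
/ip firewall filter add chain=forward action=accept src-address=10.0.7.0/28 \
    dst-address=192.168.1.0/24 comment="L2TP clients to LAN" place-before=0

# Checks once a client is connected: each user appears as a dynamic interface,
# a /32 route to the client address is installed, and the ARP table shows
# whether the router is answering for client addresses (Option A).
/interface l2tp-server print
/ip route print
/ip arp print where interface="bridge1"
```

Pick one option, not both. With Option B the forward rule is only needed if the forward chain already contains drop rules; place-before=0 puts it ahead of them. Either way, a host that answers ping but not file sharing is usually filtering on the host itself, which matches Andy's question to Anton about a firewall on the file server.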