MikroTik L2TP over IPsec VPN Server Tutorial Guide for RouterOS v6.44+

[Andy]

Hello there,
So after reading 1, 2, 3, 4, 5 and this article and something keeps blocking me
Below the code that I used

/ip pool add name=vpn-pool ranges=192.168.1.15-192.168.1.20
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn-pool dns-server=192.168.1.254
/interface l2tp-server server set enabled=yes authentication=mschap1,mschap2,chap default-profile=ipsec_vpn use-ipsec=yes
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret=<SUPPERSECUREPASSWORD> peer=l2tpserver
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-128-cdc,aes-256-cdc,aes-128-ctr pfs-group=modp1024
/ppp secret add name=<YOURVPNNAME> password=<YOURVPNPASSWORD> service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"

This article code

/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret=<SUPPERSECUREPASSWORD>
/ip pool add name=vpn_pool ranges=192.168.1.15-192.168.1.20
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn_pool
/ppp secret add name=<YOURVPNNAME> password=<YOURVPNPASSWORD> service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"

RouterOS 6.45.6 (Stable)
What happens is that the connection is made, the Client LOCAL ip is 192.168.88.2 and it gets the IP of 192.168.1.20 from the Remote Router the DNS is the Remote Routers IP of 192.168.1.254
When I do a tracert to the Remote Routers IP the trace works
When I do a tracert to the Remote Routers WAN IP the trace works
The Issue is that i cannot accesses anything on the Remote side...
Suggestions to look at ?

Hi @Hav0c,

Can you ping 192.168.1.254 and see you get any response?
And also try to ping the other devices on the remote network.

Check if there's any other firewall rule that overrides the IPsec rules?

 

[Hav0c]

Hi @Andy
The two firewall rules

/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"

Are at rule order 0 and 1.
I have disabled all my drop rules same results connect but does not allow connection to shared folders.

All tests was done from Client side

Ping a PC on Remote network = Fail
Tracert Client router IP = Works
Tracert Clients WAN Gateway IP (Internet IP) = Shows Remote network router IP then Clients WAN Gateway IP
Ping Remote Networks WAN IP = Works
Tracert Remote WAN IP = Shows Clients network router IP then Remote WAN IP



UPDATE:
Out of frustration I defaulted all the router (2 Mikrotiks and 1 UBNT ERX) and used the default setup only all.
Added your examples script, connects but still does not allow me access to any shared files.
Defaulted all the router again used the default setup again added my UBNT ERX with IPSEC setup works 100% as should
So this concludes that something is not correct with the Mikrotiks even using default configs.

 

[Andy]

Hi @Andy
The two firewall rules

/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"

Are at rule order 0 and 1.
I have disabled all my drop rules same results connect but does not allow connection to shared folders.

All tests was done from Client side

Ping a PC on Remote network = Fail
Tracert Client router IP = Works
Tracert Clients WAN Gateway IP (Internet IP) = Shows Remote network router IP then Clients WAN Gateway IP
Ping Remote Networks WAN IP = Works
Tracert Remote WAN IP = Shows Clients network router IP then Remote WAN IP



UPDATE:
Out of frustration I defaulted all the router (2 Mikrotiks and 1 UBNT ERX) and used the default setup only all.
Added your examples script, connects but still does not allow me access to any shared files.
Defaulted all the router again used the default setup again added my UBNT ERX with IPSEC setup works 100% as should
So this concludes that something is not correct with the Mikrotiks even using default configs.

I doubt that, you could try downgrading your Router OS to v6.44.5 (use the long-term branch update tree)

You can downgrade by uploading the Router OS to the router and then use the following commands:

/system package downgrade; /system reboot;
Reboot, yes? [y/N]:

 

[DAT]

Hi @Andy
i have this topology to deploy and not bin able to work since this morning please can u assist?
Mikrotik 6.45

 

[Hav0c]

I doubt that, you could try downgrading your Router OS to v6.44.5 (use the long-term branch update tree)

You can downgrade by uploading the Router OS to the router and then use the following commands:

/system package downgrade; /system reboot;
Reboot, yes? [y/N]:

So did what was asked and rolled back the Firmware to RouterOS v6.44.5 LTS

Attempt 2

/ppp profile add name=ipsec_vpn local-address=192.168.1.254 dns-server=192.168.1.254
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2,chap
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret=Test peer=l2tpserver
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
/ppp secret add name=Test password=password service=l2tp profile=ipsec_vpn remote-address=192.168.1.15
/ip firewall filter add chain=input action=accept protocol=udp port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"

Attempt 2

/interface l2tp-server server set enabled=yes authentication=mschap1,mschap2,chap use-ipsec=required ipsec-secret=Test
/ip pool add name=vpn_pool ranges=192.168.1.2-192.168.1.5 comment="L2TP VPN IP Pool"
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn_pool
/ppp secret add name=Test password=password service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"

Site A; RB 750
Site B; Hex lite RB 750r2
"internet"; ERX

ALL 3 routers are defaulted nothing but the IPs was changed.
After IPs was changed, the routers were rebooted.
On site B the above script was run. Rebooted to make sure that settings stick.
Try to connect; The connection was made successfully.

On site A the above script was run but the IPs changed to the relevant IP ranges of Site B. Rebooted to make sure that settings stick
Try to connect; The connection is made successfully.

In both cases none of the shared folders can be accessed.


Factory defaulted both the Mikrotiks.
Change only ONEs IP to represent the "internet"
setup IPSEC on the ERX (Site A) connect from Site B and all works, can access the shared folders and all.

This is getting really really frustrating

 

[Andy]

So did what was asked and rolled back the Firmware to RouterOS v6.44.5 LTS

Attempt 2

/ppp profile add name=ipsec_vpn local-address=192.168.1.254 dns-server=192.168.1.254
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2,chap
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret=Test peer=l2tpserver
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
/ppp secret add name=Test password=password service=l2tp profile=ipsec_vpn remote-address=192.168.1.15
/ip firewall filter add chain=input action=accept protocol=udp port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"

Attempt 2

/interface l2tp-server server set enabled=yes authentication=mschap1,mschap2,chap use-ipsec=required ipsec-secret=Test
/ip pool add name=vpn_pool ranges=192.168.1.2-192.168.1.5 comment="L2TP VPN IP Pool"
/ppp profile add name=ipsec_vpn local-address=192.168.1.254 remote-address=vpn_pool
/ppp secret add name=Test password=password service=l2tp profile=ipsec_vpn
/ip firewall filter add action=accept chain=input protocol=udp dst-port=500,1701,4500 comment="Allow L2TP VPN (500,4500,1701/udp)"
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="Allow L2TP VPN (ipsec-esp)"

Site A; RB 750
Site B; Hex lite RB 750r2
"internet"; ERX

ALL 3 routers are defaulted nothing but the IPs was changed.
After IPs was changed, the routers were rebooted.
On site B the above script was run. Rebooted to make sure that settings stick.
Try to connect; The connection was made successfully.

On site A the above script was run but the IPs changed to the relevant IP ranges of Site B. Rebooted to make sure that settings stick
Try to connect; The connection is made successfully.

In both cases none of the shared folders can be accessed.


Factory defaulted both the Mikrotiks.
Change only ONEs IP to represent the "internet"
setup IPSEC on the ERX (Site A) connect from Site B and all works, can access the shared folders and all.

This is getting really really frustrating

If you can ping the remote computers without issues, check your Windows Firewall (you can also temporarily turn it off during troubleshooting to determine whether it's a Firewall issue, or IPsec tunnel issue)

Looking at your attached topology, kindly try to build a tunnel between 192.168.88.0/24 and 192.168.1.0/24 network directly and see how it goes?
So each router will have 2 IPsec tunnels.

 

[Hav0c]

If you can ping the remote computers without issues, check your Windows Firewall (you can also temporarily turn it off during troubleshooting to determine whether it's a Firewall issue, or IPsec tunnel issue)

Looking at your attached topology, kindly try to build a tunnel between 192.168.88.0/24 and 192.168.1.0/24 network directly and see how it goes?
So each router will have 2 IPsec tunnels.

Both sides Firewalls are off the whole time, do not have AV firewalls

Pinged the following from the PC/Laptop itself
Side A
192.168.88.15 --> (192.168.99.3 --> 192.168.99.2) internet : Works
192.168.88.15 --> 192.168.1.5: Fail

Side B
192.168.1.5--> ( 192.168.99.2 --> 192.168.99.3) internet : Works
192.168.1.5 --> 192.168.88.15: Fail

Pinged the following using the Mikrotik Ping tool
Side A
(192.168.99.3 --> 192.168.99.2) internet : Works
192.168.1.5 : Fail

Side B
( 192.168.99.2 --> 192.168.99.3) internet : Works
192.168.88.15: Fail


There will be only one IPsec tunnels from A to B.
Tried creating a tunnel from A to B and B to A both have the exact same results,
Connects gets the correct Remote IP and DNS(remote sides Gateway) but does not allow connection to the shared folders OR allow of pining the connected Side local PCs/Laptops

Just noted that I could upload my Configs.
There are no passwords neded to log into the routers.
Routers are 88.1 and 1.1
DHCP is enabled

ipsec-secret=Test
/ppp secret add name=Test password=password

 

[Andy]

Both sides Firewalls are off the whole time, do not have AV firewalls

Pinged the following from the PC/Laptop itself
Side A
192.168.88.15 --> (192.168.99.3 --> 192.168.99.2) internet : Works
192.168.88.15 --> 192.168.1.5: Fail

Side B
192.168.1.5--> ( 192.168.99.2 --> 192.168.99.3) internet : Works
192.168.1.5 --> 192.168.88.15: Fail

Pinged the following using the Mikrotik Ping tool
Side A
(192.168.99.3 --> 192.168.99.2) internet : Works
192.168.1.5 : Fail

Side B
( 192.168.99.2 --> 192.168.99.3) internet : Works
192.168.88.15: Fail


There will be only one IPsec tunnels from A to B.
Tried creating a tunnel from A to B and B to A both have the exact same results,
Connects gets the correct Remote IP and DNS(remote sides Gateway) but does not allow connection to the shared folders OR allow of pining the connected Side local PCs/Laptops

Just noted that I could upload my Configs.
There are no passwords neded to log into the routers.
Routers are 88.1 and 1.1
DHCP is enabled

ipsec-secret=Test
/ppp secret add name=Test password=password

Juat FYI — In MikroTik, there is no ipsec initiator. As long as you created ipsec on both router then it should work.

I'm currently not in town, will definitely have a look at your config later on this weekend.

If you could go to MikroTik Terminal and then type /export then copy paste the content here, that would be great. (Please remove sensitive information such as passwords, etc)

Cheers
Andy

 

[Hav0c]

Juat FYI — In MikroTik, there is no ipsec initiator. As long as you created ipsec on both router then it should work.

I'm currently not in town, will definitely have a look at your config later on this weekend.

If you could go to MikroTik Terminal and then type /export then copy paste the content here, that would be great. (Please remove sensitive information such as passwords, etc)

Cheers
Andy

Yes "it should" work. Think we all at one point in time uttered the line "it should work" but then it does not
As asked below are the two model I used to test the IPSEC configs with the same script

Spoiler: model = 750

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.5
add comment="L2TP VPN IP Pool" name=vpn_pool ranges=192.168.1.2-192.168.1.5
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=192.168.1.1 name=ipsec_vpn remote-address=vpn_pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 enabled=yes ipsec-secret=Test use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="Allow L2TP VPN (ipsec-esp)" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ppp secret
add name=Test password=password profile=ipsec_vpn service=l2tp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Spoiler: RouterBOARD 750 r2

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.5
add comment="L2TP VPN IP Pool" name=vpn_pool ranges=192.168.88.2-192.168.88.5
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=192.168.88.1 name=ipsec_vpn remote-address=vpn_pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 enabled=yes ipsec-secret=Test use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="Allow L2TP VPN (ipsec-esp)" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ppp secret
add name=Test password=password profile=ipsec_vpn service=l2tp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 

[Andy]

@Hav0c: I sent you a PM. Cheers

 

[fcserg]

Hi, Andy.
I found your article because I had trouble with L2TP/IPSec Mikrotik server in AWS. Everything seems clear, but Windows clients can't connect.
From IOS or MacOS everything is alright, but Win10 can't connect at all.
Maybe you can give advice about where to go?

Thanks.

 

[Andy]

Hi, Andy.
I found your article because I had trouble with L2TP/IPSec Mikrotik server in AWS. Everything seems clear, but Windows clients can't connect.
From IOS or MacOS everything is alright, but Win10 can't connect at all.
Maybe you can give advice about where to go?

Thanks.

Hi @fcserg,

Here's my L2TP/IPsec VPN setting on my Windows 10.

What's the error log on MikroTik says?

Cheers

 

[fcserg]

Hi, Andy.

And nothing more.

 

[Andy]

Hi, Andy.
View attachment 186
And nothing more.

Try rekeying your preshared key and make sure they're matched.

Do you have similar Windows 10 VPN configuration as mine above?

 

[fcserg]

Try rekeying your preshared key and make sure they're matched.

Do you have similar Windows 10 VPN configuration as mine above?

Of course, all the basic stuff I checked in the first thing.

As I said before, iOS client and MacOS client could connect without any troubles with the same login/password/psk combination.

 

[Andy]

Of course, all the basic stuff I checked in the first thing.

As I said before, iOS client and MacOS client could connect without any troubles with the same login/password/psk combination.

I had similar issue with yours before, it's a site-to-site tunnel and they're using the same key, the problem was one site works and another site doesn't work, I rekeyed and both now working fine. There must be a memory issue on the RouterOS.

By the way, what RouterOS version are you running?

 

[fcserg]

I had similar issue with yours before, it's a site-to-site tunnel and they're using the same key, the problem was one site works and another site doesn't work, I rekeyed and both now working fine. There must be a memory issue on the RouterOS.

By the way, what RouterOS version are you running?

It's 6.64.6, latest on CHR.

 

[Fatinizzati]

This is an updated tutorial from my previous RouterOS v6.43 L2TP/IPsec tutorial.
In RouterOS v6.44 there were major changes where they removed "main-l2tp" exchange-mode from the /ip ipsec peer.

But this means configuring L2TP/IPsec is even more simpler, just follow through my guide down below:

1. Create the L2TP Server
   The commands below will:
   • Enable the L2TP Server;
   • Enable IPsec over L2TP;
   • Set your desired IPsec PSK.

2. /interface l2tp-server server
   set enabled=yes
   set use-ipsec=required
   set ipsec-secret=<yourIPsecPSKhere>

3. MikroTik will create IPsec Policies
   View attachment 93
   On the IPsec Peers tab, we can see the Dynamic IPsec Peer (Phase 1) has been active;
   As well as on the IPsec Policies tab, we can see the Dynamic IPsec Policy (Phase 2) has been active.
4. Create a VPN Address Pool for the Client Devices
   The commands below will:
   • Add the start & end addresses to hand out for the L2TP sessions;
   • Note: These IP addresses can be any address range and I would recommend that they do not match existing IP address in the MikroTik.

5. /ip pool
   add name=pool1-L2TP_users ranges=10.0.7.2-10.0.7.14

6. Create a VPN User Profile to apply to L2TP clients
   Notes:
   • Local Address acts as Default Gateway for the L2TP Client.
     • Routers LAN IP Address
     • Pool Address Static Entry
     • Dynamic Selection from the Pool itself

7. /ppp profile
   add name=profile1-L2TP_users local-address=10.0.7.1 remote-address=pool1-L2TP_users

   Still on this PPP Profilewindow:
   • If you go to the Protocols tab, you can adjust any protocols to suit.
   • On the Limits tab, you can set session timers & rate limits for clients, set timeout - maximum connection time, idle timeout - link termination after no activity, rate limit connection speeds, only one - can user have more than 1 connection or not.
   • Scripts on up and down, and many more.
8. User Login Credentials
   View attachment 94
   Notes:
   • Name & Password are the login details.
   • Select L2TP as the Service
   • Profile to use for this users login.

9. /ppp secret
   add name=Andy password=<yourVPNpassword> service=l2tp profile=profile1-L2TP_users

10. Optionally: Check Firewall Rules
    

    /ip firewall filter
    add chain=input protocol=udp dst-port=500,1701,4500 in-interface=ether1-GTW

11. Our L2TP over IPsec Policy is now complete

I hope this tutorial works for you, I tested this on my live router on the datacenter (running RouterOS v6.44.6) and it worked very well for me

If you have any questions or comments, feel free to post down below

Hey Andy,

Would you like to help me on the issue to create dial up from mikrotik to FortiGate? i need to create VPN tunnel but my Fortigate is dont have dynamic only have private network.

Thanks,
Fatin

 

[Andy]

Hey Andy,

Would you like to help me on the issue to create dial up from mikrotik to FortiGate? i need to create VPN tunnel but my Fortigate is dont have dynamic only have private network.

Thanks,
Fatin

Hi @Fatinizzati,

Thanks for reaching out. Setting up a VPN tunnel between a MikroTik router and a FortiGate device, especially when dealing with a non-dynamic, private network on the FortiGate side, can be challenging but feasible.

Here's a step-by-step approach to help you get started:

1. Configure MikroTik for L2TP/IPsec VPN: Since you're already familiar with MikroTik, ensure your L2TP over IPsec VPN is properly set up on your MikroTik device. This involves creating an L2TP server, setting up IPsec, defining an IP pool for VPN clients, and creating user profiles.
2. FortiGate Configuration: On your FortiGate, you'll need to create a new IPsec tunnel. This involves specifying the peer IP (your MikroTik's public IP), setting up the phase 1 and phase 2 proposals, and defining your pre-shared key. Since your FortiGate is on a private network, ensure that NAT traversal is correctly configured to handle the private IP scenario.
3. Routing and Policies: On both MikroTik and FortiGate, set up necessary routing rules and firewall policies to allow traffic to flow through the VPN tunnel. Pay special attention to any NAT settings that might be needed, especially if you're dealing with a private IP on the FortiGate side.
4. Testing and Troubleshooting: After configuration, test the VPN tunnel by attempting to connect from a client on the MikroTik side. If you encounter issues, use the logging features on MikroTik and FortiGate to troubleshoot. Common issues might include mismatched IPsec settings or routing/firewall rules that need adjusting.

Remember, the specific steps can vary depending on your network setup and the versions of the devices. If you run into specific issues or need further guidance, feel free to provide more details, and I'll be happy to assist further.

Cheers!