Setup MikroTik as L2TP/IPsec Dial-in VPN Server with all traffics are being routed

Andy

Administrator
Here we will be configuring a dial-in VPN using L2TP with IPsec.

In this example, we will be using 192.168.7.0/24 for the L2TP clients and for the LAN.

The configuration will detail the following:
  • Enable L2TP server
  • Create a DHCP pool
  • Create an L2TP profile
  • Create a sample user
  • Configure IPsec Peer and Proposal
  • Create firewall input rule to accept the L2TP connections
  • Configure connectivity between dial-in-clients and LAN
Enable L2TP server
Code:
/interface l2tp-server server
set enabled=yes
DHCP Pool and L2TP profile
Next, we will create a PPP profile which will be used when we create our users.

Here we select the IP used by the router as well as selecting a pool which we will also configure to give out the address to our dial-in VPN users. Be sure not to include the IP you the router (local IP) in the DHCP range which is created in the pool.
Code:
/ip pool
add name=dialin_pool1 ranges=192.168.7.100-192.168.7.199

/ppp profile
add bridge=<your-LAN-bridge> local-address=192.168.7.1 name=dialin remote-address="dialin_pool1"
Create user
'Secrets' is where we create our users. Here we will create the user and password as well as selecting our profile created earlier.
Code:
/ppp secret
add name=test password=test profile=dialin service=l2tp
IPsec peer and proposal
This is the IPsec part of the setup and the peer and proposal are configured here.

For the IPsec proposal, we can just use the default one, but if you are unsure, enter the command below:
Code:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
Code:
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override secret=<your-L2TP-Preshared-Key-here>
Hint: by using port-override, the IPsec phase 2 will be automatically generated by the MikroTik router.

Firewall rules
Here we create the firewall rules to accept the L2P connection from our dial-in VPN users. In our example these connections are coming in over the PPPoE interface.
Code:
/ip firewall filter
add action=accept chain=input comment="L2TP accept ISAKMP/IKE" dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="L2TP accept IPsec NAT Traversal" dst-port=4500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="L2TP accept L2TP" dst-port=1701 in-interface=pppoe-out1 protocol=udp
Connectivity between dial-in clients and LAN

The connection between dial-in VPN clients and the LAN can be done by either using proxy arp or by routing.
  • Routing
    This does not require any configuration as the router will naturally route between connected subnets.
    The only thing to remember here is to have a different subnet for the dial-in VPN clients to the LAN.
  • Proxy arp
    Here we set proxy-arp on LAN Bridge.
    The LAN and L2TP clients use the same subnet.
Code:
/interface bridge
add arp=proxy-arp name=bridge-dialin

/ip address
add address=192.168.7.1/24 interface=bridge-dialin network=192.168.7.0
I tested this on my live office router (RouterOS v6.43.12), and it worked very well for me without having to do the last part :)
This configuration can be used on top of your existing network without breaking or conflicting with your other config, so this is pretty safe to implement.
 
Top