Setup MikroTik as L2TP/IPsec Dial-in VPN Server with all traffics are being routed

Andy

Administrator
Here we will be configuring a dial-in VPN using L2TP with IPsec.
Update 26/07/2019: If you're using RouterOS v6.44 or above, please click here for the new way of implementing L2TP/IPsec.
In this example, we will be using 192.168.7.0/24 for the L2TP clients and for the LAN.

The configuration will detail the following:
  • Enable L2TP server
  • Create a DHCP pool
  • Create an L2TP profile
  • Create a sample user
  • Configure IPsec Peer and Proposal
  • Create firewall input rule to accept the L2TP connections
  • Configure connectivity between dial-in-clients and LAN
Enable L2TP server
Code:
/interface l2tp-server server
set enabled=yes
DHCP Pool and L2TP profile
Next, we will create a PPP profile which will be used when we create our users.

Here we select the IP used by the router as well as selecting a pool which we will also configure to give out the address to our dial-in VPN users. Be sure not to include the IP you the router (local IP) in the DHCP range which is created in the pool.
Code:
/ip pool
add name=dialin_pool1 ranges=192.168.7.100-192.168.7.199

/ppp profile
add bridge=<your-LAN-bridge> local-address=192.168.7.1 name=dialin remote-address="dialin_pool1"
Create user
'Secrets' is where we create our users. Here we will create the user and password as well as selecting our profile created earlier.
Code:
/ppp secret
add name=test password=test profile=dialin service=l2tp
IPsec peer and proposal
This is the IPsec part of the setup and the peer and proposal are configured here.

For the IPsec proposal, we can just use the default one, but if you are unsure, enter the command below:
Code:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
Code:
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override secret=<your-L2TP-Preshared-Key-here>
Hint: by using port-override, the IPsec phase 2 will be automatically generated by the MikroTik router.

Firewall rules
Here we create the firewall rules to accept the L2P connection from our dial-in VPN users. In our example these connections are coming in over the PPPoE interface.
Code:
/ip firewall filter
add action=accept chain=input comment="L2TP accept ISAKMP/IKE" dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="L2TP accept IPsec NAT Traversal" dst-port=4500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="L2TP accept L2TP" dst-port=1701 in-interface=pppoe-out1 protocol=udp
Connectivity between dial-in clients and LAN

The connection between dial-in VPN clients and the LAN can be done by either using proxy arp or by routing.
  • Routing
    This does not require any configuration as the router will naturally route between connected subnets.
    The only thing to remember here is to have a different subnet for the dial-in VPN clients to the LAN.
  • Proxy arp
    Here we set proxy-arp on LAN Bridge.
    The LAN and L2TP clients use the same subnet.
Code:
/interface bridge
add arp=proxy-arp name=bridge-dialin

/ip address
add address=192.168.7.1/24 interface=bridge-dialin network=192.168.7.0
I tested this on my live office router (RouterOS v6.43.12), and it worked very well for me without having to do the last part :)
This configuration can be used on top of your existing network without breaking or conflicting with your other config, so this is pretty safe to implement.
 

vdias

New member
Not working on v6.44.3...
This line is not valid...
/ip ipsec peer add address="0.0.0.0/0" exchange-mode="main-l2tp" generate-policy="port-override" secret=XXXXXXXXXXXXX
 

Andy

Administrator
Not working on v6.44.3...
This line is not valid...
/ip ipsec peer add address="0.0.0.0/0" exchange-mode="main-l2tp" generate-policy="port-override" secret=XXXXXXXXXXXXX
Hi @vdias,

Upon reviewing the MikroTik changelog, I believe that was caused by the major changes that's implemented on the version v6.44

What's new in 6.44 (2019-Feb-25 14:11):

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (RADIUS communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
----------------------
I personally not on the MikroTik stable release tree, but I only use long-term release tree. Try to use this command instead and see if it works:
Code:
/ip ipsec peer add address="0.0.0.0/0" exchange-mode="main" generate-policy="port-override" secret=XXXXXXXXXXXXX
Cheers 🍻
 

vdias

New member
[vdias@Router-Core] > /ip ipsec peer add address="0.0.0.0/0" exchange-mode="main"
comment copy-from disabled local-address name passive port profile send-initial-contact


No "secret" or "generate-policy" available...
 
Last edited:

Andy

Administrator
[vdias@Router-Core] > /ip ipsec peer add address="0.0.0.0/0" exchange-mode="main"
comment copy-from disabled local-address name passive port profile send-initial-contact


No "secret" or "generate-policy" available...
Try to disable the "use-ipsec" option under L2TP server settings. Make sure you have only one static IPsec peer for 0.0.0.0/0 and exchange-mode=main. Assign multiple identities for this peer with different pre-shared-key secrets. Lastly, make sure only IPsec encrypted traffic is allowed for L2TP traffic.

You can't mix the "use-ipsec" option under L2TP settings with static IPsec configuration. The L2TP setting will take precedence over all static configuration. So you either go with the dynamic configuration or the static only.

On RouterOS v6.44 we configure the IPsec secret for L2TP in PPP -> L2TP Server 👍
Simply set Use IPsec to 'required' and fill in your IPsec secret there.

Have a look at the screenshot down below:
Screen Shot 2019-07-19 at 10.13.38 AM.png
 
Top