Here we will be configuring a dial-in VPN using L2TP with IPsec.
I tested this on my live office router (RouterOS v6.43.12), and it worked very well for me without having to do the last part.
Update 26/07/2019: If you're using RouterOS v6.44 or above, please click here for the new way of implementing L2TP/IPsec.
In this example, we will be using 192.168.7.0/24 for the L2TP clients and for the LAN.
The configuration will detail the following:
- Enable L2TP server
- Create a DHCP pool
- Create an L2TP profile
- Create a sample user
- Configure IPsec Peer and Proposal
- Create firewall input rule to accept the L2TP connections
- Configure connectivity between dial-in-clients and LAN
Code:
/interface l2tp-server server
set enabled=yes
DHCP Pool and L2TP profile
Next, we create a PPP profile which will be used when we create our users.
Here we select the IP used by the router (local-address) as well as a pool which we also configure to hand out addresses to our dial-in VPN users. Be sure not to include the router's own IP (the local-address) in the range that is created in the pool, otherwise a client can be assigned the router's address.
Code:
/ip pool
add name=dialin_pool1 ranges=192.168.7.100-192.168.7.199
/ppp profile
add bridge=<your-LAN-bridge> local-address=192.168.7.1 name=dialin remote-address="dialin_pool1"
Create user
'Secrets' is where we create our users. Here we create the user and password as well as selecting the profile created earlier. The name and password below are placeholders: use a long, unique password per user, since the PPP login is the only per-user secret (the IPsec pre-shared key is shared by every client).
Code:
/ppp secret
add name=test password=test profile=dialin service=l2tp
IPsec peer and proposal
This is the IPsec part of the setup and the peer and proposal are configured here.
For the IPsec proposal (phase 2), we can just use the default one, but if you are unsure, enter the command below. It sets the default proposal to AES-128-CBC plus 3DES; 3DES is only there for legacy clients, so drop it if all of your clients support AES:
Code:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
Next the peer (phase 1). The address 0.0.0.0/0 means any client may connect with this one pre-shared key, so make it long and random:
Code:
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override secret=<your-L2TP-Preshared-Key-here>
Hint: by using generate-policy=port-override, the IPsec phase 2 policy is automatically generated by the MikroTik router for each connecting client. This peer syntax is for RouterOS v6.43 and earlier; v6.44 moved the secret into /ip ipsec identity (see the update note above).
Firewall rules
Here we create the firewall rules to accept the L2TP connection from our dial-in VPN users. In our example these connections are coming in over the PPPoE interface. Place these rules above any drop rule in the input chain. If you want to be strict, the udp/1701 rule can additionally be limited to traffic that arrived inside IPsec by adding the matcher ipsec-policy=in,ipsec, so that unencrypted L2TP is never accepted.
Code:
/ip firewall filter
add action=accept chain=input comment="L2TP accept ISAKMP/IKE" dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="L2TP accept IPsec NAT Traversal" dst-port=4500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="L2TP accept L2TP" dst-port=1701 in-interface=pppoe-out1 protocol=udp
Connectivity between dial-in clients and LAN
The connection between dial-in VPN clients and the LAN can be done by either using proxy arp or by routing.
- Routing
This does not require any configuration as the router will naturally route between connected subnets.
The only thing to remember here is to use a different subnet for the dial-in VPN clients than for the LAN.
- Proxy arp
Here we set proxy-arp on the LAN bridge.
The LAN and L2TP clients use the same subnet.
Code:
/interface bridge
add arp=proxy-arp name=bridge-dialin
/ip address
add address=192.168.7.1/24 interface=bridge-dialin network=192.168.7.0
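As an added example (not part of the original post), the script below renders the same RouterOS v6.43-style commands the post uses and mechanically applies the two constraints the text only states in prose: the router's local-address must lie outside the client pool, and the pool must sit inside the LAN subnet. The default values mirror the post (192.168.7.0/24, pool .100-.199, pppoe-out1). The weak-cipher warning, the short-PSK warning and the ipsec-policy=in,ipsec matcher on the udp/1701 rule are my own hardening additions and are assumptions, not something the post configures.

```python
"""Render and sanity-check an L2TP/IPsec dial-in config for RouterOS v6.43.

Added example, not code from the original post. Syntax follows the post;
the checks and the hardening options are assumptions of this example.
"""
import ipaddress
import secrets
from dataclasses import dataclass

# Legacy phase 2 ciphers that should only be kept for clients unable to do AES.
WEAK_ENC = {"3des", "des", "null"}


@dataclass
class DialinConfig:
    lan_subnet: str = "192.168.7.0/24"    # LAN and L2TP clients share it (proxy-arp variant)
    local_address: str = "192.168.7.1"    # router side of every PPP link
    pool_start: str = "192.168.7.100"
    pool_end: str = "192.168.7.199"
    wan_interface: str = "pppoe-out1"
    lan_bridge: str = "bridge-dialin"
    enc_algorithms: tuple = ("aes-128-cbc",)
    psk: str = ""                         # empty -> a random key is generated
    require_ipsec_for_l2tp: bool = True   # assumption: reject bare L2TP on udp/1701


def check(cfg: DialinConfig) -> list:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    net = ipaddress.ip_network(cfg.lan_subnet, strict=True)
    local = ipaddress.ip_address(cfg.local_address)
    start = ipaddress.ip_address(cfg.pool_start)
    end = ipaddress.ip_address(cfg.pool_end)
    if local not in net:
        problems.append(f"local-address {local} is not inside {net}")
    if start > end:
        problems.append(f"pool range {start}-{end} is reversed")
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not inside {net}")
    if start <= local <= end:
        problems.append(f"local-address {local} must not be inside the pool {start}-{end}")
    weak = WEAK_ENC.intersection(a.lower() for a in cfg.enc_algorithms)
    if weak:
        problems.append(f"weak IPsec phase 2 ciphers in proposal: {', '.join(sorted(weak))}")
    if cfg.psk and len(cfg.psk) < 20:
        problems.append("pre-shared key is short; every client shares it, so use a long random one")
    return problems


def render(cfg: DialinConfig) -> str:
    """Emit the RouterOS commands from the post for this config, or raise on inconsistency."""
    problems = check(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    psk = cfg.psk or secrets.token_urlsafe(32)
    l2tp_match = f"dst-port=1701 in-interface={cfg.wan_interface} protocol=udp"
    if cfg.require_ipsec_for_l2tp:
        # Only accept L2TP that arrived inside an IPsec SA (hardening, not in the post).
        l2tp_match += " ipsec-policy=in,ipsec"
    return "\n".join([
        "/interface l2tp-server server",
        "set enabled=yes",
        "/ip pool",
        f"add name=dialin_pool1 ranges={cfg.pool_start}-{cfg.pool_end}",
        "/ppp profile",
        f"add bridge={cfg.lan_bridge} local-address={cfg.local_address} "
        "name=dialin remote-address=dialin_pool1",
        "/ip ipsec proposal",
        f"set [ find default=yes ] enc-algorithms={','.join(cfg.enc_algorithms)}",
        "/ip ipsec peer",
        f'add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override secret="{psk}"',
        "/ip firewall filter",
        f'add action=accept chain=input comment="L2TP accept ISAKMP/IKE" dst-port=500 '
        f"in-interface={cfg.wan_interface} protocol=udp",
        f'add action=accept chain=input comment="L2TP accept IPsec NAT Traversal" dst-port=4500 '
        f"in-interface={cfg.wan_interface} protocol=udp",
        f'add action=accept chain=input comment="L2TP accept L2TP" {l2tp_match}',
    ])


if __name__ == "__main__":
    print(render(DialinConfig()))
```

Paste the output into the RouterOS terminal; the user secrets from the post are added separately with /ppp secret, one per user.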
This configuration can be used on top of your existing network without breaking or conflicting with your other config, so this is pretty safe to implement.