Setup MikroTik as L2TP/IPsec Dial-in VPN Server with all traffics are being routed

Andy

Administrator
Creative Team
User ID
1
Joined
7 Jan 2019
Messages
1,111
Reaction score
56
Points
48
Here we will be configuring a dial-in VPN using L2TP with IPsec.
Update 26/07/2019: If you're using RouterOS v6.44 or above, please click here for the new way of implementing L2TP/IPsec.

In this example, we will be using 192.168.7.0/24 for the L2TP clients and for the LAN.

The configuration will detail the following:
  • Enable L2TP server
  • Create a DHCP pool
  • Create an L2TP profile
  • Create a sample user
  • Configure IPsec Peer and Proposal
  • Create firewall input rule to accept the L2TP connections
  • Configure connectivity between dial-in-clients and LAN
Enable L2TP server
Code:
/interface l2tp-server server
set enabled=yes

DHCP Pool and L2TP profile
Next, we will create a PPP profile which will be used when we create our users.

Here we select the IP used by the router as well as selecting a pool which we will also configure to give out the address to our dial-in VPN users. Be sure not to include the IP you the router (local IP) in the DHCP range which is created in the pool.
Code:
/ip pool
add name=dialin_pool1 ranges=192.168.7.100-192.168.7.199

/ppp profile
add bridge=<your-LAN-bridge> local-address=192.168.7.1 name=dialin remote-address="dialin_pool1"

Create user
'Secrets' is where we create our users. Here we will create the user and password as well as selecting our profile created earlier.
Code:
/ppp secret
add name=test password=test profile=dialin service=l2tp

IPsec peer and proposal
This is the IPsec part of the setup and the peer and proposal are configured here.

For the IPsec proposal, we can just use the default one, but if you are unsure, enter the command below:
Code:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
Code:
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override secret=<your-L2TP-Preshared-Key-here>
Hint: by using port-override, the IPsec phase 2 will be automatically generated by the MikroTik router.

Firewall rules
Here we create the firewall rules to accept the L2P connection from our dial-in VPN users. In our example these connections are coming in over the PPPoE interface.
Code:
/ip firewall filter
add action=accept chain=input comment="L2TP accept ISAKMP/IKE" dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="L2TP accept IPsec NAT Traversal" dst-port=4500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="L2TP accept L2TP" dst-port=1701 in-interface=pppoe-out1 protocol=udp

Connectivity between dial-in clients and LAN

The connection between dial-in VPN clients and the LAN can be done by either using proxy arp or by routing.
  • Routing
    This does not require any configuration as the router will naturally route between connected subnets.
    The only thing to remember here is to have a different subnet for the dial-in VPN clients to the LAN.
  • Proxy arp
    Here we set proxy-arp on LAN Bridge.
    The LAN and L2TP clients use the same subnet.
Code:
/interface bridge
add arp=proxy-arp name=bridge-dialin

/ip address
add address=192.168.7.1/24 interface=bridge-dialin network=192.168.7.0
I tested this on my live office router (RouterOS v6.43.12), and it worked very well for me without having to do the last part :)
This configuration can be used on top of your existing network without breaking or conflicting with your other config, so this is pretty safe to implement.
 
Not working on v6.44.3...
This line is not valid...
/ip ipsec peer add address="0.0.0.0/0" exchange-mode="main-l2tp" generate-policy="port-override" secret=XXXXXXXXXXXXX
 
Not working on v6.44.3...
This line is not valid...
/ip ipsec peer add address="0.0.0.0/0" exchange-mode="main-l2tp" generate-policy="port-override" secret=XXXXXXXXXXXXX
Hi @vdias,

Upon reviewing the MikroTik changelog, I believe that was caused by the major changes that's implemented on the version v6.44

What's new in 6.44 (2019-Feb-25 14:11):

MAJOR CHANGES IN v6.44:
----------------------
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);
!) ipsec - added new "identity" menu with common peer distinguishers;
!) ipsec - removed "main-l2tp" exchange-mode, it is the same as "main" exchange-mode;
!) ipsec - removed "users" menu, XAuth user configuration is now handled by "identity" menu;
!) radius - initial implementation of RadSec (RADIUS communication over TLS);
!) speedtest - added "/tool speed-test" for ping latency, jitter, loss and TCP and UDP download, upload speed measurements (CLI only);
----------------------

I personally not on the MikroTik stable release tree, but I only use long-term release tree. Try to use this command instead and see if it works:
Code:
/ip ipsec peer add address="0.0.0.0/0" exchange-mode="main" generate-policy="port-override" secret=XXXXXXXXXXXXX

Cheers 🍻
 
[vdias@Router-Core] > /ip ipsec peer add address="0.0.0.0/0" exchange-mode="main"
comment copy-from disabled local-address name passive port profile send-initial-contact


No "secret" or "generate-policy" available...
 
Last edited:
[vdias@Router-Core] > /ip ipsec peer add address="0.0.0.0/0" exchange-mode="main"
comment copy-from disabled local-address name passive port profile send-initial-contact


No "secret" or "generate-policy" available...

Try to disable the "use-ipsec" option under L2TP server settings. Make sure you have only one static IPsec peer for 0.0.0.0/0 and exchange-mode=main. Assign multiple identities for this peer with different pre-shared-key secrets. Lastly, make sure only IPsec encrypted traffic is allowed for L2TP traffic.

You can't mix the "use-ipsec" option under L2TP settings with static IPsec configuration. The L2TP setting will take precedence over all static configuration. So you either go with the dynamic configuration or the static only.

On RouterOS v6.44 we configure the IPsec secret for L2TP in PPP -> L2TP Server 👍
Simply set Use IPsec to 'required' and fill in your IPsec secret there.

Have a look at the screenshot down below:
Screen Shot 2019-07-19 at 10.13.38 AM.png
 
What are the advantages of using MikroTik as a VPN server over other options?
Well, there are several advantages of using MikroTik as a VPN server over other options:
  • Cost-effective: MikroTik routers are known for their cost-effectiveness as they provide many features at a lower cost compared to other brands.
  • High performance: MikroTik routers are known for their high performance and can handle many VPN connections.
  • Flexibility: MikroTik routers support a variety of VPN protocols, such as PPTP, L2TP, OpenVPN, and WireGuard, which allows for more flexibility in terms of choosing the suitable protocol for your needs.
  • Easy to configure: In addition to Winbox, MikroTik routers have a user-friendly web interface that makes configuring a VPN server relatively easy, even for those with limited networking experience.
  • Scalability: MikroTik routers can be easily scaled to accommodate more users as your business grows.
  • Advanced Features: MikroTik routers support advanced features such as hotspot, hotspot gateway, hotspot billing, hotspot portal, hotspot user management, hotspot voucher, and hotspot walled garden.
  • Firewall: MikroTik RouterOS has a built-in firewall feature, which allows you to secure your VPN server and protect it from unauthorized access.
    Quality of Service: MikroTik RouterOS has a built-in Quality of Service (QoS) feature, which allows you to prioritize bandwidth for different types of traffic, such as VPN traffic, to ensure that your VPN users have a better experience.
 
Thanks for sharing this detailed guide on setting up a MikroTik as L2TP/IPsec Dial-in VPN server. This is a great resource for those looking to set up their own VPN server.

I have a few questions if you don't mind:
  • How do you handle security and authentication for the L2TP clients?
  • How does the configuration handle traffic routing for the L2TP clients?
 
Regarding security and authentication for L2TP clients using MikroTik, a few steps can be taken to ensure a secure connection. One option is configuring a username and password for each L2TP client, which can be done through the MikroTik RouterOS. Additionally, you can use the MikroTik Firewall to implement security measures such as access lists and connection limits to control which clients can connect to the L2TP server.

For traffic routing, the MikroTik RouterOS allows you to configure different routing options for L2TP clients. One option is to use the built-in MikroTik routing capabilities to route traffic based on IP address or subnet. Another option is to use a dynamic routing protocol such as OSPF or BGP to route traffic for L2TP clients dynamically. Additionally, you can also use the MikroTik RouterOS to configure policy-based routing, which allows you to define routing policies based on different criteria such as IP address, protocol, or interface.

It's important to note that the L2TP protocol is not considered a secure protocol. I'd recommend using it with other security protocols, such as IPsec to encrypt the data.
 
 Short URL:
Back
Top