Setup MikroTik as L2TP/IPSec VPN Server

Andy

Administrator
This is a brief guide on how to implement an L2TP/IPSec VPN server on MikroTik RouterOS and use it as a gateway.
Change these to fit your setup:
  • This router’s local IP address: 172.31.1.1/20
  • WAN connection is PPPoE with the name ether1-GTW.
    If you use PPPoE, use the name of your PPPoE connection. If you use static configuration or DHCP client as WAN, use the name of that interface.
  • Pool name for VPN clients is vpn-pool and gives addresses 172.31.2.1-172.31.2.9
  • VPN profile: vpn-profile
  • VPN username: remoteuser
  • VPN password: yourpassword
  • L2TP secret: yourl2tpsecret
Remember that it’s always a good practice to use a strong password and secret.
Let’s create a pool of addresses that VPN clients will get once connected:

/ip pool add name=vpn-pool ranges=172.31.2.1-172.31.2.9

Then create a VPN profile that will determine the IP addresses of the
router, VPN clients, and DNS server. You can set it to be outside of
the local subnet, but make sure that your firewall allows the
connection:

/ppp profile add change-tcp-mss=yes local-address=172.31.1.1 name=vpn-profile remote-address=vpn-pool dns-server=172.31.1.1 use-encryption=yes

We can now create VPN users:

/ppp secret add name="remoteuser" password="yourpassword" profile=vpn-profile service=any

Configure IPSec settings, i.e. encryption standards, L2TP secret, who can connect, NAT traversal:

/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des


Now that everything is in place, we can simply enable the VPN server and choose the right profile:

/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes

If you have a firewall rule that blocks all traffic, you can add these additional rules to allow L2TP/IPSec to pass through the WAN
interface:

/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=ether1-GTW protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=ether1-GTW protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=ether1-GTW protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=ether1-GTW protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=ether1-GTW protocol=ipsec-ah


[Optional Configurations]
To use MikroTik VPN Server as Gateway so the VPN clients will have MikroTik’s public IP, you can simply masquerade:

/ip firewall nat add chain=srcnat out-interface=ether1-GTW action=masquerade

Allow DNS Remote Requests:

/ip dns set allow-remote-requests=yes

I tested this on Amazon Elastic Compute Cloud (EC2), using a t2.micro instance, and it worked perfectly fine for me.

I hope this guide works for you, feel free to post any questions or comments down below.

–––

I have created a simpler configuration for a similar purpose with all traffic being routed, click here to go to the new thread.
 

pravyroxor

New member
Hi Andy, my setup of the L2TP/IPSec tunnel is very similar to yours, but I'm unable to reach the computers in the LAN subnet. My VPN pool is in a different subnet than the LAN network. The VPN connection is established, but I can only ping the router's IP.
/ip pool
add comment=VPN name=l2tp-pool ranges=172.19.190.200,172.19.190.250
/ip address
add address=172.19.187.3/24 comment=defconf interface=bridge network=172.19.187.0
/ppp profile
add change-tcp-mss=yes dns-server=172.19.187.3,172.19.187.10 local-address=\
172.19.187.3 name=l2tp-ipsec remote-address=l2tp-pool
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=l2tp-ipsec enabled=yes \
ipsec-secret=xxxxxx use-ipsec=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024
/interface bridge
add admin-mac=xxxxxx arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
Where could the problem be? If I set up an IP address for the remote user in the same subnet as the local LAN, I can ping and connect to all IPs. My LAN subnet is almost full, so I would like to separate the VPN pool segment into a different subnet.