Setup MikroTik as L2TP/IPSec VPN Server

[Andy]

This is a brief guide on how to implement an L2TP/IPSec VPN server on Mikrotik RouterOS and use it as a gateway.

Update 26/07/2019: If you're using RouterOS v6.44 or above, please click here for the new way of implementing L2TP/IPsec.

Change these to fit your setup:

• This router’s local IP address: 172.31.1.1/20
• WAN connection is PPPoE with the name ether1-GTW.
  If you use PPPoE, use the name of your PPPoE connection. If you use static configuration or DHCP client as WAN, use the name of that interface.
• Pool name for VPN clients is vpn-pool and gives addresses 172.31.2.1-172.31.2.9
• VPN profile: vpn-profile
• VPN username: remoteuser
• VPN password: yourpassword
• L2TP secret: yourl2tpsecret

Remember that it’s always a good practice to use a strong password and secret.
Let’s create a pool of addresses that VPN clients will get once connected:

/ip pool add name=vpn-pool ranges=172.31.2.1-172.31.2.9

Then create a VPN profile that will determine the IP addresses of the
router, VPN clients, and DNS server. You can set it to be outside of
the local subnet, but make sure that your firewall allows the
connection:

/ppp profile add change-tcp-mss=yes local-address=172.31.1.1 name=vpn-profile remote-address=vpn-pool dns-server=172.31.1.1 use-encryption=yes

We can now create VPN users:

/ppp secret add name="yourusername" password="yourpassword" profile=vpn-profile service=any

Configure IPSec settings, i.e. encryption standards, L2TP secret, who can connect, NAT traversal:

/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des

Now that everything is in place, we can simply enable the VPN server and choose the right profile:

/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes

If you have a firewall rule that blocks all traffic, you can add these additional rules to allow L2TP/IPSec to pass through the WAN
interface:

/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=ether1-GTW protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=ether1-GTW protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=ether1-GTW protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=ether1-GTW protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=ether1-GTW protocol=ipsec-ah

[Optional Configurations]
To use MikroTik VPN Server as Gateway so the VPN clients will have MikroTik’s public IP, you can simply masquerade:

/ip firewall nat add chain=srcnat out-interface=ether1-GTW action=masquerade

Allow DNS Remote Requests:

/ip dns set allow-remote-requests=yes

I tested this on Amazon Elastic Compute Cloud (EC2), using t2.micro instance and it worked perfectly fine for me.

I hope this guide works for you, feel free to post any questions or comments down below.

–––

I have created a simpler configuration for a similar purpose with all traffic being routed, click here to go to the new thread.

 

[pravyroxor]

Hi Andy, my setup of L2TP IPSec tunnel is very similar to your's, but I'm unable to reach the computers in LAN subnet. My VPN pool is in different subnet as LAN network. VPN connection is established, but I can only ping router's IP.

/ip pool
add comment=VPN name=l2tp-pool ranges=172.19.190.200,172.19.190.250
/ip address
add address=172.19.187.3/24 comment=defconf interface=bridge network=\172.19.187.0
/ppp profile
add change-tcp-mss=yes dns-server=172.19.187.3,172.19.187.10 local-address=\
    172.19.187.3 name=l2tp-ipsec remote-address=l2tp-pool
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=l2tp-ipsec enabled=yes \
    ipsec-secret=xxxxxx use-ipsec=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024
/interface bridge
add admin-mac=xxxxxx arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge

Where should be the problem ? If I set up IP address in the same LAN subnet for the remote user as local LAN network, I can ping and connect to all IPs. My LAN subnet is almost full, so I would like to separate the VPN pool segment into different subnet.

 

[Andy]

Hi @pravyroxor: Your VPN IP pool needs to be on the same network with your LAN IP. If you really need to use different network, you will need to configure a NAT between two network so they can talk with each other

 

[pravyroxor]

Yeah, you're right ! I have solved the problem by adding this firewall filters and NAT rules:
Now it works like a charm.

/ip firewall filter
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 \
    in-interface=ether1-wan protocol=udp src-port=""
add action=accept chain=input in-interface=ether1-wan protocol=ipsec-esp
add action=accept chain=input in-interface=ether1-wan protocol=ipsec-ah
add action=accept chain=forward dst-address=172.19.190.0/24 src-address=\
    172.19.187.0/24
add action=accept chain=forward dst-address=172.19.187.0/24 src-address=\
    172.19.190.0/24
# DROP internet over VPN
add action=drop chain=forward comment="VPN drop outside bridge" in-interface=\
    all-ppp out-interface=!bridge
/ip firewall nat
add action=masquerade chain=srcnat dst-address=172.19.190.0/24 src-address=\
    172.19.187.0/24
add action=masquerade chain=srcnat dst-address=172.19.187.0/24 src-address=\
    172.19.190.0/24

 

[Andy]

Cool bananas! We're glad that your issue has now been fixed. If you have anything else, let us know. We'd happy to help!

 

[kahn]

Cool bananas! We're glad that your issue has now been fixed. If you have anything else, let us know. We'd happy to help!

Dear Andy,
Thanks a bunch for this article as I have tried so many tutorials but nothing worked for me. I am using MT RB750 with RouterOS 6.39 installed,
I am successfully connected to my MT router through VPN with the help of your article but what I do not know what I have done wrong that as soon as my connection vpn established, my client internet connectivity stopped, I can ping the remote resources like server and workstations but I can not open the shares as the error occurs when I try to do so,
kindly let me know about the resolution as what I want is whenever I connect vpn, I can browse the shares on the remote network and my internet should be my local (client side) internet as I do not want the public IP of remote vpn server of mine because there is not very good internet speed.

Thanks in advance

 

[Andy]

Dear Andy,
Thanks a bunch for this article as I have tried so many tutorials but nothing worked for me. I am using MT RB750 with RouterOS 6.39 installed,
I am successfully connected to my MT router through VPN with the help of your article but what I do not know what I have done wrong that as soon as my connection vpn established, my client internet connectivity stopped, I can ping the remote resources like server and workstations but I can not open the shares as the error occurs when I try to do so,
kindly let me know about the resolution as what I want is whenever I connect vpn, I can browse the shares on the remote network and my internet should be my local (client side) internet as I do not want the public IP of remote vpn server of mine because there is not very good internet speed.

Thanks in advance

Hi @kahn,

When you try to open your Windows share, what error message are you getting? Can you post a screenshot here about the error window dialogue so I can have a better understanding of what's wrong? Also, have you tried disabling the Windows Firewall?

Cheers

 

[kahn]

Hi @kahn,

When you try to open your Windows share, what error message are you getting? Can you post a screenshot here about the error window dialogue so I can have a better understanding of what's wrong? Also, have you tried disabling the Windows Firewall?

Cheers

Thanks for your quick reply,
I am getting no errors when trying to open the resources while connected to local network but with vpn I have no luck,
firewall is all allowed and kindly let me know the internet issue thing I have described in my first reply, I would be very thankful to you.

Regards

 

[Andy]

Thanks for your quick reply,
I am getting no errors when trying to open the resources while connected to local network but with vpn I have no luck,
firewall is all allowed and kindly let me know the internet issue thing I have described in my first reply, I would be very thankful to you.

Regards

Hi @kahn,

Try checking on your Event Viewer; there must be an error number logged by the system
We can't just guess what's the error, otherwise, we'll just wasting time investigating nothing

Cheers

 

[kahn]

Hi @kahn,

Try checking on your Event Viewer; there must be an error number logged by the system
We can't just guess what's the error, otherwise, we'll just wasting time investigating nothing

Cheers

Dear Andy,
Thanks for your reply, the problem has been resolved as I was having port 445 blocked in my filter rules and by disabling that rule all the shares are opening, but now what I am facing is I dial-out from one mikrotik RB750 to another and both firewalls are at different locations. Connection is established but the computers which are behind mikrotik L2TP vpn client can not access the resources/shares behind mikrotik L2TP vpn Server.
Any help would be highly appreciated.
Regards,

 

[kahn]

Dear Andy,
Thanks for your reply, the problem has been resolved as I was having port 445 blocked in my filter rules and by disabling that rule all the shares are opening, but now what I am facing is I dial-out from one mikrotik RB750 to another and both firewalls are at different locations. Connection is established but the computers which are behind mikrotik L2TP vpn client can not access the resources/shares behind mikrotik L2TP vpn Server.
Any help would be highly appreciated.
Regards,

Dear Andy,

I have resolved the issue by adding IP route.
Thanks

 

[Andy]

Hi @kahn, thanks for letting me know. I'm glad now it works for you! Cheers