Setup MikroTik as L2TP/IPSec VPN Server


This is a brief guide on how to implement an L2TP/IPSec VPN server on Mikrotik RouterOS and use it as a gateway.
Update 26/07/2019: If you're using RouterOS v6.44 or above, please click here for the new way of implementing L2TP/IPsec.
Change these to fit your setup:
  • This router’s local IP address:
  • WAN connection is PPPoE with the name ether1-GTW.
    If you use PPPoE, use the name of your PPPoE connection. If you use static configuration or DHCP client as WAN, use the name of that interface.
  • Pool name for VPN clients is vpn-pool and gives addresses
  • VPN profile: vpn-profile
  • VPN username: remoteuser
  • VPN password: yourpassword
  • L2TP secret: yourl2tpsecret
Remember that it’s always a good practice to use a strong password and secret.
Let’s create a pool of addresses that VPN clients will get once connected:

/ip pool add name=vpn-pool ranges=

Then create a VPN profile that will determine the IP addresses of the
router, VPN clients, and DNS server. You can set it to be outside of
the local subnet, but make sure that your firewall allows the

/ppp profile add change-tcp-mss=yes local-address= name=vpn-profile remote-address=vpn-pool dns-server= use-encryption=yes

We can now create VPN users:

/ppp secret add name="yourusername" password="yourpassword" profile=vpn-profile service=any

Configure the IPsec settings: the encryption algorithms, the L2TP pre-shared secret, which peers may connect, and NAT traversal:

/ip ipsec peer add address= exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des

Now that everything is in place, we can simply enable the VPN server and choose the right profile:

/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes

If you have a firewall rule that blocks all traffic, you can add these additional rules to allow L2TP/IPSec to pass through the WAN interface:

/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=ether1-GTW protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=ether1-GTW protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=ether1-GTW protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=ether1-GTW protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=ether1-GTW protocol=ipsec-ah
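To confirm that an exported configuration actually carries these five accept rules, and that they sit above any catch-all drop on the input chain (RouterOS evaluates filter rules top to bottom, so an accept placed below a drop never matches), here is an added Python audit script. It is not part of the original guide and not a RouterOS tool. It parses the text that `/export` prints, including backslash-continued lines and comma-separated `dst-port` lists such as `500,1701,4500`, reports which required rules are missing for packets arriving on the WAN interface, and flags `3des` in the default IPsec proposal. The embedded `SAMPLE_EXPORT` is constructed; `ether1-GTW` is the WAN name used in this guide, and the function names are chosen here.

```python
import re

# Constructed sample of what `/export` prints (not a real device's config):
# the guide's accept rules, one of them wrapped with a trailing backslash the
# way RouterOS wraps long lines, followed by a catch-all drop and the proposal.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=ether1-GTW protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701+4500" in-interface=ether1-GTW \\
    protocol=udp dst-port=1701,4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=ether1-GTW protocol=ipsec-esp
add chain=input action=drop comment="drop everything else" in-interface=ether1-GTW
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
"""

WAN = "ether1-GTW"  # WAN interface name used in the guide above

# The input-chain rules the guide adds: (protocol, dst-port or None).
REQUIRED = [("udp", "500"), ("udp", "1701"), ("udp", "4500"),
            ("ipsec-esp", None), ("ipsec-ah", None)]

# key=value or key="quoted value" tokens on a RouterOS command line
KEYVAL = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def join_continuations(text):
    """Merge lines that RouterOS wrapped with a trailing backslash."""
    lines, pending = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            pending += stripped[:-1].strip() + " "
            continue
        lines.append((pending + raw.strip()).strip())
        pending = ""
    if pending:
        lines.append(pending.strip())
    return lines


def parse_export(text):
    """Return a list of (section, verb, {key: value}) for each command line."""
    section, entries = None, []
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("/"):
            section = line                # e.g. "/ip firewall filter"
            continue
        verb = line.split(maxsplit=1)[0]  # add / set / remove ...
        kv = {k: v.strip('"') for k, v in KEYVAL.findall(line)}
        entries.append((section, verb, kv))
    return entries


def accepted_on_input(entries, wan):
    """(protocol, port) pairs accepted by input-chain rules that a packet
    arriving on `wan` reaches before any catch-all drop."""
    allowed = set()
    for section, verb, kv in entries:
        if section != "/ip firewall filter" or verb != "add":
            continue
        # a rule without in-interface applies to every interface, wan included
        if kv.get("chain") != "input" or kv.get("in-interface", wan) != wan:
            continue
        proto = kv.get("protocol")
        if kv.get("action") == "drop" and not proto and "dst-port" not in kv:
            break                         # heuristic: catch-all drop; rules below it never match
        if kv.get("action") != "accept":
            continue
        if proto == "udp":
            for port in kv.get("dst-port", "").split(","):
                if port:
                    allowed.add(("udp", port))
        elif proto:
            allowed.add((proto, None))
    return allowed


def missing_vpn_rules(text, wan=WAN):
    """Required L2TP/IPsec rules that the export does not accept on `wan`."""
    allowed = accepted_on_input(parse_export(text), wan)
    return [rule for rule in REQUIRED if rule not in allowed]


def weak_proposal_algorithms(text):
    """Encryption algorithms in the IPsec proposal that should be retired."""
    weak = []
    for section, _verb, kv in parse_export(text):
        if section == "/ip ipsec proposal":
            for alg in kv.get("enc-algorithms", "").split(","):
                if alg in ("des", "3des"):
                    weak.append(alg)
    return weak


if __name__ == "__main__":
    for rule in missing_vpn_rules(SAMPLE_EXPORT):
        print("missing input accept rule:", rule)
    for alg in weak_proposal_algorithms(SAMPLE_EXPORT):
        print("weak proposal algorithm:", alg)
```

Run it against the output of `/export` saved to a file (replace `SAMPLE_EXPORT` with the file contents) after applying the rules above; the sample deliberately omits the AH rule, so the script reports that one as missing and `3des` as weak. The catch-all detection is a heuristic (a drop with no protocol or port), which is enough to catch the common mistake of appending the accept rules below an existing "drop everything" rule.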

[Optional Configurations]
To use the MikroTik VPN server as a gateway, so that VPN clients go out with MikroTik's public IP, simply masquerade traffic leaving the WAN interface:

/ip firewall nat add chain=srcnat out-interface=ether1-GTW action=masquerade

Allow remote DNS requests, so the router can answer queries from VPN clients that use it as their DNS server:

/ip dns set allow-remote-requests=yes

I tested this on Amazon Elastic Compute Cloud (EC2), using t2.micro instance and it worked perfectly fine for me.

I hope this guide works for you, feel free to post any questions or comments down below.


I have created a simpler configuration for a similar purpose with all traffic being routed, click here to go to the new thread.


New member
Hi Andy, my setup of the L2TP/IPSec tunnel is very similar to yours, but I'm unable to reach the computers in the LAN subnet. My VPN pool is in a different subnet than the LAN network. The VPN connection is established, but I can only ping the router's IP.
/ip pool
add comment=VPN name=l2tp-pool ranges=,
/ip address
add address= comment=defconf interface=bridge network=\
/ppp profile
add change-tcp-mss=yes dns-server=, local-address=\ name=l2tp-ipsec remote-address=l2tp-pool
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=l2tp-ipsec enabled=yes \
    ipsec-secret=xxxxxx use-ipsec=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024
/interface bridge
add admin-mac=xxxxxx arp=proxy-arp auto-mac=no comment=defconf \
Where could the problem be? If I set up an IP address for the remote user in the same subnet as the local LAN network, I can ping and connect to all IPs. My LAN subnet is almost full, so I would like to separate the VPN pool segment into a different subnet.


Hi @pravyroxor: Your VPN IP pool needs to be on the same network as your LAN IP. If you really need to use a different network, you will need to configure NAT between the two networks so they can talk to each other 🤝


New member
Yeah, you're right! I have solved the problem by adding these firewall filters and NAT rules:
Now it works like a charm.
/ip firewall filter
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 \
    in-interface=ether1-wan protocol=udp src-port=""
add action=accept chain=input in-interface=ether1-wan protocol=ipsec-esp
add action=accept chain=input in-interface=ether1-wan protocol=ipsec-ah
add action=accept chain=forward dst-address= src-address=\
add action=accept chain=forward dst-address= src-address=\
# DROP internet over VPN
add action=drop chain=forward comment="VPN drop outside bridge" in-interface=\
    all-ppp out-interface=!bridge
/ip firewall nat
add action=masquerade chain=srcnat dst-address= src-address=\
add action=masquerade chain=srcnat dst-address= src-address=\


Cool bananas! We're glad that your issue has now been fixed. If you have anything else, let us know. We'd be happy to help! 👍