Here is an example of setting up an IPsec/L2TP VPN server on MikroTik so that you can connect to it from Windows, a MacBook, an iPhone, etc.
1) Add a range of IP addresses for DHCP by opening “IP” – “Pool” and entering:
Name: vpn_pool
Addresses: 192.168.5.1-192.168.5.15
Next pool: none
From the terminal like this:
ip pool add name=vpn_pool ranges=192.168.5.1-192.168.5.15
2) Add a profile to “PPP” – “Profiles”
Name: l2tp_profile
Local address: vpn_pool (you can also specify the router's default address, 192.168.88.1)
Remote address: vpn_pool
Change TCP MSS: yes
Leave the remaining fields at their defaults.
From the terminal like this:
ppp profile add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile remote-address=vpn_pool
3) Add a user to “PPP” – “Secrets”
Name: LOGIN
Password: PASSWORD
Service: l2tp
Profile: l2tp_profile
From the terminal like this:
ppp secret add name=LOGIN password=PASSWORD profile=l2tp_profile service=l2tp
4) Enable the server in “PPP” – “Interface” – “L2TP Server”
Enabled: yes
MTU/MRU: 1450
Keepalive Timeout: 30
Default profile: l2tp_profile
Authentication: mschap2
Use IPSec: yes
IPSec Secret: ENCRYPTION_KEY (the same key is entered on the clients)
From the terminal like this:
interface l2tp-server server set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=ENCRYPTION_KEY use-ipsec=yes
5) “IP” – “IPSec” – “Peers”
Address: 0.0.0.0/0
Port: 500
Auth method: pre shared key
Exchange mode: main l2tp
Passive: yes (checked)
Secret: ENCRYPTION_KEY (the same key is entered on the clients)
Policy template group: default
Send Initial Contact: yes
NAT Traversal: yes
My ID Type: auto
Generate policy: port override
Lifetime: 1d 00:00:00
DPD Interval: 120
DPD Maximum failures: 5
Proposal check: obey
Hash algorithm: sha1
Encryption Algorithm: 3des aes-128 aes-256
DH Group: modp 1024
From the terminal like this:
ip ipsec peer add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=ENCRYPTION_KEY
6) “IP” – “IPSec” – “Proposals”
Name: default
Auth algorithms: sha1
Encr. algorithms: 3des, aes-256 cbc, aes-256 ctr
Lifetime: 00:30:00
PFS Group: modp 1024
From the terminal like this:
ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des
7) “Firewall” – “Add New”
Let's add the first rule, allowing incoming VPN connections:
Chain: Input
Protocol: udp
Any. Port: 1701,500,4500
Action: Accept
And the second:
Chain: Input
Protocol: ipsec-esp
Action: Accept
From the terminal like this:
ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
ip firewall filter add chain=input action=accept protocol=ipsec-esp
The rules should be at the top of the list, above any drop rules in the input chain.
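The whole procedure as one RouterOS script, an added example rather than anything from the original page. It assumes RouterOS 6.x command syntax (the same as the terminal lines above), that the input chain already contains rules (the default configuration does), and that the three placeholder values are replaced before running it.

```routeros
# Added example (not from the original page): steps 1-7 as one RouterOS 6.x script.
# Replace the three placeholders before running.
:local vpnUser "LOGIN"
:local vpnPass "PASSWORD"
:local psk "ENCRYPTION_KEY"

/ip pool add name=vpn_pool ranges=192.168.5.1-192.168.5.15
/ppp profile add name=l2tp_profile local-address=vpn_pool remote-address=vpn_pool change-tcp-mss=yes
/ppp secret add name=$vpnUser password=$vpnPass service=l2tp profile=l2tp_profile

# Enable the L2TP server; the IPsec secret here must match the peer's secret below.
/interface l2tp-server server set enabled=yes default-profile=l2tp_profile \
    authentication=mschap2 use-ipsec=yes ipsec-secret=$psk \
    max-mtu=1450 max-mru=1450 keepalive-timeout=30

# Accept IKE from any source address (road-warrior clients have no fixed IP).
# 3des and modp1024 are legacy algorithms kept only for client compatibility;
# drop them once every client negotiates aes and a larger DH group.
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp auth-method=pre-shared-key \
    secret=$psk passive=yes generate-policy=port-override nat-traversal=yes \
    send-initial-contact=yes hash-algorithm=sha1 enc-algorithm=aes-256,aes-128,3des \
    dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1 \
    enc-algorithms=aes-256-cbc,aes-256-ctr,3des lifetime=30m pfs-group=modp1024

# place-before=0 inserts each rule at position 0, i.e. above any existing
# drop rules in the input chain, which is what "at the top of the list" requires.
# dst-port is tighter than the GUI's "Any. Port": only traffic *to* these ports matches.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=1701,500,4500 \
    comment="L2TP/IPsec: IKE, NAT-T, L2TP" place-before=0
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    comment="L2TP/IPsec: ESP" place-before=0

# Verification once a client has connected: the negotiated IPsec SAs and the PPP session.
/ip ipsec installed-sa print
/ppp active print
```

If a client can reach the router but the session never appears in /ppp active, check /log print where topics~"ipsec" first: a pre-shared key mismatch fails there before L2TP is ever attempted.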
This completes the configuration; you can now connect.
See also:
Configuring Remote Access in Mikrotik Router