Configuring the VPN IPSec / L2TP server on Mikrotik

Here is an example of setting up a VPN IPSec / L2TP server on Mikrotik so that you can connect to it from Windows, MacBook, iPhone, etc.

1) Add a range of IP addresses for DHCP by opening “IP” – “Pool” and indicating:
Name: vpn_pool
Addresses: 192.168.5.1-192.168.5.15
Next pool: none
From the terminal like this:

ip pool add name=vpn_pool ranges=192.168.5.1-192.168.5.15

2) Add a profile to “PPP” – “Profiles
Name: l2tp_profile
Local address: vpn_pool (you can specify default 192.168.88.1)
Remote address: vpn_pool
Change TCP MSS: yes
The rest is not touched and left in default
From the terminal like this:

ppp profile add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile remote-address=vpn_pool

3) Add a user to “PPP” – “Secrets
Name: LOGIN
Password: PASSWORD
Service: l2tp
Profile: l2tp_profile
From the terminal like this:

ppp secret add name=LOGIN password=PASSWORD profile=l2tp_profile service=l2tp

4) Enable the server in “PPP” – “Interface” – “L2TP Server
Enabled: yes
MTU/MRU: 1450
Keepalive Timeout: 30
Default profile: l2tp_profile
Authentication: mschap2
Use IPSec: yes
IPSec Secret: ENCRYPTION_KEY (also indicated in the clients)
From the terminal like this:

interface l2tp-server server set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=KEY use-ipsec=yes

5)IP” – “IPSec” – “Peers
Address: 0.0.0.0/0
Port: 500
Auth method: pre shared key
Exchange mode: main l2tp
Passive: yes (set)
Secret: ENCRYPTION_KEY (also indicated in the clients)
Policy template group: default
Send Initial Contact: yes
NAT Traversal: yes
My ID Type: auto
Generate policy: port override
Lifitime: 1d 00:00:00
DPD Interval: 120
DPD Maximum failures: 5
Proposal check: obey
Hash algorithm: sha1
Encryption Algorithm: 3des aes-128 aes-256
DH Group: modp 1024
From the terminal like this:

ip ipsec peer add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=KEY

6)IP” – “IPSec” – “Proposals”
Name: default
Auth algorithms: sha1
Enrc. algorithms: 3des, aes-256 cbc, aes-256 ctr
Life time: 00:30:00
PFS Group: mod 1024
From the terminal like this:

ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des

7)Firewall” – “Add New
Let’s add the first rule allowing incoming VPN connections:
Chain: Input
Protocol: udp
Any. Port: 1701,500,4500
Action: Accept
And the second:
Chain: Input
Protocol: ipsec-esp
Action: Accept
From the terminal like this:

ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
ip firewall filter add chain=input action=accept protocol=ipsec-esp

The rules should be at the top of the list.

This completes the configuration, you can connect.

See also:
Configuring Remote Access in Mikrotik Router

Leave a comment

Leave a Reply