Mikrotik L2TP / IPsec VPN Server Step by Step configuration

In the future, using the website cloudhosting.lv, you agree to the rules of using Cookies. Read more. I agree

Mikrotik L2TP / IPsec VPN Server Step by Step configuration

This guide assumes that the Mikrotik WAN interface has a public IP address and that your ISP does not block ipsec ports. With this out of the way, let's get started. The first step is to create a PPP profile on Mikrotik. We will use for the local address (VPN gateway), assuming that it is not yet in use. We also need to add a DNS server.

/ppp profile add name=ipsec_vpn local-address= dns-server=

Then we add the server interface of the l2tp server and set the authentication methods allowed, mschap1 and mschap2.

/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2

Next, we need to define IPSec peering, as well as the default IPsec policy. We will also establish the secret of the pre-key in the process.

/ip ipsec policy set [ find default=yes ] src-address= dst-address= protocol=all proposal=default template=yes

For Router OS 6.39 and lower use

/ip ipsec peer add address= port=500 auth-method=pre-shared-key secret="STRONG_SECRET_HERE" exchange-mode=main-l2tp send-initial-contact=no  generate-policy=port-override

For Router OS 6.44 and higher use :

/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver

/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="STRONG_SECRET_HERE" peer=l2tpserver

Next we set the default encryption algorithms

/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024

Now we add the user and assign an IP address

/ppp secret add name="USERNAME" password="STRONG PASSWORD" service=l2tp profile=ipsec_vpn remote-address=

Finally we need to open the IPSec ports from the WAN

/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
/ip firewall filter add chain=input action=accept protocol=ipsec-esp

Note that these two rules must be added at the top of the list before any other rules to allow connections from the WAN interface. Either use the "move" command using the CLI to move them to the top of the list, or use the GUI.