In the future, using the website cloudhosting.lv, you agree to the rules of using Cookies. Read more. I agree
Mikrotik L2TP / IPsec VPN Server Step by Step configuration
This guide assumes that the Mikrotik WAN interface has a public IP address and that your ISP does not block ipsec ports. With this out of the way, let's get started. The first step is to create a PPP profile on Mikrotik. We will use 192.168.102.1 for the local address (VPN gateway), assuming that it is not yet in use. We also need to add a DNS server.
/ppp profile add name=ipsec_vpn local-address=192.168.102.1 dns-server=1.1.1.1
Then we add the server interface of the l2tp server and set the authentication methods allowed, mschap1 and mschap2.
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2
Next, we need to define IPSec peering, as well as the default IPsec policy. We will also establish the secret of the pre-key in the process.
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yesFor Router OS 6.39 and lower use
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="STRONG_SECRET_HERE" exchange-mode=main-l2tp send-initial-contact=no generate-policy=port-override
For Router OS 6.44 and higher use :
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver /ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="STRONG_SECRET_HERE" peer=l2tpserver
Next we set the default encryption algorithms
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
Now we add the user and assign an IP address
/ppp secret add name="USERNAME" password="STRONG PASSWORD" service=l2tp profile=ipsec_vpn remote-address=192.168.102.2
Finally we need to open the IPSec ports from the WAN
/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500 /ip firewall filter add chain=input action=accept protocol=ipsec-esp
Note that these two rules must be added at the top of the list before any other rules to allow connections from the WAN interface. Either use the "move" command using the CLI to move them to the top of the list, or use the GUI.