Welcome back, everyone! I’m Corels from Emmanuel Corels Creatives. Today, we’re going to explore a highly practical and secure way to allow remote access to your network: setting up an L2TP/IPsec VPN on your MikroTik router. In this guide, I’ll explain every step in detail—from certificate settings and PPP profiles to firewall adjustments—so that even if you’re new to MikroTik, you’ll feel confident setting up this powerful VPN solution.
Why L2TP/IPsec VPN?
L2TP (Layer 2 Tunneling Protocol) paired with IPsec (Internet Protocol Security) combines ease of setup with robust security. Here’s why you might choose it:
- Enhanced Security: IPsec encrypts your traffic using strong cryptographic algorithms.
- Wide Compatibility: It’s supported on most operating systems—Windows, macOS, Linux, iOS, and Android.
- Ease of Configuration: Compared to some alternatives, L2TP/IPsec is relatively straightforward to configure on MikroTik.
Note: While PPTP is simpler, L2TP/IPsec offers significantly better security. For critical environments, this is the recommended choice.
Step 1: Prerequisites
Before you begin, ensure the following:
- Your MikroTik router is running a recent version of RouterOS (v6 or v7) that supports L2TP/IPsec.
- You have administrative access via WinBox or the terminal.
- You’re connected to your router’s LAN and have basic connectivity.
- It’s a good idea to back up your current configuration:
/system backup save name=pre-l2tp-backup
Step 2: Configure IPsec Settings
L2TP/IPsec relies on IPsec for encryption. Here’s how to set it up:
- Access IPsec Settings: In WinBox, navigate to IP → IPsec → Peers. We’ll add a new peer for VPN connections.
- Create an IPsec Peer:
  - Address: You can leave this blank for dynamic clients, or specify a remote IP if needed.
  - Exchange Mode: Set to ike2 (modern and secure).
  - Secret: Enter a shared secret that will be used between the server and the clients (e.g., MyStrongIPsecSecret!).
  - Comment: Optionally, add “L2TP/IPsec VPN Peer” for clarity.
  - Click OK.
CLI Example:
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=ike2 secret=MyStrongIPsecSecret! comment="L2TP/IPsec VPN Peer"
Explanation:
The shared secret is critical—it’s used to authenticate the IPsec tunnel. Choose a strong, unique password. The address=0.0.0.0/0 setting means the router will accept IPsec negotiations from any IP, which is typical for VPN servers.
Step 3: Configure L2TP Server
Now, enable the L2TP server, which will establish the tunnel and handle client connections.
- Enable the L2TP Server: Go to PPP → Interfaces, then click on the L2TP Server button.
- L2TP Server Settings:
  - Enabled: Check the box to enable it.
  - Default Profile: Leave as default or create a custom PPP profile later.
  - Use IPsec: Check this box to enforce IPsec encryption.
  - IPsec Secret: Enter the same shared secret you used earlier (e.g., MyStrongIPsecSecret!).
  - Authentication: Typically, L2TP uses PPP authentication, so you’ll use user accounts (we’ll create these next).
- Click OK.
CLI Equivalent:
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret=MyStrongIPsecSecret!
Explanation:
Enabling IPsec on the L2TP server ensures that every L2TP connection is encrypted. The shared secret must match what you configured in the IPsec peer settings.
Step 4: Create a PPP Profile for VPN Clients
A PPP profile sets the parameters for VPN sessions—like the IP address range and DNS settings for connected clients.
- Go to PPP → Profiles and click “+”.
- Name: Enter a name, for example, L2TP_Profile.
- Local Address: Set the IP address for the VPN server within the VPN subnet (e.g., 10.10.10.1).
- Remote Address: Specify an IP pool for VPN clients (e.g., create a pool 10.10.10.2-10.10.10.254).
- DNS Server: Optionally, enter preferred DNS servers (e.g., 8.8.8.8,8.8.4.4).
- Click OK.
CLI Example:
# remote-address takes a single IP or a pool name, not a range: create the pool first, then reference it
/ip pool add name=L2TP_Pool ranges=10.10.10.2-10.10.10.254
/ppp profile add name=L2TP_Profile local-address=10.10.10.1 remote-address=L2TP_Pool dns-server=8.8.8.8,8.8.4.4
Explanation:
This profile defines the IP addressing for the VPN. The local-address acts as the gateway for VPN clients, while remote-address is the pool from which clients receive their IPs.
Step 5: Add PPP Secrets (User Accounts)
Each VPN client needs a unique username and password to authenticate.
- Go to PPP → Secrets and click “+”.
- Name: Enter a username, e.g., vpnuser.
- Password: Choose a strong password, e.g., StrongVPNPass!.
- Service: Select l2tp.
- Profile: Choose the profile you created (L2TP_Profile).
- Click OK.
CLI Example:
/ppp secret add name=vpnuser password=StrongVPNPass! service=l2tp profile=L2TP_Profile
Explanation:
These credentials are used by clients to connect securely to your VPN. Make sure they’re strong and unique to prevent unauthorized access.
Step 6: Adjust Firewall Rules
Ensure that your firewall permits VPN connections, especially IPsec and L2TP traffic.
- Allow UDP Ports: L2TP/IPsec typically uses UDP ports 500 (for IKE), 4500 (for NAT-T), and 1701 (for L2TP if needed). In IP → Firewall → Filter Rules, add rules like:
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept comment="Allow IPsec and L2TP"
- Allow Established Connections: Make sure rules allow established/related traffic:
/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow established"
- Drop Unwanted Traffic: Optionally, add a default drop rule at the end of the input chain:
/ip firewall filter add chain=input action=drop comment="Default drop"
Explanation:
These rules ensure that your VPN traffic isn’t blocked by the firewall. The specific ports are crucial for establishing IPsec tunnels and L2TP sessions.
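Added example, not from the original post: a fuller input-chain rule set for this server. It assumes an interface list named WAN (a placeholder for your own WAN list). Beyond UDP 500/4500 it accepts ESP, which carries the encrypted packets when no NAT sits between client and router, and it accepts UDP 1701 only when the packet arrived inside an IPsec policy, so unencrypted L2TP is refused; the final drop is limited to WAN input so LAN management access is unaffected.

```routeros
# Added example: input-chain rules for the L2TP/IPsec server.
# Assumes an interface list named WAN exists (placeholder; replace with yours).
# RouterOS evaluates filter rules top-down, so the accept rules must sit above the final drop.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow established"
add chain=input connection-state=invalid action=drop comment="Drop invalid"
# IKE (500) and NAT-T (4500) from the Internet
add chain=input protocol=udp dst-port=500,4500 in-interface-list=WAN action=accept comment="Allow IKE/NAT-T"
# ESP carries the encrypted payload when no NAT is in the path
add chain=input protocol=ipsec-esp in-interface-list=WAN action=accept comment="Allow ESP"
# L2TP only if the packet was decrypted by an IPsec policy; bare UDP/1701 stays blocked
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="Allow L2TP inside IPsec"
# Drop everything else arriving on the WAN side; LAN input is left to your existing rules
add chain=input in-interface-list=WAN action=drop comment="Drop other WAN input"
```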
Step 7: Testing the VPN
Once everything is set up, test your VPN connection:
- Connect from a Client Device: On your device (Windows, macOS, etc.), create a new VPN connection using L2TP/IPsec. Enter:
  - Server Address: Your public IP or DDNS hostname.
  - Username: vpnuser
  - Password: StrongVPNPass!
  - IPsec Pre-Shared Key: MyStrongIPsecSecret!
- Verify Connection: After connecting, check that your client receives an IP from the VPN pool (e.g., 10.10.10.x). Test connectivity by pinging the VPN gateway (10.10.10.1) and accessing resources on your network.
- Check Router Logs and Active Connections: In WinBox, go to PPP → Active Connections to see your VPN session. Use /log print to review any error messages.
Troubleshooting Tips:
- If the VPN doesn’t connect, double-check that your shared secret is consistent across the IPsec peer, L2TP server, and client configuration.
- Ensure that your WAN connection is active and that firewall rules allow UDP traffic on ports 500 and 4500.
- Verify that your PPP profile’s IP pool isn’t exhausted.
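Added example, not from the original post: the router-side checks that correspond to the testing and troubleshooting steps above, on RouterOS v7 (and recent v6). It assumes the client pool was created as a named /ip pool rather than typed into the profile as a range.

```routeros
# Added example: read-only checks to run on the router after a client attempts to connect.
# IKE phase 1: the client's public address should be listed as an established peer;
# if it never appears, the pre-shared key or UDP 500/4500 reachability is the first suspect
/ip ipsec active-peers print
# Phase 2: there should be an inbound and an outbound SA for the client;
# no SAs here means encryption never came up, so L2TP could not start
/ip ipsec installed-sa print
# The PPP layer: dynamic l2tp-in interfaces and the active session with user name,
# assigned address and uptime; missing here but present above points at the PPP secret
/interface l2tp-server print
/ppp active print
# Pool exhaustion: compare the used count with the pool's range (assumes a named pool)
/ip pool used print
# Recent IPsec and L2TP messages only, rather than the whole log
/log print where topics~"ipsec|l2tp"
```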
Final Thoughts
Setting up an L2TP/IPsec VPN on your MikroTik router provides a secure and flexible solution for remote access. We’ve covered everything—from IPsec peer settings and L2TP server configuration to PPP profiles, user accounts, and essential firewall rules. While the process may seem detailed, each step builds upon the previous one, ensuring that your VPN is both secure and reliable.
Take your time experimenting with these settings in a test environment, and once you’re confident, roll it out in production. As always, if you have any questions or run into issues, feel free to reach out. Happy VPN-ing, and here’s to secure remote connectivity!
Explained with detailed clarity by
Corels – Admin, Emmanuel Corels Creatives