L2TP VPN on MikroTik

There is better documentation, with more detail, on how to set up an L2TP VPN over IPsec on MikroTik; this page is mostly my own notes.

/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=XXX keepalive-timeout=60 max-sessions=10 use-ipsec=required

/ppp profile
add change-tcp-mss=yes dns-server=10.1.1.1 local-address=10.1.1.1 name=VPN-encryption only-one=no remote-address=dhcp-10.1.1.0

/ppp secret
add name=user1 password=YYY profile=VPN-encryption service=l2tp

/ip ipsec identity
add generate-policy=port-override peer=L2TP-peer remote-id=ignore secret=XXX

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/ip firewall filter
add action=accept chain=input comment=L2TP connection-state="" dst-port=1701,500,4500 in-interface=eth1-GW limit=20,5:packet log=yes log-prefix=L2TP protocol=udp
add action=accept chain=input comment=L2TP connection-state="" in-interface=eth1-GW log=yes log-prefix=L2TP protocol=ipsec-esp

If the VPN address pool and the LAN share the same subnet and you want VPN clients to reach local hosts, enable proxy-arp on the bridge:

/interface bridge
add admin-mac=C1:AE:34:55:A3:B1 arp=proxy-arp auto-mac=no name=bridge-LAN
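As an added example (not part of the original post), a small Python checker that parses a RouterOS export like the one above and flags the settings this setup depends on: use-ipsec=required, PPP authentication without pap/chap/mschap1, secrets that are still placeholders, and input accept rules limited to UDP 500/4500/1701 on a named WAN interface. The parser and the checks are my own assumptions, not a MikroTik tool; the sample export is constructed from the lines on this page.

```python
import shlex

# Constructed sample: the relevant lines of the export from this post, placeholders included.
SAMPLE_EXPORT = """\
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=XXX keepalive-timeout=60 max-sessions=10 use-ipsec=required
/ppp secret
add name=user1 password=YYY profile=VPN-encryption service=l2tp
/ip firewall filter
add action=accept chain=input comment=L2TP connection-state="" dst-port=1701,500,4500 in-interface=eth1-GW limit=20,5:packet log=yes log-prefix=L2TP protocol=udp
add action=accept chain=input comment=L2TP connection-state="" in-interface=eth1-GW log=yes log-prefix=L2TP protocol=ipsec-esp
"""

WEAK_AUTH = {"pap", "chap", "mschap1"}          # cleartext or broken PPP auth methods
PLACEHOLDERS = {"", "XXX", "YYY"}                # values that must not reach a live router
L2TP_IPSEC_PORTS = {"500", "4500", "1701"}       # IKE, NAT-T, L2TP

def parse_export(text):
    """Parse a RouterOS export into (menu path, {key: value}) per set/add line."""
    entries, path = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("/"):            # menu path, e.g. /ip firewall filter
            path = line
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
        entries.append((path, kv))          # shlex keeps connection-state="" as an empty value
    return entries

def audit(text):
    """Return findings for the L2TP/IPsec settings this post relies on; empty means clean."""
    findings = []
    for path, kv in parse_export(text):
        if path == "/interface l2tp-server server":
            if kv.get("use-ipsec") != "required":
                findings.append("l2tp-server: use-ipsec is not 'required'; unencrypted L2TP would be accepted")
            weak = set(kv.get("authentication", "").split(",")) & WEAK_AUTH
            if weak:
                findings.append(f"l2tp-server: weak PPP authentication enabled: {sorted(weak)}")
            if kv.get("ipsec-secret", "") in PLACEHOLDERS:
                findings.append("l2tp-server: ipsec-secret is empty or a placeholder")
        elif path == "/ppp secret" and kv.get("password", "") in PLACEHOLDERS:
            findings.append(f"ppp secret {kv.get('name')}: password is empty or a placeholder")
        elif path == "/ip firewall filter" and kv.get("chain") == "input" and kv.get("action") == "accept":
            ports = set(kv.get("dst-port", "").split(",")) - {""}
            if kv.get("protocol") == "udp" and (ports - L2TP_IPSEC_PORTS or not kv.get("in-interface")):
                findings.append("firewall: udp input accept opens ports beyond 500/4500/1701 or has no in-interface")
    return findings
```

Running audit() on the sample above reports only the two placeholder secrets; replace them before applying the export.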

2021.Oct.9. Update

I just found this video on how to configure an L2TP VPN and a client with a few clicks using Winbox; it can easily be adapted to Webconfig. You'll still need the firewall part.
