Mikrotik L2TP / IPsec VPN Server Step by Step configuration with Fasttrack enabled!

This tutorial assumes that the WAN interface of the MikroTik router has a public IP address and that your ISP does not block the IPsec ports. With that out of the way, let's get started.

The first step is to create a PPP profile on the MikroTik. We will use 192.168.102.1 as the local address (the VPN gateway), assuming this address is not already in use. We also need to set a DNS server for the clients:

/ppp profile add name=ipsec_vpn local-address=192.168.102.1 dns-server=1.1.1.1

Next we enable the L2TP server interface and restrict the allowed authentication methods to mschap1 and mschap2:

/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2

Next, we need to define the IPsec peer and the default IPsec policy. We will also set the pre-shared key secret in the process:

/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes

For RouterOS 6.39 and lower use:

/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="STRONG_SECRET_HERE" exchange-mode=main-l2tp send-initial-contact=no generate-policy=port-override

For RouterOS 6.44 and higher use:

/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver

/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="STRONG_SECRET_HERE" peer=l2tpserver

Next we set the algorithms for the default IPsec proposal:

/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024

Now we add a user and assign it a remote IP address:

/ppp secret add name="USERNAME" password="STRONG PASSWORD" service=l2tp profile=ipsec_vpn remote-address=192.168.102.2

Finally, we need to allow the L2TP/IPsec traffic (UDP 1701, 500 and 4500, plus ESP) in from the WAN:

/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
/ip firewall filter add chain=input action=accept protocol=ipsec-esp

Note that these two rules need to be placed at the top of the input chain, before any other rules, or connections from the WAN interface will not be accepted. Either use the “move” command via the CLI to move them to the top of the list or use the GUI. The final result should look something like this:
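As an added check (example code, not part of the original tutorial): a small Python script that parses the text of /ip firewall filter export and reports whether the two accept rules above exist in the input chain and sit above every drop or reject rule there, so a misordering is caught before the first client fails to connect. The export text embedded in it is constructed, not captured from a router.

```python
# Checks that the L2TP/IPsec accept rules sit above every drop/reject in the input
# chain. Input is the text of '/ip firewall filter export' from a RouterOS device.
import shlex

# Constructed sample (not captured from a real router): the two accept rules from
# the tutorial were added, but a WAN drop rule still sits above them.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="drop WAN input" in-interface=ether1
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=fasttrack-connection chain=forward connection-state=established,related
"""

REQUIRED_UDP_PORTS = {"500", "4500", "1701"}  # IKE, NAT-T, L2TP

def parse_filter_export(text):
    """Return one dict of key=value pairs per 'add ...' line, in list order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            # shlex handles quoted values such as comment="drop WAN input"
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def check_ipsec_rule_order(text):
    """Return (ok, problems). ok is True only when both accept rules exist in
    chain=input and no drop/reject rule in that chain precedes either of them."""
    rules = [r for r in parse_filter_export(text) if r.get("chain") == "input"]
    # Position of the first blocking rule; the accepts must come before it.
    first_block = next((i for i, r in enumerate(rules)
                        if r.get("action") in ("drop", "reject")), len(rules))
    def find(pred):
        return next((i for i, r in enumerate(rules)
                     if r.get("action") == "accept" and pred(r)), None)
    udp_idx = find(lambda r: r.get("protocol") == "udp" and REQUIRED_UDP_PORTS
                   <= set((r.get("dst-port") or r.get("port", "")).split(",")))
    esp_idx = find(lambda r: r.get("protocol") == "ipsec-esp")
    problems = []
    for name, idx in (("UDP 1701,500,4500 accept", udp_idx), ("ipsec-esp accept", esp_idx)):
        if idx is None:
            problems.append(f"missing {name} rule in chain=input")
        elif idx > first_block:
            problems.append(f"{name} rule sits below a drop/reject at input position {first_block}")
    return not problems, problems

if __name__ == "__main__":
    ok, problems = check_ipsec_rule_order(SAMPLE_EXPORT)
    print("OK" if ok else "\n".join(problems))
```

Rules written with dst-port instead of port are recognised as well, and the reported position is the index within the input chain only.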

Fasttrack configuration with L2TP Server / Client

I have moved this section to its own post, since this part is relevant to other scenarios too. You may read the full post here.
