Mikrotik L2TP / IPsec VPN Server Step by Step configuration with Fasttrack enabled!

This tutorial assumes that the WAN interface of the MikroTik router has a public IP address and that your ISP does not block the traffic IPsec needs (UDP 500 and 4500, and ESP, IP protocol 50). With that out of the way, let's get started.

The first step is to create a PPP Profile on the mikrotik. We will use a for the local address (the VPN Gateway), assuming this is not already in use. We also need to add a DNS Server

/ppp profile add name=ipsec_vpn local-address= dns-server=

Next we enable the L2TP server, bind it to the profile and set the allowed authentication methods, mschap1 and mschap2. Modern clients negotiate mschap2, so mschap1 can be left out of the list unless a legacy client needs it.

/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2

Next, we need to define the IPsec peer and the default IPsec policy template, setting the pre-shared key in the process. The peer syntax changed between RouterOS releases, so use the variant that matches your version.

/ip ipsec policy set [ find default=yes ] src-address= dst-address= protocol=all proposal=default template=yes 

For RouterOS 6.39 and lower use:

/ip ipsec peer add address= port=500 auth-method=pre-shared-key secret="STRONG_SECRET_HERE" exchange-mode=main-l2tp send-initial-contact=no  generate-policy=port-override

For RouterOS 6.44 and higher use:

/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver

/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="STRONG_SECRET_HERE" peer=l2tpserver

Next we set the default proposal, i.e. the algorithms that protect the tunnel traffic. 3DES, SHA1 and modp1024 are legacy choices kept here for compatibility with stock clients; RouterOS also supports aes-256-cbc, sha256 and modp2048, and a proposal may list several algorithms so that each client gets the strongest one it offers.

/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024

Now we add a user and allocate an IP address to it.

/ppp secret add name="USERNAME" password="STRONG PASSWORD" service=l2tp profile=ipsec_vpn remote-address=

Finally we need to accept the IPsec and L2TP traffic arriving on the WAN in the input chain. Two things to be aware of: port= matches either the source or the destination port, so dst-port= is the tighter match; and UDP 1701 is accepted here in the clear as well, so if L2TP should only ever be spoken inside the tunnel, put it in a separate rule that also matches ipsec-policy=in,ipsec.

/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
/ip firewall filter add chain=input action=accept protocol=ipsec-esp

Note that these two rules need to sit above any drop rule in the input chain, otherwise connections from the WAN interface are discarded before they can be accepted. Either use the "move" command via the CLI to move them to the top of the list or drag them in the GUI. The final result should look something like this:
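The whole procedure as one importable script, given here as an added example rather than the post's own commands. It targets RouterOS 6.44 and higher and applies the two firewall hardenings mentioned above (dst-port matching, and L2TP accepted only inside IPsec). The addresses are assumptions, not values from the post: 10.99.0.1 as the VPN gateway, 10.99.0.10-10.99.0.50 as the client pool, 1.1.1.1 as the DNS server handed to clients, and a 0.0.0.0/0 policy template. Replace them for your network.

```routeros
# Added example, not from the original post. Assumed values: 10.99.0.1 (VPN
# gateway), 10.99.0.10-10.99.0.50 (client pool), 1.1.1.1 (client DNS),
# 0.0.0.0/0 policy template. RouterOS 6.44+ syntax.

# Client addressing: the gateway address must not be in use anywhere else.
/ip pool add name=vpn_pool ranges=10.99.0.10-10.99.0.50
/ppp profile add name=ipsec_vpn local-address=10.99.0.1 remote-address=vpn_pool \
    dns-server=1.1.1.1

# L2TP server. mschap1 is left out; add it back only for a client that cannot do mschap2.
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn \
    authentication=mschap2

# IPsec: a passive main-mode peer that accepts any source address, and a PSK
# identity that generates a per-client policy from the default template.
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 \
    protocol=all proposal=default template=yes
/ip ipsec peer add name=l2tpserver exchange-mode=main passive=yes
/ip ipsec identity add peer=l2tpserver auth-method=pre-shared-key \
    secret="STRONG_SECRET_HERE" generate-policy=port-override

# Proposal: stronger algorithms listed first, the legacy set kept only so that
# clients which offer nothing better can still connect. Drop 3des and sha1 once
# every client negotiates AES/SHA-256.
/ip ipsec proposal set default auth-algorithms=sha256,sha1 \
    enc-algorithms=aes-256-cbc,3des pfs-group=modp1024

# Per-user credentials; the client address comes from the profile's pool
# (a remote-address set here would override it).
/ppp secret add name="USERNAME" password="STRONG PASSWORD" service=l2tp profile=ipsec_vpn

# Firewall: match on dst-port (port= matches either direction), and accept
# UDP/1701 only after the packet has been decapsulated from IPsec, so cleartext
# L2TP from the internet falls through to the rest of the input chain.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    comment="vpn: IKE and NAT-T"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    comment="vpn: ESP"
/ip firewall filter add chain=input action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec comment="vpn: L2TP, only inside IPsec"
# Move the three accept rules ahead of any drop rule in the input chain.
/ip firewall filter move [find comment~"^vpn:"] destination=0
```

Import it with /import after uploading the file, then check /ip firewall filter print that the three "vpn:" rules sit above every drop in the input chain. If a client fails to connect after tightening the proposal, /log print with the ipsec topic enabled shows which algorithm set the client offered.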

Fasttrack configuration with L2TP Server / Client

I have moved this section to its own post, since this part is relevant to other scenarios too. You may read the full post here

4 comments On Mikrotik L2TP / IPsec VPN Server Step by Step configuration with Fasttrack enabled!

  • I have recently set up this configuration and had a lot of trouble with the details. Your simple explanation looks very good. I do have one question. What do you mean by the phrase I have made bold in “We will use a for the local address (the VPN Gateway), ASSUMING THIS IS NOT ALREADY IN USE.” The address I used for the “local address” was the LAN-side address of the router (which is also the default gateway address for internal devices on the network). So, it is definitely “IN USE”. Am I missing something?
    Again, thank you for your instructions here!

    • Hi Kenny,

      You need to use a different address, one which is not in use, for your ppp profile. I have used If this happens to be your default gateway already then use something like or another IP Address (for your ppp profile). Hope that clears it up.


  • Works like a charm! Thanks for posting.
    One comment.
    I tried a bit more secure credentials because SHA1 and 3DES are not so secure anymore.
    Surprisingly the most common SHA256 and AES256CBC with PFS group 14 (2048) did not work.
    If you use it in native IPsec this works.
    Do you know why this did not work with L2TP in Windows 10 and only the old fashioned SHA1, 3DES and PFS 1024?

    • Although I cannot be sure, I believe this has to do with the Windows L2TP client. I vaguely recall having the same issue using Windows XP with a Cisco router back in the day. I will try to find some time to test it out in a Windows VM and report back my findings. 🙂
