Basic L2TP/IPsec server configuration on a MikroTik device.

Basic L2TP/IPsec server configuration on a MikroTik device.

In the current example we will show how easy it is to setup and configure an L2TP/IPsec server on a MikroTik router with default configuration (RouterOS 6.16 or later) for use with roadwarrior connection (works with Windows, Android an IOS) using winbox interface.
First step – turn on L2TP server:
Go to “PPP > Interface” section of winbox, press on “L2TP Server” button – a new “L2TP Server” configuration window will open:

Tick the “Enabled” setting, in the “Default Profile” section select “default”. In the “Use IPsec” choose “required”. In the “IPsec Secret” field enter and take note of your unique password – It will be required for your VPN clients, everything else left at default values. Press OK, close all windows.

Next step – defining your VPN client IP address range, gateway and VPN client profiles for each user. Note that your VPN IP address range must be different from other services that are used on the device ( for example DHCP)
Go to “IP > Pool” section, click on the blue plus sign in the new window – another window will open.

In the “Name” field input any name you want for your range, take note of it. In the “Addresses” field define your necessary IP address range (don’t forget to leave out one address for the gateway). Press ok, close all current windows.

Now open “PPP” section, go to “Profiles” tab and double click on “default” profile. In the newly opened window in the “Local Address” field click on the down arrow on the right and enter your VPN gateway address. In the “Remote Address” field choose the VPN range name that we made earlier. Press OK.

In the same “PPP” window go to “Secrets” tab, click on the blue plus sign – a new window will appear where we define individual VPN user profile.

In the “Name” field enter your VPN client username, in “Password” field we enter our user’s password.

Last step – making sure that our router has necessary ports open to accept incoming IPsec connections. Go to “IP > Firewall”, in the “Filter Rules” click on a blue plus sign again, a new window will appear.

n the new window enter settings as seen in the image (In the “Dst. Port” field numbers are separated by comma), press ok.

Repeat the last step, but this time with different settings as seen in the image below, press OK.

Our new settings should now appear at the bottom of the list in the “Filter Rules” tab, select and drag them below our first filter rule like seen in the image.

Congratulations, your router is now ready to accept L2TP/IPsec connection using your IPsec secret and earlier defined client username and password.

Useful links::
1.  Information and examples of different L2TP network configurations and their use (eng.).
2. A detailed theory and description of all settings related to the IPsec protocol, as well as examples of their application in practice, a description of the capabilities and support of devices of this protocol and answers to frequently asked questions (eng.).