Mikrotik VPN – L2TP/IPSec Server for Remote Clients (Windows/Android/iOS)


If you’re looking for a quick guide to configuring a Mikrotik VPN server that lets remote clients connect into the network behind your Mikrotik router, you’ve come to the right place.

This guide was written for Mikrotik RouterOS v6.41 in September 2017. It presumes you have your main (edge) router as a Mikrotik device, and are NOT behind a double-NAT.

Single-Nat: Modem > Router > Devices.

Double-Nat: Modem > Router > Router > Devices. If your Mikrotik Router has a WAN IP in the ranges of: 192.168.X, 10.X, or 172.16.X, it’s a double-NAT.


Alrighty, let’s get started!

There are two parts to an L2TP server:

  1. L2TP VPN Protocol – Creates the link between two locations
  2. IPSec Encryption – Secures and protects the link

Configure L2TP Server, under PPP (Point-to-Point Protocol)

PPP > Interface > L2TP Server
  Check "Enabled" to turn on the L2TP Server
  Default Profile: default
  Authentication: Check only "mschap2"
  Use IPsec: Yes
  IPsec Secret: YourPreSharedKey
  Caller ID Type: IP Address
  
PPP > Profiles > Default (Create your rules for users)
Note: If you have multiple bridges to separate your network, create a profile for each and specify the bridge; otherwise ignore this.
  Local Address: IP of your local Mikrotik Router (e.g. 192.168.1.1 or 10.10.10.1)
  Remote Address: DHCP pool
  DNS Server: IP of your DNS server/router or 8.8.8.8 (Google DNS)
  
PPP > Secrets (Create your users)
  New (+)
  Name: Username
  Password: UsersPassword
  Profile: default


Configure IPSec Encryption

IP > IPsec > Peers
  New (+)
  Address: 0.0.0.0/0 (for allowing any internet IP to attempt to connect)
  Port: 500
  Auth Method: pre shared key
  Exchange Mode: main l2tp
  Secret: YourPreSharedKey (Must match the PSK from PPP > L2TP Server)
  Advanced Tab
    Policy Template Group: default
    Send Initial Contact: Enabled
    NAT Traversal: Enabled
    My ID type: auto
    Generate Policy: port override
    Proposal Check: obey
  Encryption Tab
    Hash Algorithm: sha1
    Encryption Algorithm: Check: 3des, aes-128
    DH Group: Check: modp1024
    
IP > IPSec > Proposals
  Edit Default
  Auth Algorithms: Check: sha1
  Encryption Algorithms: Check: 3des, aes-128 cbc
  PFS Group: modp1024

Configure Firewall

IP > Firewall > Filter Rules
  New (+)
  VPN Rule
    Chain: input
    Protocol: 17 (udp)
    Dst. Port: 500,1701,4500
    Action: Accept
  Move rule higher up in the list (above any WAN block rules)
  
IP > Firewall > NAT
  New (+)
  Chain: srcnat
  Out. Interface: bridge (Your internal network bridge)
  Action: Masquerade
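
The same server-side steps (L2TP server, PPP profile and secret, IPsec peer and proposal, firewall and NAT) as a RouterOS v6.41 terminal script, added here as an example and not taken from the original post. `YourPreSharedKey`, `192.168.1.1`, `dhcp_pool1`, `Username` and `UsersPassword` are placeholders to replace; `service=l2tp` on the secret and the `ipsec-esp` filter rule (needed for clients that are not behind NAT and therefore do not wrap ESP in UDP 4500) are additions beyond the clicks above, and the IPsec peer parameters are the v6.41 ones (later v6 releases moved the encryption settings into IPsec profiles).

```routeros
# L2TP server: enable, allow only MS-CHAPv2, and bind IPsec with the pre-shared key
/interface l2tp-server server set enabled=yes default-profile=default \
    authentication=mschap2 use-ipsec=yes ipsec-secret="YourPreSharedKey" \
    caller-id-type=ip-address

# PPP profile: addresses handed to clients (192.168.1.1 and dhcp_pool1 are placeholders)
/ppp profile set default local-address=192.168.1.1 remote-address=dhcp_pool1 \
    dns-server=192.168.1.1

# One user per secret; service=l2tp restricts it to L2TP instead of the default "any"
/ppp secret add name="Username" password="UsersPassword" profile=default service=l2tp

# IPsec peer: any source address, main mode for L2TP, one policy generated per client port
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key \
    exchange-mode=main-l2tp secret="YourPreSharedKey" \
    policy-template-group=default send-initial-contact=yes nat-traversal=yes \
    my-id=auto generate-policy=port-override proposal-check=obey \
    hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024

# Phase 2 proposal matching the page; 3des and modp1024 are legacy choices kept only
# for old clients, so remove them once every client negotiates aes and a larger DH group
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des,aes-128-cbc \
    pfs-group=modp1024

# Firewall: accept IKE, L2TP and NAT-T on the input chain, plus ESP for clients that are
# not behind NAT, then move both rules to the top so they sit above any WAN drop rule
/ip firewall filter add chain=input protocol=udp dst-port=500,1701,4500 \
    action=accept comment="VPN: IKE/L2TP/NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="VPN: ESP"
/ip firewall filter move [find comment="VPN: ESP"] 0
/ip firewall filter move [find comment="VPN: IKE/L2TP/NAT-T"] 0

# Masquerade VPN clients onto the internal bridge
/ip firewall nat add chain=srcnat out-interface=bridge action=masquerade
```

Paste the script into a terminal (Winbox "New Terminal" or SSH) and check the result with `/ip ipsec peer print` and `/ip firewall filter print`.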


Configure Client Connection

There are countless devices that can be configured as clients. I’m going to configure the most common one: the L2TP VPN client built into Windows 10.


Start > Network and Sharing Center
Setup a new connection or network > Connect to a workplace (VPN)
No > Create a new connection

Use my internet connection (VPN)
Internet Address: Your router's WAN address (e.g. vpn.company.com, or a static IP such as 96.200.200.75)
Destination Name: Your name for this connection
Remember my credentials: Checked


Go to Adapter Settings > Right-Click VPN Connection > Properties
Security > Type of VPN: L2TP/IPSec
Advanced Settings > Use Preshared Key for Authentication: Enter the Pre-Shared Key from your L2TP IPsec Secret (under PPP > Interfaces > L2TP Server).
Allow these protocols: Check Only: Microsoft CHAP version 2


In Windows 10 you also have to re-enter the PSK and the saved credentials manually in a separate menu:

Right-Click VPN Connection > Connect
Select in list > Advanced Option > Edit
VPN Type: L2TP/IPSec with Pre-Shared Key: Enter Pre-Shared Key
Type of Sign-in Info
Username (From PPP > Secrets)
Password (From PPP > Secrets)
Connect


You should now be connected to the internal LAN of your Mikrotik network. Attempt pinging devices by IP to confirm connectivity.


NETBIOS does not work through the VPN — but FQDNs do.

For example, server1 will not resolve, but Server1.domain.local will.

If you absolutely need to resolve by local name, create a WINS server, and assign its IP within the PPP Profile for the WINS Server field.


If you need help diagnosing your VPN connection:

System > Logging
New (+)
Create Three Topics: l2tp, ppp, and ipsec
Action: Memory

From here you will be able to see the messages under "Log" and search for a solution to whatever needs adjusting.
