Mikrotik L2TP IPsec Dedicated VPN Appliance Setup

Mikrotik L2TP IPSec VPN Guide – Start to Finish Appliance

There are a small number of L2TP IPsec VPN guides; I found them pretty frustrating and often conflicting when integrating into an existing network. This guide provides full configuration steps for a Mikrotik L2TP/IPsec VPN appliance. It does not have to be the primary router: VPN clients are placed on their own network/bridge, and from there can connect in to the primary LAN.

First Steps

Update the Router Operating System

  • System > Packages > Check for Updates > Current > Download and Install

Disable Beeping Sounds on Boot

  • System > Routerboard > Settings > Silent Boot: Checked > OK

After reboot, upgrade the Router Firmware

  • System > Routerboard > Upgrade
  • System > Reboot > OK

Now Reset the router to defaults

  • System > Reset Configuration > OK

Disable the DHCP server

  • IP > DHCP Server > Select > X (Disable)

Set an identity

  • System > Identity > COMPANY-VPN

Add a static IP to the bridge.

  • IP > Addresses > + (Add) > IP/subnetmask (e.g. 192.168.100.1/24)

Add ETH2 to bridge

  • Bridge > port > + (Add) > ether2-master > bridge

Create two NAT rules (if not already present), a NAT for Internet Access from the LAN, and a NAT for LAN access from the VPN clients.

  • IP > Firewall > NAT > + (Add) > Chain:srcnat > Out Interface: Ether1 (WAN Port) > Action: Masquerade
  • IP > Firewall > NAT > + (Add) > Chain: srcnat > Out. Interface: bridge (LAN bridge) > Action: Masquerade

Security Hardening

Disable Unused Services

By default a Mikrotik comes with all services enabled.

Disable the services you don’t use.

  • IP > Services > Disable all except for Winbox (TCP 8291)
  • IP > Firewall > Service Ports > Disable ALL
  • Tools > RoMon > Disabled
  • IP > Settings > RP-Filter=strict (Prevents IP Spoofing)

Configure Password

Change the password used to administer the Mikrotik.

  • System > Password > Select a new password

Disable Winbox Discovery on WAN / Reverse Path Filtering

  • IP > Neighbors > Discovery Interfaces > Ether1: Disabled

VPN Settings Config

VPN Subnet

If you need to connect, say, 10 or more people via VPN, you may not want to consume addresses from the standard LAN range and its DHCP server. In that case, create a separate subnet for VPN users that can still communicate with the internal LAN.

To do this, there are four things to modify:

  1. Create a bridge — it does not need to be linked to any interface by port.
    1. Bridge > + (Add) > Name: vpn-bridge.
  2. Assign an IP Address to the VPN Bridge.
    1. IP > Addresses > + (Add) > 192.168.200.1/24
  3. Create a NAT rule if not already present; this lets VPN clients talk to the network
    1. IP > Firewall > NAT > + (Add) > Out-Interface: vpn-bridge > Action: Masquerade.
  4. Enable a DHCP server on the VPN Bridge
    1. IP > DHCP Server > Edit the DHCP entry > Interface: vpn-bridge.
    2. IP > DHCP Server > Networks
      1. Network: 192.168.200.0/24 — Your VPN Bridge LAN
      2. Gateway: 192.168.200.1 — Your VPN Bridge LAN IP Address
      3. DNS Servers:  IP of Domain Controller/DNS Server + 192.168.200.1 (VPN Bridge)
      4. Domain: your FQDN (company.local, etc).
      5. IP > Pool > Adjust IP range to match DHCP Server.
        1. E.g. 192.168.200.100-192.168.200.200

Create User Accounts

  • PPP > Secrets > + (Add)
    • Name: username
    • Password: password
    • Service: any
    • Profile: default

VPN Policy

  • PPP > Profiles > Edit “default”
    • General
      • Local Address: IP of Mikrotik
      • Remote Address: default-dhcp (IP pool)
      • Bridge: vpn-bridge
      • DNS Server(s): IP(s) of DNS servers in the building, usually a Domain Controller.
    • Limits – Rate-Limit — Optional — if you want to rate-limit per-client.
      • XXM/YYM, where XX is download and YY is upload in Mbps. (10M/5M)
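The VPN Subnet, Create User Accounts and VPN Policy steps above as RouterOS terminal commands (an added example, not the guide's own text). It creates a fresh pool and DHCP server instead of editing the default-dhcp entries, and assumes the names vpn-bridge and vpn-pool, an internal DNS server at 192.168.100.10 and a user jdoe.

```routeros
# Added example: CLI form of the VPN Subnet, user account and PPP profile
# steps. Assumed values: vpn-bridge, vpn-pool, DNS server 192.168.100.10,
# domain company.local, user jdoe. Paste into New Terminal.

# 1. Bridge with no member ports; PPP attaches VPN clients to it
/interface bridge add name=vpn-bridge

# 2. Gateway address for the VPN segment
/ip address add address=192.168.200.1/24 interface=vpn-bridge

# 3. Masquerade VPN clients toward the LAN. This is the second NAT rule
#    from First Steps (out-interface is the LAN bridge, which is the
#    direction VPN clients use); add it only if it is not already present.
/ip firewall nat add chain=srcnat out-interface=bridge action=masquerade comment="VPN clients to LAN"

# 4. Pool, DHCP network and DHCP server bound to the VPN bridge
/ip pool add name=vpn-pool ranges=192.168.200.100-192.168.200.200
/ip dhcp-server network add address=192.168.200.0/24 gateway=192.168.200.1 dns-server=192.168.100.10,192.168.200.1 domain=company.local
/ip dhcp-server add name=vpn-dhcp interface=vpn-bridge address-pool=vpn-pool disabled=no

# PPP profile: local side is the VPN gateway, clients draw from vpn-pool
# (the guide reuses default-dhcp here), land on vpn-bridge, get the LAN DNS
/ppp profile set default local-address=192.168.200.1 remote-address=vpn-pool bridge=vpn-bridge dns-server=192.168.100.10

# One VPN user; service=any so the secret is valid for L2TP
/ppp secret add name=jdoe password="ChangeMe-Example-Only" service=any profile=default
```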

L2TP VPN Bare Minimum Firewall Rules

IP > Firewall > Delete all rules possible.

Paste all rules below into New Terminal

VPN Rules

  • /ip firewall filter add chain=input action=accept comment="VPN L2TP UDP" in-interface=ether1 protocol=udp dst-port=500,1701,4500
  • /ip firewall filter add chain=input action=accept comment="VPN L2TP ESP" protocol=ipsec-esp
  • /ip firewall filter add chain=input action=accept comment="VPN L2TP AH" protocol=ipsec-ah

Public Router Security Rules

  • /ip firewall filter add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=ether1 src-address-list=BlackList
  • /ip firewall filter add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" in-interface=ether1 src-address-list=BlackList
  • /ip firewall filter add chain=input comment="Accept Established / Related Input" connection-state=established,related
  • /ip firewall filter add chain=forward comment="Accept Established / Related Forward" connection-state=established,related
  • /ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Detect Port Scanners" dst-port=21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=ether1 protocol=tcp
  • /ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Detect UDP WAN DNS Lookups to prevent DDoS" dst-port=53 in-interface=ether1 protocol=udp
  • /ip firewall filter add action=accept chain=input comment="Accept ICMP/Ping" protocol=icmp
  • /ip firewall filter add action=drop chain=input comment="Drop Input" in-interface=ether1

L2TP Server Enable

  • IP > IPsec > Peers
    • New (+)
      • Address: 0.0.0.0/0 (for allowing any internet IP to attempt to connect)
      • Auth Method: pre shared key
      • Exchange Mode: main l2tp
      • Secret: “SharedSecret” (Must match the PSK from PPP > L2TP Server)
    • Advanced Tab
      • Policy Template Group: default
      • Send Initial Contact: Enabled
      • NAT Traversal: Enabled
      • My ID type: auto
      • Generate Policy: port strict
      • Proposal Check: obey
    • Encryption Tab
      • Hash Algorithm: sha1, sha256
      • Encryption Algorithm: Check: aes-128, aes-192, aes-256
      • DH Group: Check: modp1024
  • IP > IPsec > Proposals: Default
      • Auth Algorithms: sha1, sha256
      • Encr Algorithms: aes-128 cbc, aes-192 cbc, aes-256 cbc
      • PFS Group: modp1024

Allow VPN to Local Routing

  • Interface > ether2 (LAN port) > ARP > Change from “Enabled” to “Proxy-Arp”

L2TP Server Config

  • PPP > Interface > L2TP Server
    • Enabled: Yes
    • Use IPsec: Yes
    • Default Profile: Change from “Default-encryption” to “default”
    • Authentication: MSCHAP2 ONLY
    • IPsec Secret: “SharedSecret” (match what was in the IPsec Peer)
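The IPsec peer and proposal, the proxy-ARP change and the L2TP server settings from the three sections above as RouterOS terminal commands (an added example, not the guide's own text). The keyword names follow the RouterOS 6.x CLI whose Winbox dialogs the guide uses (encryption settings on the peer itself) and should be checked against your version; the PSK placeholder and the ether2 lookup are assumptions.

```routeros
# Added example, not from the original guide: the L2TP Server Enable,
# Allow VPN to Local Routing and L2TP Server Config dialogs as CLI commands.
# Keyword names follow the RouterOS 6.x CLI matching those dialogs; check
# them against your version. The PSK is a placeholder: use a long random
# secret and the same value in both places below.

# IPsec phase 1 peer: any source address, PSK auth, main mode tuned for L2TP.
# Some 6.x builds accept only one hash-algorithm value; the guide's dialog
# ticks sha1 and sha256, and sha1 is the widely supported one.
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK" exchange-mode=main-l2tp policy-template-group=default send-initial-contact=yes nat-traversal=yes my-id=auto generate-policy=port-strict proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp1024

# IPsec phase 2 proposal used by the policies generated from the template.
# modp1024 as in the guide; prefer a stronger group if all clients support one.
/ip ipsec proposal set default auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc pfs-group=modp1024

# Proxy-ARP on the LAN port so LAN hosts can reach VPN client addresses.
# Looked up by default-name because the port may be named ether2-master.
/interface ethernet set [find default-name=ether2] arp=proxy-arp

# L2TP server: IPsec on, MS-CHAPv2 only, plain "default" PPP profile,
# PSK identical to the peer's secret.
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK" default-profile=default authentication=mschap2
```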

Now you can connect from a Windows or Mac client.

Note about DNS lookups

If you try performing a NETBIOS broadcast, for example: “ping server01”, it will time out.

NETBIOS broadcast does not work through the VPN — but FQDNs do.

For example, server01 will not resolve.

Server01.domain.local will resolve

If you need to connect to an internal terminal server but don’t want to use an IP address instead of a hostname, create a matching A record on the internal DNS server (e.g. remote.company.com); this lets internal clients resolve it directly as well.

Additional Steps – Run once

New Terminal Button, copy/paste

#Set the device to reboot every month at 4AM, can’t hurt 🙂

/system scheduler add interval=30d name="Reboot Router Monthly" on-event="/system reboot" start-date=jan/01/1970 start-time=4:00:00

#Set the clock time zone

/system clock set time-zone-name=America/Los_Angeles

#Set the time servers

/system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4 server-dns-names=time1.google.com,time2.google.com

Multiple Clients — Same Source IP Problem

This is an issue for ANY L2TP VPN appliance, not just Mikrotik gear. The L2TP protocol always initiates connections on the same port, UDP 1701. Carried inside the header is an identifier, usually including the source IP address of the connecting client. If you have a single computer connecting, there are no issues. If you have a second computer in the same network (e.g. two laptops at a hotel trying to VPN in), the most recent connection will kick off the previous, pre-established connection.

As a note, there is an optional setting in the L2TP VPN protocol: with a Strict Port setting, clients can select a different UDP port once a connection is established, rather than being hard-coded to UDP 1701. In practice, it works on Macs/Linux and does not work on Windows clients. I’ve had 5x OSX devices connect from the same source IP without issue. I’ve had 1x Windows and 5x OSX devices connect without issue. The moment a second Windows L2TP client attempts to connect, the previous connection will be kicked.

What’s the fix if you’ve got a lot of Windows clients sharing the same source IP? Use different source IPs (cell-phone hotspot), or configure an IKEv2 VPN server rather than an L2TP VPN server. I am currently writing a detailed IKEv2 Mikrotik VPN guide.

Troubleshooting

  • System > Logging
    • New (+)
    • Create Three Topics: l2tp, ppp, and ipsec
    • Action: Memory
    • From here you will be able to see logs under “Log” and google your solution where something may need adjusting.
  • For Windows 10, make sure you enter the pre-shared key twice: once when creating the VPN connection, and again by editing the connection after Windows has made it, because it isn’t saved automatically.

Windows error for a missing client pre-shared key: “The L2TP Connection failed because the security layer encountered a processing error during initial negotiations.”

Mikrotik errors for a missing client pre-shared key. Log: “no peer config” or “failed to get valid proposal” or “failed to pre-process ph1”

  • For macOS, make sure you configure “tunnel all” mode in Advanced under System Preferences > Networking when adding an L2TP IPsec connection. Without tunnel all, you will only be able to ping the gateway (192.168.200.1), rather than other devices in the network.

2 thoughts on “Mikrotik L2TP IPsec Dedicated VPN Appliance Setup”

  1. You should enable “RP filter” too:
    /ip settings set rp-filter=strict

    That will do a nice job against IP spoofing, and it takes less CPU to run and is easier to set up than doing the same thing with classic ‘/ip firewall filter’ rules.
