Mikrotik L2TP IPSec VPN Guide – Start to Finish Appliance
There are only a few L2TP/IPsec VPN guides for Mikrotik; I found them frustrating and often conflicting when integrating into an existing network. This guide provides the full configuration steps for a Mikrotik L2TP/IPsec VPN appliance. It does not have to be the primary router: VPN clients are placed on their own network/bridge, and from there can connect to the primary LAN.
Update the Router Operating System
- System > Packages > Check for Updates > Current > Download and Install
Disable Beeping Sounds on Boot
- System > Routerboard > Settings > Silent Boot: Checked > OK
After reboot, upgrade the Router Firmware
- System > Routerboard > Upgrade
- System > Reboot > OK
Now Reset the router to defaults
- System > Reset Configuration > OK
Disable the DHCP server
- IP > DHCP Server > Select > X (Disable)
Set an identity
- System > Identity > COMPANY-VPN
Add a static IP to the bridge.
- IP > Addresses > + (Add) > IP/subnetmask (e.g. 192.168.100.1/24)
Add ETH2 to bridge
- Bridge > port > + (Add) > ether2-master > bridge
Create two NAT rules (if not already present): one for Internet access from the LAN, and one for LAN access from the VPN clients.
- IP > Firewall > NAT > + (Add) > Chain: srcnat > Out. Interface: ether1 (WAN port) > Action: Masquerade
- IP > Firewall > NAT > + (Add) > Chain: srcnat > Out. Interface: bridge (LAN bridge) > Action: Masquerade
Disable Unused Services
By default a Mikrotik comes with all services enabled; disable the ones you don’t use.
- IP > Services > Disable all except for Winbox (TCP 8291)
- IP > Firewall > Service Ports > Disable ALL
- Tools > RoMon > Disabled
Change the Mikrotik’s password to administer the device
- System > Password > Select a new password
Disable Winbox Discovery on WAN / Reverse Path Filtering
- IP > Neighbors > Discovery Interfaces > ether1: Disabled
- IP > Settings > RP-Filter=strict (prevents IP spoofing)
VPN Settings Config
If you need to connect, say, 10+ people via VPN, you may not want to consume IPs from the standard LAN range and its DHCP server. In that case, create a separate subnet for VPN users that can still communicate with the internal LAN.
To do this, there are four things to modify:
- Create a bridge — it does not need to be linked to any interface by port.
  - Bridge > + (Add) > Name: vpn-bridge.
- Assign an IP address to the VPN bridge.
  - IP > Addresses > + (Add) > 192.168.200.1/24 > Interface: vpn-bridge
- Create a NAT rule if not already present — this lets VPN clients talk to the network.
  - IP > Firewall > NAT > + (Add) > Chain: srcnat > Out. Interface: vpn-bridge > Action: Masquerade.
- Enable a DHCP server on the VPN bridge.
  - IP > DHCP Server > Edit the DHCP entry > Interface: vpn-bridge.
  - IP > DHCP Server > Networks
    - Network: 192.168.200.0/24 — your VPN bridge LAN
    - Gateway: 192.168.200.1 — your VPN bridge LAN IP address
    - DNS Servers: IP of Domain Controller/DNS server + 192.168.200.1 (VPN bridge)
    - Domain: your FQDN (company.local, etc.).
  - IP > Pool > Adjust the IP range to match the DHCP server.
    - E.g. 192.168.200.100-192.168.200.200
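The same four changes as RouterOS terminal commands, so the whole VPN subnet can be built in one paste and checked afterwards. This is an added example, not the guide author's script; it assumes RouterOS v6 syntax, a LAN bridge named "bridge", the domain company.local from the guide, and an internal DNS server at 192.168.100.10 (a constructed address; use your Domain Controller's).

```routeros
# Added example (not from the guide): "VPN Settings Config" as RouterOS v6 commands.
# Assumptions: internal DNS server 192.168.100.10 (constructed), LAN bridge "bridge",
# LAN domain company.local.

# 1. A bridge with no ports: it exists only to hold the VPN subnet.
/interface bridge add name=vpn-bridge comment="L2TP/IPsec client network"

# 2. Gateway address for VPN clients.
/ip address add address=192.168.200.1/24 interface=vpn-bridge

# 3. Masquerade traffic leaving via the VPN bridge so clients can talk to the network.
/ip firewall nat add chain=srcnat out-interface=vpn-bridge action=masquerade \
    comment="VPN clients to network"

# 4. DHCP for the VPN subnet: address pool, server bound to the bridge, and the
#    network options (gateway, DNS, domain) handed to clients.
/ip pool add name=vpn-pool ranges=192.168.200.100-192.168.200.200
/ip dhcp-server add name=vpn-dhcp interface=vpn-bridge address-pool=vpn-pool \
    lease-time=1d disabled=no
/ip dhcp-server network add address=192.168.200.0/24 gateway=192.168.200.1 \
    dns-server=192.168.100.10,192.168.200.1 domain=company.local

# Check: the bridge has its address and the DHCP server is enabled on it.
/ip address print where interface=vpn-bridge
/ip dhcp-server print
/ip dhcp-server network print
```

If a DHCP server entry already exists from the factory defaults (the one disabled earlier), edit it to point at vpn-bridge and vpn-pool instead of adding a second one.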
Create User Accounts
- PPP > Secrets > + (Add)
  - Name: username
  - Password: password
  - Service: any
- PPP > Profiles > Edit “default”
  - Local Address: IP of Mikrotik
  - Remote Address: default-dhcp (IP pool)
  - Bridge: vpn-bridge
  - DNS Server(s): IP(s) of DNS servers in the building, usually a Domain Controller.
  - Limits > Rate-Limit — Optional — if you want to rate-limit per client.
    - XXM/YYM, where XX is download and YY is upload in Mbps (e.g. 10M/5M).
L2TP VPN Bare Minimum Firewall Rules
IP > Firewall > Delete all rules possible.
Paste all rules below into New Terminal
- /ip firewall filter add chain=input action=accept comment="VPN L2TP UDP" in-interface=ether1 protocol=udp dst-port=500,1701,4500
- /ip firewall filter add chain=input action=accept comment="VPN L2TP ESP" protocol=ipsec-esp
- /ip firewall filter add chain=input action=accept comment="VPN L2TP AH" protocol=ipsec-ah
Public Router Security Rules
- /ip firewall filter add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=ether1 src-address-list=BlackList
- /ip firewall filter add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" in-interface=ether1 src-address-list=BlackList
- /ip firewall filter add action=accept chain=input comment="Accept Established / Related Input" connection-state=established,related
- /ip firewall filter add action=accept chain=forward comment="Accept Established / Related Forward" connection-state=established,related
- /ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Detect Port Scanners" dst-port=21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=ether1 protocol=tcp
- /ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Detect UDP WAN DNS Lookups to prevent DDoS" dst-port=53 in-interface=ether1 protocol=udp
- /ip firewall filter add action=accept chain=input comment="Accept ICMP/Ping" protocol=icmp
- /ip firewall filter add action=drop chain=input comment="Drop Input" in-interface=ether1
L2TP Server Enable
- IP > IPsec > Peers > New (+)
  - Address: 0.0.0.0/0 (allows any Internet IP to attempt to connect)
  - Auth Method: pre shared key
  - Exchange Mode: main l2tp
  - Secret: “SharedSecret” (must match the IPsec Secret under PPP > L2TP Server)
  - Advanced Tab
    - Policy Template Group: default
    - Send Initial Contact: Enabled
    - NAT Traversal: Enabled
    - My ID type: auto
    - Generate Policy: port strict
    - Proposal Check: obey
  - Encryption Tab
    - Hash Algorithm: sha1, sha256
    - Encryption Algorithm: Check: aes-128, aes-192, aes-256
    - DH Group: Check: modp1024
- IP > IPsec > Proposals > Default (edit the existing entry, or New (+) if it is missing)
  - Auth Algorithms: sha1, sha256
  - Encr Algorithms: aes-128 cbc, aes-192 cbc, aes-256 cbc
  - PFS Group: modp1024
Allow VPN to Local Routing
- Interface > ether2 (LAN port) > ARP > Change from “Enabled” to “Proxy-Arp”
L2TP Server Config
- PPP > Interface > L2TP Server
  - Enabled: Yes
  - Use IPsec: Yes
  - Default Profile: Change from “default-encryption” to “default”
  - Authentication: MSCHAP2 ONLY
  - IPsec Secret: “SharedSecret” (match what was entered in the IPsec Peer)
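The user, IPsec, proxy-ARP and L2TP server steps above as RouterOS terminal commands, so the two places the pre-shared key must match are visible side by side. This is an added example, not the guide author's script. It assumes RouterOS 6.42 or earlier, where the pre-shared key is set on the IPsec peer (from 6.43 it lives under /ip ipsec identity); a LAN port named ether2 (ether2-master on some boards); a VPN bridge named vpn-bridge with an address pool named vpn-pool (the guide's pool is called default-dhcp, so substitute your pool name); and an internal DNS server at 192.168.100.10 (a constructed address). The REPLACE-ME values are placeholders. The algorithm choices follow the guide; modp1024 and sha1 are legacy settings kept only for client compatibility, and sha256 with a larger DH group is preferable where every client supports it.

```routeros
# Added example (not from the guide): "Create User Accounts", "L2TP Server Enable",
# "Allow VPN to Local Routing" and "L2TP Server Config" as RouterOS v6 commands.
# Assumptions: RouterOS <= 6.42 peer syntax, LAN port ether2, bridge vpn-bridge,
# pool vpn-pool, internal DNS 192.168.100.10 (constructed), REPLACE-ME placeholders.

# Per-user credentials. The guide uses service=any; service=l2tp limits the
# account to this one service.
/ppp secret add name=REPLACE-ME-username password=REPLACE-ME-password \
    service=l2tp profile=default

# PPP profile: hand out addresses from the VPN pool, put clients on the VPN bridge,
# and push the internal DNS server. rate-limit is rx/tx as seen by the router:
# rx = client upload, tx = client download (so 5M/10M is 5 Mbps up, 10 Mbps down).
/ppp profile set default local-address=192.168.200.1 remote-address=vpn-pool \
    bridge=vpn-bridge dns-server=192.168.100.10 rate-limit=5M/10M

# IKE phase 1: accept any source address, main mode for L2TP, PSK authentication.
# The peer's hash-algorithm takes a single value on these versions, so sha256 is used.
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
    secret="REPLACE-ME-psk" exchange-mode=main-l2tp send-initial-contact=yes \
    nat-traversal=yes generate-policy=port-strict proposal-check=obey \
    policy-template-group=default hash-algorithm=sha256 \
    enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp1024

# IKE phase 2 proposal (the guide edits the default one rather than adding a new one).
/ip ipsec proposal set default auth-algorithms=sha256,sha1 \
    enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc pfs-group=modp1024

# Let VPN clients reach LAN hosts: the router answers ARP on the LAN port on their behalf.
/interface ethernet set ether2 arp=proxy-arp

# The L2TP server itself. ipsec-secret MUST equal the peer secret above, and
# mschap2 is the only authentication method left enabled.
/interface l2tp-server server set enabled=yes use-ipsec=yes \
    ipsec-secret="REPLACE-ME-psk" default-profile=default authentication=mschap2

# Keep L2TP, PPP and IPsec events in the in-memory log for troubleshooting.
/system logging add topics=l2tp,ppp,ipsec action=memory

# Check after a client connects: an established IKE SA and an active PPP session.
/ip ipsec remote-peers print
/ppp active print
/log print where topics~"ipsec|l2tp"
```

If the peer and the L2TP server hold different secrets, phase 1 never completes and the log shows the IPsec errors listed in the troubleshooting notes further down, so checking these two lines first saves time.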
Now you can connect from a Windows or Mac client.
Note about DNS lookups
If you try a NetBIOS broadcast lookup, for example “ping server01”, it will time out.
NetBIOS broadcasts do not work through the VPN — but FQDNs do.
For example, server01 will not resolve, but server01.domain.local will.
If you need to connect to an internal terminal server but don’t want to use an IP address as the hostname, create an A record on the internal DNS server for it (e.g. remote.company.com); this lets internal clients resolve it directly as well.
Additional Steps – Run once
New Terminal Button, copy/paste
#Set the device to reboot every month at 4AM, can’t hurt 🙂
/system scheduler add interval=30d name="Reboot Router Monthly" on-event="/system reboot" start-date=jan/01/1970 start-time=4:00:00
#Set the clock time zone
/system clock set time-zone-name=America/Los_Angeles
#Set the time servers
/system ntp client set enabled=yes primary-ntp=126.96.36.199 secondary-ntp=188.8.131.52 server-dns-names=time1.google.com,time2.google.com
Multiple Clients — Same Source IP Problem
This is an issue for ANY L2TP VPN appliance, not just Mikrotik gear. The L2TP protocol always initiates connections on the same port, UDP 1701. Carried inside the header is an identifier — usually including the source IP address of the connecting client. If you have a single computer connecting, there are no issues. If you have a second computer in the same network (e.g. two laptops at a hotel trying to VPN in), the most recent connection will kick off the previous, already established connection.
As a note, there is an optional setting in the L2TP VPN protocol, the Strict Port setting, that allows clients to select a different UDP port once a connection is established, rather than being hard-coded to UDP 1701. In practice, it works on Macs/Linux, and does not work on Windows clients. I’ve had 5x OSX devices connect from the same source IP without issue. I’ve had 1x Windows, and 5x OSX devices connect without issue. The moment you have a second Windows L2TP client attempt to connect, the previous connection will be kicked.
What’s the fix if you’ve got a lot of Windows clients sharing the same source IP? Use different source IPs (cell-phone hotspot), or configure an IKEv2 VPN server rather than an L2TP VPN server. I am currently writing a detailed IKEv2 Mikrotik VPN guide.
- System > Logging > New (+)
  - Topics: create three entries, for l2tp, ppp, and ipsec
  - Action: Memory
- From here you will be able to see logs under “Log” and google your solution where something may need adjusting.
- For Windows 10, make sure you enter the pre-shared key twice — once when creating the VPN connection, and again by editing the connection after Windows has created it — it isn’t saved automatically.
  - Windows error when no pre-shared key is saved on the client: “The L2TP Connection failed because the security layer encountered a processing error during initial negotiations.”
  - Mikrotik log entries for the same condition: “no peer config”, “failed to get valid proposal” or “failed to pre-process ph1”
- For macOS, make sure you configure “tunnel all” mode under Advanced in System Preferences > Network when adding an L2TP/IPsec connection. Without tunnel all, you will only be able to ping the gateway (192.168.200.1), rather than other devices in the network.