How to Configure L2TP/IPSec VPN Server on MikroTik

L2TP/IPsec VPN is a remote access VPN that combines L2TP (Layer 2 Tunneling Protocol) for tunneling with IPsec (Internet Protocol Security) for encryption and authentication. It provides a secure connection between remote users and a private network over the internet.

Why use L2TP/IPsec?

  • Strong security: IPsec provides robust encryption and authentication, making it a secure choice for protecting data in transit.
  • Cross-platform compatibility: Natively supported by Windows, macOS, Linux, Android, and iOS, eliminating the need for third-party VPN clients in most cases.
  • Easy deployment: Built-in client support simplifies configuration and management across multiple devices.
  • Wide interoperability: Works well in mixed environments with different operating systems and devices.

Limitations

  • Lower performance: The combination of L2TP encapsulation and IPsec encryption introduces additional overhead, which can reduce throughput and increase latency compared to newer VPN protocols.
  • NAT traversal complexity: Requires specific ports (UDP 500, UDP 4500, and UDP 1701), which may be blocked or require additional configuration on firewalls and NAT devices.
  • More complex configuration: Certificate management, pre-shared keys, and firewall rules can make deployment more challenging than modern VPN solutions.
  • Not as efficient as modern protocols: Protocols such as WireGuard generally offer better performance, simpler configuration, and a smaller codebase while maintaining strong security.
  • Can be easier to detect or block: Since L2TP/IPsec uses well-known ports, restrictive networks may identify and block VPN traffic more easily than protocols designed to better traverse network restrictions.

How to Configure MikroTik as an L2TP/IPsec VPN Server

  1. Configure the IPsec proposal
    Log in to the MikroTik router and open IP > IPsec > Proposals. The simplest approach is to update the settings of the default proposal to match your requirements (authentication algorithm, encryption algorithm, etc.) rather than creating a new one.
    Finish by clicking Apply > OK.

  2. Configure the PPP profile

    Go to PPP > Profiles.
    The simplest way is to modify the default-encryption profile; alternatively, create a dedicated profile for the L2TP VPN.

    Here the default-encryption profile is edited with the following parameters:
    Local address: the address that the L2TP client sees as the server end of the tunnel
    DNS server: the DNS server that L2TP clients will use

    Additional:
    Remote address: optional, since the remote address can also be set statically for each L2TP VPN user (step 4).
    This field can also refer to an IP pool, so that each client is assigned an address from that pool.

  3. Enable the L2TP server interface
    Go to PPP > Interface > L2TP Server > General.
    Tick Enabled, review the protocol options, set Use IPsec = yes, and set IPsec Secret as required; this secret is the pre-shared key that every client must enter.
    Finish by clicking Apply > OK.

  4. Create an L2TP user

    Still in the same window, open the Secrets tab and click Add (+).

    Name: username of the new user
    Password: the user's password
    Service: l2tp
    Profile: default-encryption
    Local address: IP address that the L2TP client sees as the server end of the tunnel
    Remote address: IP address assigned to the L2TP client
    Routes: subnets/networks that need to be reachable from the L2TP client

  5. Additional settings
    1. The following ports must be allowed in the firewall for the L2TP/IPsec VPN to work:

    L2TP: UDP 1701 (default)
    ISAKMP (IKE): UDP 500
    NAT traversal: UDP 4500
    Chain: input
    Action: accept

    2. Add the subnet used for L2TP clients to Firewall > NAT (a source NAT rule); this ensures that L2TP clients can reach the internet while connected to the VPN.

    At this point a client can test the connection to the VPN server. The client needs the following information:
  • the (public) IP address or domain name of the MikroTik router, in this case 192.168.247.128
  • the PPP username and password (step 4)
  • the pre-shared key (the IPsec secret from step 3)
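The same five steps, typed into the RouterOS terminal instead of WinBox. This is an added example, not part of the original post: the address plan 10.10.10.0/24, the WAN interface name ether1, the pool name l2tp-pool, the username vpnuser and the CHANGE-ME secrets are assumptions, and the algorithm choices are only an illustration of what the default proposal can be set to. It also goes slightly beyond the post with two hardening rules (accepting ESP for clients that are not behind NAT, and accepting UDP 1701 only when it arrives inside IPsec) and a few commands for verifying that a client really negotiated IPsec.

```routeros
# Step 1: IPsec proposal. The L2TP server uses the proposal named "default" for the
# peer it creates dynamically, so edit that one. Algorithms below are example values;
# keep only what your client operating systems support.
/ip ipsec proposal set default auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none

# Step 2: address pool for clients and the PPP profile the L2TP server will hand out.
# local-address is the server end of the tunnel, remote-address comes from the pool.
/ip pool add name=l2tp-pool ranges=10.10.10.2-10.10.10.50
/ppp profile set default-encryption local-address=10.10.10.1 remote-address=l2tp-pool dns-server=10.10.10.1

# Step 3: enable the L2TP server with IPsec. ipsec-secret is the pre-shared key the
# clients must enter; authentication=mschap2 (not in the post) disables the weaker
# PAP/CHAP/MS-CHAPv1 methods that are otherwise accepted by default.
/interface l2tp-server server set enabled=yes default-profile=default-encryption use-ipsec=yes ipsec-secret="CHANGE-ME-preshared-key" authentication=mschap2

# Step 4: one PPP secret per user. Addresses are inherited from the profile/pool,
# so local-address and remote-address are left unset here.
/ppp secret add name=vpnuser password="CHANGE-ME-user-password" service=l2tp profile=default-encryption

# Step 5a: input-chain firewall rules. IKE and NAT-T ports as listed in the post, plus
# ESP (IP protocol 50) for clients that are not behind NAT and therefore never switch
# to UDP 4500. The L2TP rule uses the ipsec-policy matcher so that unencrypted L2TP
# on UDP 1701 is never accepted from the internet.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="ESP (no NAT between client and router)"
/ip firewall filter add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP only inside IPsec"
# "add" appends at the end of the chain. If the input chain already ends with a drop
# rule (as in the default firewall), move these three rules above it, e.g.:
#   /ip firewall filter print
#   /ip firewall filter move <rule-number> destination=0

# Step 5b: source NAT so that clients in 10.10.10.0/24 can reach the internet.
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 out-interface=ether1 action=masquerade comment="L2TP clients to internet"

# Verification after a client connects: the server state, the IKE peer, the installed
# IPsec SAs and the PPP session should all be present. An L2TP session in "ppp active"
# without a matching entry in "installed-sa" means the tunnel is NOT encrypted.
/interface l2tp-server server print
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ppp active print

# Optional: keep L2TP/IPsec negotiation messages in the in-memory log (without the
# very noisy packet dumps) so failed connections can be diagnosed.
/system logging add topics=l2tp,ipsec,!packet action=memory
/log print where topics~"ipsec"
```

The firewall ordering matters more than it looks: on a router with the default firewall, a freshly added input rule lands after the final drop rule and is never reached, which shows up as a client that times out during IKE with nothing in the log. The `ipsec-policy=in,ipsec` matcher is what enforces the post's "Use IPsec = yes" at the packet level, since that setting alone still allows a client to bring up a plain L2TP session; `/interface l2tp-server server set use-ipsec=required` is the server-side equivalent on RouterOS versions that support it.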
