This article shows you how to configure a Mikrotik L2TP server over IPSec.
With the release of macOS 10.12 Sierra and iOS 10, Apple removed the PPTP client from these operating systems for security reasons. So if you were previously using a PPTP client to connect to your office LAN, you will no longer be able to do so on macOS 10.12 and iOS 10.
Do not worry, though: there is a better solution, L2TP over IPSec, which gives a far more secure connection than PPTP (PPTP's MS-CHAPv2 authentication and RC4-based MPPE encryption are both broken). This article shows you how to configure a Mikrotik router as an L2TP/IPSec server. Once it is configured you can connect Mac, iPhone, Android, Windows, or Linux machines as L2TP clients using their built-in VPN clients.
Let's move on to the configuration.
In this sample configuration I use a Mikrotik CCR running RouterOS version 6.23, and Winbox to connect to the router remotely. The commands below are entered in the RouterOS terminal.
Assign IP address for VPN network
I use the subnet 172.30.19.0/28 for the VPN clients; of course you can use any address range you want. The address is bound to vlan-19-Access-VPN, an existing VLAN interface on this router; use whichever LAN-side interface the VPN subnet should live on.
/ip address add address=172.30.19.1/28 interface=vlan-19-Access-VPN network=172.30.19.0
Enable L2TP Server
By default the L2TP server is disabled, so you have to enable it manually as below:
/interface l2tp-server server set default-profile=default enabled=yes
Create IP Pool
Users who connect to the VPN server need to be assigned IP addresses. Although you can statically assign an address to each user one by one, it is more practical to assign them dynamically from an IP pool. Addresses from this pool are handed out to users as they connect:
/ip pool add name=vpn-pool ranges=172.30.19.2-172.30.19.14
Create PPP Profile
To simplify address assignment, create a PPP profile for connected users. The profile fixes the server-side (local) address, hands out client (remote) addresses from the pool, and pushes DNS servers to the client:
/ppp profile add dns-server=8.8.8.8,8.8.4.4 local-address=172.30.19.1 name=vpn-profile remote-address=vpn-pool use-encryption=yes
Create a PPP account for each user
Each user needs a username and password to authenticate to the L2TP server. The password below is a placeholder; give every user a strong, unique one:
/ppp secret add name=fuad password=yourpassword profile=vpn-profile
Create IPSec Peer
This is what makes it different from a PPTP server. For L2TP over IPSec we also have to create an IPSec peer, which accepts connections from any client address and authenticates them with a pre-shared key:
/ip ipsec peer add dpd-maximum-failures=2 enc-algorithm=3des,aes-128,aes-256 exchange-mode=main-l2tp generate-policy=port-override local-address=172.30.19.1 secret=1234567890
Two caveats on this command. The secret 1234567890 is only a placeholder: the pre-shared key is shared by every client and anyone who knows it can impersonate the server, so use a long random string. And 3des is a weak 64-bit block cipher (the Sweet32 attack); leave it out of enc-algorithm unless an old client genuinely needs it.
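Here is the whole procedure as one RouterOS 6.x script with the settings a security engineer would tighten. This is an added example, not the configuration from the original post: it keeps the post's addressing and names, assumes ether1 is the WAN interface (an assumption, not stated in the post), replaces the placeholder pre-shared key and user password with values you must change, drops 3DES, binds the L2TP server to the VPN profile, and adds the firewall input rules the post does not show. The syntax is for RouterOS 6.x up to 6.42; from 6.43 onwards the secret and auth-method move to /ip ipsec identity.

```routeros
# Added example, not the post's own configuration (RouterOS 6.x syntax).
# Assumptions: ether1 is the WAN interface; vlan-19-Access-VPN already exists
# as in the post; the PSK and user password below are placeholders.

# --- Addressing (as in the post) ---
/ip address add address=172.30.19.1/28 interface=vlan-19-Access-VPN network=172.30.19.0
/ip pool add name=vpn-pool ranges=172.30.19.2-172.30.19.14

# --- PPP: profile and one account ---
/ppp profile add name=vpn-profile local-address=172.30.19.1 remote-address=vpn-pool \
    dns-server=8.8.8.8,8.8.4.4 use-encryption=yes
# service=l2tp stops this account from also being usable on PPTP/SSTP/PPPoE
/ppp secret add name=fuad password="REPLACE-WITH-STRONG-USER-PASSWORD" \
    profile=vpn-profile service=l2tp

# --- L2TP server, bound to the VPN profile rather than to 'default' ---
/interface l2tp-server server set enabled=yes default-profile=vpn-profile

# --- IPsec phase 2 proposal without 3DES ---
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc \
    auth-algorithms=sha1

# --- IPsec responder peer for road-warrior clients (any source address) ---
# Weak settings in the post:  enc-algorithm=3des,...  secret=1234567890
# Hardened here:              AES only, long random PSK, DH group 14 offered first
# hash-algorithm stays sha1: it is used as an HMAC here, and the built-in
# Windows/iOS/Android clients negotiate it. nat-traversal=yes is required for
# clients behind NAT (UDP 4500 encapsulation).
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp auth-method=pre-shared-key \
    secret="REPLACE-WITH-32-PLUS-RANDOM-CHARS" enc-algorithm=aes-256,aes-128 \
    hash-algorithm=sha1 dh-group=modp2048,modp1024 generate-policy=port-override \
    nat-traversal=yes dpd-interval=30s dpd-maximum-failures=3

# --- Firewall: what the tunnel needs on the WAN input chain ---
# 'add' appends at the end of the chain; move these rules above any
# catch-all drop rule you already have (place-before= or drag in Winbox).
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE and NAT-T from L2TP/IPsec clients"
/ip firewall filter add chain=input in-interface=ether1 protocol=ipsec-esp \
    action=accept comment="ESP from L2TP/IPsec clients"
# L2TP control traffic is accepted only after IPsec has decrypted it ...
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP only inside IPsec"
# ... and plaintext L2TP from the Internet is refused explicitly.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=1701 \
    action=drop comment="Plaintext L2TP is not allowed"
```

The ipsec-policy=in,ipsec matcher on the UDP 1701 rule is the check worth keeping: it makes the router refuse an L2TP session that somehow arrives outside an IPsec tunnel, so a misconfigured client cannot silently fall back to unencrypted L2TP with only PPP authentication protecting the credentials.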
With the configuration above, the Mikrotik should be ready to accept L2TP requests from clients. Clients connect to the router's public (WAN) address, supplying the pre-shared key for IPSec and their PPP username and password for L2TP. If your firewall input chain drops traffic from the WAN, you also need to accept UDP 500 and 4500 (IKE and NAT-T), ESP (IP protocol 50) and UDP 1701 (L2TP), the last one ideally only for packets that arrived through an IPSec policy. Hopefully this post is helpful for those of you looking for an L2TP configuration on Mikrotik.
Why did you create that VLAN? It's useless, and setting the local address in the IPsec peer to the same value as in the PPP profile is also pointless. Just set it on the PPP profile.
Is the VLAN interface attached to ether1? And when you connect, do you put in 172.30.19.1 or the WAN address of the router?
Since it is a VLAN, you can attach it to any etherX you have, as long as it is active, but it is better to set it on the LAN interface.
I have tested it with an RB CCR on 6.37; it works 100% fine.
Thanks.
Hi Zaki, thanks for stopping by. Glad to hear that it works :)
Will this work with multiple clients behind the same NAT?
Yes, it will.
It does not work.
How did you test it? I have tested it working with OS X El Capitan, macOS Sierra, Windows 10, iOS 10, and Android M/N.
Android didn't work.