How to configure Mikrotik L2TP Server over IPSec

This article shows you how to configure Mikrotik L2TP server over IPSec.

With the release of macOS 10.12 Sierra and iOS 10, Apple has removed PPTP client on these operating systems for security reasons. So if you previously are using PPTP client to connect to your LAN office, you will not be able to do it anymore on macOS 10.12 and iOS 10.

However, do not worry, fortunately there is a better solution using L2TP over IPSec which offers more secure connection than PPTP. This article shows you how to configure Mikrotik as an L2TP server. With this L2TP server configured you can later connect your Mac, iPhone, Android, Windows, or Linux as the L2TP clients.

Lets move forward to the configuration

In this sample configuration, I use Mikrotik CCR running RouterOS version 6.23. Use Winbox to connect to the Mikrotik router remotely.

Assign IP address for VPN network

I use IP address 172.30.19.0/28. Of course you can assign the IP address as you want.

mikrotik-l2tp-server-setting-ip

/ip address
add address=172.30.19.1/28 interface=vlan-19-Access-VPN network=172.30.19.0

Enable L2TP Server

By default, the L2TP server is disable you have to enable it manually as below

mikrotik-l2tp-server-enable

/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=1234567890 use-ipsec=yes

Change the ‘ipsec-secret’ with yours.

Create IP Pool

Users who connect to the VPN server need to be assigned with IP addresses. Although you can statically assign IP address for users one by one, but it is more effective to assign it dynamically using IP Pool. This IP pool will be dynamically assigned to the connected users.

mikrotik-l2tp-server-ip-pool

/ip pool
add name=vpn-pool ranges=172.30.19.2-172.30.19.14

Create PPP Profile

To make it easy in the IP address assignment, create PPP profile for connected users.

mikrotik-l2tp-server-profile

/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=172.30.19.1 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes

Create PPP account for each users

Users have to be assigned with username and password to be able to connect to the L2TP server

mikrotik-l2tp-server-secret

/ppp secret
add name=fuad password=yourpassword profile=vpn-profile

Create IPSec Peer

This is what make it different with PPTP server. In L2TP over IPSec we have to create an IPSec peer as below:

mikrotik-l2tp-server-ipsec-peer

/ip ipsec peer
add dpd-maximum-failures=2 enc-algorithm=3des,aes-128,aes-256 exchange-mode=main-l2tp \
    generate-policy=port-override local-address=172.30.19.1 secret=1234567890

With the configuration above, the Mikrotik should be ready to accept L2TP request from clients. Hopefully this post is helpful for you who are looking for L2TP configuration on Mikrotik.

  • Zaki Fuadi

    I have test it with RB CCR 6.37, 100% work fine
    Thanks.

    • Hi Zaki, thanks for stopping by. Glad to hear that it works :)

  • cactuscraig

    will this work with multiple clients behind same NAT?

  • jose lopez

    it does not work

    • How did you test it? I have tested it working with OSX Elcapitan, macOS Sierra, Windows 10, iOS 10, Android M/N.

      • Neezar Rakhman

        ANDROID didnt work