a clear configuration L2TP server on a Mikrotik router

pcunite · January 26, 2019, 9:23pm

Here is how to do it for iOS and Windows 10. Note, that the Windows 10 profile needs to be created via command line to get AES256 support. I don’t have experience with Android, but generally speaking, if you can’t connect you’ll need to use hash-algorithm=sha1 and other less secure methods (not recommended).

##################################################
# Minimal settings for L2TP/IPSec VPN
# Works with iOS 11 and Windows 10
# 
# Windows 10 creation requirements
# Add-VpnConnection -Name "MyVPN" -ServerAddress 1.2.3.4 -TunnelType "L2tp"
# Set-VpnConnectionIPsecConfiguration -ConnectionName "MyVPN" -EncryptionMethod AES256 -CipherTransformConstants AES256 -IntegrityCheckMethod SHA256 -PfsGroup ECP256 -DHGroup ECP256 -AuthenticationTransformConstants SHA196 -PassThru -Force
#
##################################################

# Server settings
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes use-ipsec=required ipsec-secret="PasswordSecret"

# Create an username tied to a specific interface
/interface l2tp-server
add name=L2TP1 user=uservpn

# User password
/ppp secret
add name=uservpn password="PasswordUser" service=l2tp

# Give them an IP address from the LAN pool
/ppp profile
set default local-address=192.168.0.1 remote-address=pool_LAN use-encryption=required

# Phase1 IPsec behaviour, Windows 7 requires hash-algorithm=sha1
/ip ipsec peer profile
set [ find default=yes ] dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256

# added automatically when l2tp-server server is enabled=yes
#/ip ipsec peer
#add local-address=PublicIP exchange-mode=main-l2tp generate-policy=port-strict passive=yes secret="PasswordSecret" comment=Phase1

# Phase2 IPsec Settings
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=ecp256

# configure the rest of the router
/interface list
add name=LAN
add name=WAN

/interface list member
add interface=bridge_LAN 	list=LAN
add interface=L2TP1 		list=LAN
add interface=ether1 		list=WAN

# add these to your firewall rules
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500 comment=L2TP_IPSEC
add chain=input protocol=ipsec-esp
add chain=forward action=accept connection-state=new in-interface-list=LAN comment="Allow LAN"

/interface
set bridge_LAN arp=proxy-arp

# optional
/system logging
add topics=ipsec,!packet