How to fine-tune L2TP/IPsec firewall rules?

Hi all,

I am trying to configure L2TP/IPsec connectivity from the internet to my MikroTik router.

Current setup is:

internet <==> router (192.168.1.0/24) <==> mikrotik (192.168.1.10, 192.168.88.0/24)

When I am connected to the 192.168.1.0 network, I can connect to the VPN. When trying to connect from an external hotspot, I cannot.

The router is configured to forward ports 500, 1701 and 4500 to the MikroTik's IP on the MikroTik's WAN; the MikroTik firewall setup is below.

I had to explicitly enable the protocols ipsec-ah and ipsec-esp on the MikroTik. Should I forward some other ports from the router to the MikroTik?

Thanks

Andrea M

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

2 ;;; L2TP over IPsec VPN
chain=input action=accept protocol=udp dst-port=500,4500,1701 log=no log-prefix=""

3 chain=input action=accept protocol=ipsec-ah log=no log-prefix=""

4 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

[…]

9 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""

10 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

11 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""

[…]

13 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

14 ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec

15 ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec

16 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix=""

17 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""

18 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

19 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
[admin@MikroTik] >

The firewall rules alone aren't enough. A full config is needed:

/export file=anynameyouwish (minus sensitive info like serial numbers, public IPs, etc.)

Here it is:

[admin@MikroTik] >
[admin@MikroTik] > /export

2025-06-28 15:34:50 by RouterOS 7.19.2

software id = WN6F-MRSV

model = C53UiG+5HPaxD2HPaxD

serial number = ************

/interface bridge
add admin-mac=************** auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Italy .mode=ap .ssid=ssid5g disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-n disabled=yes frequency=2412 name=channel_01_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2417 name=channel_02_OFDM width=20mhz
add band=2ghz-n disabled=no frequency=2422 name=channel_03_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2427 name=channel_04_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2432 name=channel_05_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2437 name=channel_06_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2442 name=channel_07_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2447 name=channel_08_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2452 name=channel_09_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2457 name=channel_10_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2462 name=channel_11_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2467 name=channel_12_OFDM width=20mhz
add band=2ghz-n disabled=yes frequency=2472 name=channel_13_OFDM width=20mhz
/interface wifi
set [ find default-name=wifi2 ] channel=channel_03_OFDM configuration.country=Italy .mode=ap .ssid=ssid2g disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/ip pool
add name=default-dhcp ranges=192.168.88.150-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.3 client-id=1:48:a9:8a:a6:6c:fe mac-address=48:A9:8A:A6:6C:FE server=defconf
add address=192.168.88.4 client-id=1:30:9c:23:23:2b:ec mac-address=30:9C:23:23:2B:EC server=defconf
add address=192.168.88.2 client-id=1:48:a9:8a:a6:6c:51 mac-address=48:A9:8A:A6:6C:51 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="L2TP over IPsec VPN" dst-port=500,4500,1701 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="L2TP debug " disabled=yes log-prefix=temp6 src-address=192.168.1.4
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.1.10 dst-port=12745 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.4 to-ports=12745
add action=dst-nat chain=dstnat dst-address=192.168.1.10 dst-port=53192 in-interface-list=WAN protocol=udp to-addresses=192.168.88.4 to-ports=53192
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ppp secret
add local-address=192.168.90.1 name=andrea profile=default-encryption remote-address=192.168.90.10 service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system logging
add disabled=yes prefix=temp6
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=ntp1.inrim.it
add address=ntp2.inrim.it
add address=time.inrim.it
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=
"\r
\n :if ([system leds settings get all-leds-off] = "never") do={\r
\n /system leds settings set all-leds-off=immediate \r
\n } else={\r
\n /system leds settings set all-leds-off=never \r
\n }\r
\n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r
\n :foreach iface in=[/interface/wifi find where (configuration.mode="ap" && disabled=no)] do={\r
\n /interface/wifi wps-push-button $iface;}\r
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

The configuration is flawless with a minor exception that is irrelevant, so the only explanation is that the 192.168.1.0 router doesn’t forward the necessary ports and protocols to the MT (UDP 500,1701,4500 and IPsec ESP).

The minor exception is this unnecessary route; I don't know how it even exists:

/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
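A small checker for the MikroTik side of this question, added here as example code (it is not from the thread or from MikroTik): it parses `/ip firewall filter` lines in export format and confirms that UDP 500/4500/1701 and ESP are accepted in the input chain before the defconf "drop all not coming from LAN" rule, which is the point after which WAN packets are no longer seen. SAMPLE_EXPORT is constructed from the input-chain rules posted above.

```python
import shlex

# Constructed sample: the input-chain rules from the export posted in the thread.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="L2TP over IPsec VPN" dst-port=500,4500,1701 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

def parse_filter_rules(export_text):
    """Parse 'add key=value ...' lines under /ip firewall filter into dicts, keeping order."""
    rules, in_section = [], False
    for line in export_text.splitlines():
        if line.startswith("/"):
            in_section = line.strip() == "/ip firewall filter"
            continue
        if in_section and line.startswith("add "):
            rule = {}
            for tok in shlex.split(line[4:]):      # shlex keeps quoted comments whole
                key, _, val = tok.partition("=")
                rule[key] = val
            rules.append(rule)
    return rules

def _accepts(rule, proto, ports=()):
    """Return the set of requirements (e.g. 'udp/4500', 'ipsec-esp') this rule satisfies."""
    if rule.get("chain") != "input" or rule.get("action") != "accept":
        return set()
    if rule.get("protocol") != proto:
        return set()
    if not ports:
        return {proto}
    allowed = set(rule.get("dst-port", "").split(","))
    return {f"udp/{p}" for p in ports if p in allowed}

def check_l2tp_ipsec_input(rules):
    """Report which L2TP/IPsec prerequisites are accepted in the input chain before the
    'drop all not coming from LAN' rule; anything in 'missing' is dropped for WAN peers."""
    required = {"udp/500", "udp/4500", "udp/1701", "ipsec-esp"}
    found = set()
    for rule in rules:
        if rule.get("chain") == "input" and rule.get("action") == "drop" \
                and rule.get("in-interface-list") == "!LAN":
            break                                   # later rules never see WAN traffic
        found |= _accepts(rule, "udp", ("500", "4500", "1701"))
        found |= _accepts(rule, "ipsec-esp")
    return {"found": sorted(found), "missing": sorted(required - found)}
```

Run it against a real `/export` dump to see whether a missing or misordered rule, rather than the upstream router, is what blocks the connection.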

Thanks! UDP ports are correctly forwarded but, as per "Firewall filter rules to allow incoming IPSec packets - are they really needed?", I suspect that IPsec ESP is my problem: I will try to understand if and how I can enable ipsec-esp to traverse my non-MikroTik modem-router. Obviously, this is not a MikroTik issue.

Thanks for your help!

Hi,

You have NAT; you can't have NAT when using PSK-type authentication these days.
Also, you should set use-ipsec=required (though clients probably require it).
The following might be useful.

? What do you mean, you can't use PSK and NAT together? One is an authentication algorithm; the other is an IP mechanism to change the source or destination address of a packet.

https://forum.mikrotik.com/t/how-to-setup-ikev2-psk-on-sub-routeros-behind-nat-and-main-router-is-routeros/183328/2

Modern(ish) clients refuse to connect (using PSK) if the IP address of the server is not the IP address they are connecting to; the NAT-T negotiation tells the client what the actual IP address is that they are connecting to. (The common case is a server behind NAT.)
As noted in the link above, you can bypass it with a bit of double NAT. Probably a good reason to avoid PSK (except maybe where the PSK is known to very, very few people/devices).

Hi all, you are both right - it depends on the context: I fixed it by changing some client options as per "Can't open connection to L2tp server via port forwarding - #4 by tdw" and https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-l2tp-ipsec-server-behind-nat-t-device

Regards

Andrea M