IPSec + iOS doesn't work

Maybe you need some help with replicating? :slight_smile:))

It works, but specific settings are needed in RouterOS. We have added which settings iOS supports in this article section:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Apple_iOS_.28iPhone.2FiPad.29_Client

Okay, my mistake was trying to set up L2TP+IPsec for iPhone clients.
Understood that we need IPsec with a pre-shared key and XAuth for using "Cisco" IPsec on the iPhone.
Went here http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf
And tried to set it up.
My config (192.168.0.0/24 is the workstation network, 192.168.3.0 is the server network):
export_ipsec.rsc (8.8 KB)
My log:
log_ipsec.txt (66.5 KB)
The iPhone error is "Error when negotiating the server". Maybe in English it sounds a little different; I have a Russian-language iPhone :slight_smile:

If your device is behind NAT, then try to enable NAT-T in the peer config.

Ok! It's connected. The problem was not only NAT-T; in the proposal we had no auth methods checked.
But the iPhone can't access computers in the 192.168.0.0/24 network. Even ping to 192.168.0.1 (the MikroTik IP address) doesn't work.

Because you are giving out IP addresses to IPsec tunnels from the same 192.168.0.0/24 subnet. Use a different address range or set up proxy ARP.

I can't understand why in the manual http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf the addresses for the tunnel are the same as in the "inside" network.

Changed the RW pool:

[admin@MikroTik] /ip pool> print
 # NAME      RANGES
 1 ipsec-RW  192.168.200.200-192.168.200.205

Now we have an error while connecting from the iPhone: "Error when negotiating the server"

And have you also changed the policy templates to match the new addresses?

Already understood that. Everything is OK. Thanks for the help.
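The layout the exchange above ends up with (a client pool outside the LAN subnet, a policy template that covers that pool, PSK + XAuth, NAT-T enabled), written out as an added example. This is not configuration posted by anyone in the thread; it uses RouterOS 6.x syntax from before 6.44 (6.44 and later move auth-method, secret and XAuth into /ip ipsec identity and the phase 1 crypto into /ip ipsec profile). The LAN 192.168.0.0/24 on 192.168.0.1, the pool 192.168.200.200-205, the group/proposal names, the user and both secrets are assumptions; the phase 1 algorithms are assumed to match the iOS section of the wiki linked earlier and should be checked against it.

```routeros
# Added example (not from the thread). RouterOS 6.x before 6.44.
# Assumptions: LAN 192.168.0.0/24 behind router 192.168.0.1; clients get 192.168.200.200-205
# (a separate subnet, so no proxy ARP is needed on the LAN interface).

# 1. Client pool, deliberately outside the LAN subnet
/ip pool
add name=ipsec-RW ranges=192.168.200.200-192.168.200.205

# 2. Mode config: pushes a /32 from the pool, the LAN as split-include, and a DNS server
/ip ipsec mode-config
add name=cfg-RW address-pool=ipsec-RW address-prefix-length=32 split-include=192.168.0.0/24 \
    system-dns=no static-dns=192.168.0.1

# 3. Own policy group + template. The template's dst-address MUST cover the pool range;
#    after changing the pool, an unchanged template is what produces the client-side
#    "Error when negotiating the server".
/ip ipsec policy group
add name=RW
/ip ipsec proposal
add name=RW auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
/ip ipsec policy
add group=RW template=yes src-address=192.168.0.0/24 dst-address=192.168.200.0/24 proposal=RW

# 4. Passive peer for any initiator: PSK + XAuth (what the iOS "Cisco IPsec" profile does),
#    NAT-T on because mobile clients are almost always behind NAT.
/ip ipsec peer
add address=0.0.0.0/0 passive=yes auth-method=pre-shared-key-xauth secret=ChangeMe \
    exchange-mode=main mode-config=cfg-RW generate-policy=port-strict policy-template-group=RW \
    nat-traversal=yes send-initial-contact=no enc-algorithm=aes-256,aes-128 hash-algorithm=sha1 \
    dh-group=modp1024

# 5. XAuth user (assumed name/password)
/ip ipsec user
add name=iphone-user password=ChangeMeToo

# 6. Keep LAN-to-client traffic out of the usual masquerade rule and allow IKE/NAT-T/ESP in
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.200.0/24 action=accept place-before=0
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept place-before=0
add chain=input protocol=ipsec-esp action=accept place-before=0
```

With a separate pool the LAN hosts route replies to 192.168.200.0/24 via their default gateway (the router), which is why proxy ARP is unnecessary here; the srcnat accept rule matters because a typical masquerade rule would otherwise rewrite LAN replies before the policy matches them. Check the result with /ip ipsec installed-sa print and /ip ipsec policy print after a client connects: a dynamic (D) policy for the assigned /32 should appear under group RW.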

Hi,

I have successfully connected via IPsec XAuth in the road-warrior setup as in the manual, using the same subnet as the target network.

I have enabled proxy ARP on the bridge interface (which includes the wireless and Ethernet ports) and I can connect via VPN successfully, but I cannot reach hosts on the internal network. I can reach the router just fine.

I’m connecting from Mac OS X 10.9.2.

This is for posterity:
Googling issues with Apple iOS 9, MikroTik and L2TP VPN led me to this post.
I had many troubles and finally got it to work. I will post my commands below to hopefully save others some headache. :smiley:

This assumes some default configuration on the router:
local subnet 192.168.1.0/24
router address 192.168.1.1
DHCP pool 192.168.1.100 - 192.168.1.200

# L2TP server; every L2TP session is wrapped in IPsec using this pre-shared key
/interface l2tp-server server
set default-profile=l2tp-profile enabled=yes ipsec-secret=MyIpsecSecret use-ipsec=yes
# PPP profile for the L2TP server; remote-address=dhcp hands clients addresses from the LAN DHCP pool
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.1.1 name=l2tp-profile \
    remote-address=dhcp use-encryption=yes
# PPP user; a profile= and addresses set on the secret override the server's default-profile for that user
/ppp secret
add local-address=192.168.1.201 name=myPppUser password=myPppPassword profile=default-encryption remote-address=\
    192.168.1.202 service=l2tp
# Phase 2 proposal; lists the algorithms the Apple clients offer
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1,sha256,sha512 enc-algorithms=\
    aes-128-cbc,aes-256-cbc,aes-128-ctr,aes-256-ctr lifetime=8h pfs-group=none
# Phase 1 peer for L2TP clients: main-l2tp exchange mode, policies generated per client port
/ip ipsec peer
add dpd-interval=2s enc-algorithm=aes-128,aes-256 exchange-mode=main-l2tp generate-policy=port-override \
    secret=MyIpsecSecret
# Proxy ARP so VPN clients holding LAN-range addresses are reachable from LAN hosts
/interface ethernet set 0 arp=proxy-arp
/interface bridge set 0 arp=proxy-arp

These commands should be all that is needed for a successful connection with an iOS device running 9.2+ and a Mac running 10.10+.

Kyle.

Hello. I tried to set up L2TP/IPsec with an iPad mini 2 on iOS 9.3.5 and ROS 6.36.3, but with no success.

Here is my config:

/ip ipsec peer> print
Flags: X - disabled, D - dynamic 
 0    address=0.0.0.0/0 local-address=:: passive=yes port=500 auth-method=pre-shared-key-xauth 
      secret="secret" generate-policy=port-override policy-template-group=default exchange-mode=main-l2tp 
      send-initial-contact=no nat-traversal=yes hash-algorithm=sha1 enc-algorithm=aes-256,aes-128 
      dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5

/ip ipsec proposal> print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha512,sha256,sha1,md5 
      enc-algorithms=aes-256-cbc,aes-256-ctr,aes-128-cbc,aes-128-ctr lifetime=8h pfs-group=none 

 /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes

Debug log attached. Please Help.
IpSec-log.txt (85.4 KB)

It doesn't work because on the iPad you have selected IPsec with XAuth and mode config, not IPsec/L2TP.

Thank you, it was a client-side mistake. The iPad has 3 VPN types: PPTP, L2TP (= L2TP/IPsec) and IPsec (= Cisco IPsec, without L2TP).

Hi all,

Since iOS 10 does not support PPTP, I tried an L2TP VPN.

It works perfectly via my WiFi, but does not work via mobile 4G Internet.

From the client side I got:

The L2TP-VPN server did not respond

In the ROS log I got this:

08:36:02 l2tp,info first L2TP UDP packet received from 37.104.222.180
08:36:33 ipsec,error key length mismatched, mine:128 peer:256.
08:36:33 ipsec,error key length mismatched, mine:192 peer:256.

Does this mean that L2TP VPN is just blocked on 4G mobile Internet, or can I do something with my ROS settings?

Did you ever figure out how to get L2TP VPN for iOS 10 to work? I'm not having any luck following any of the forums...

I would really appreciate some help.

Thanks,

Lynn

Look at this post:
http://forum.mikrotik.com/t/super-easy-vpn-for-macos/102865/6
You'll need to select "Send all traffic through VPN" (or similar) on the client device.
-Chris