Dear Mikrotik colleagues,
I have been having trouble creating a VPN server on a Mikrotik device (RB450G v6.37.1).
I need to create a simple L2TP server connection for my clients, but I am still finding configuration problems that I don't know how to fix.
My network is simple:
192.168.1.1 my NAT Router
Mikrotik ether1= 192.168.1.11/24
I just want to create an L2TP/IPsec server to connect remote devices (from any public IP) to my network.
Do I need to configure the remote pool in the same network as my LAN, or in a different one?
Could somebody help me configure it?
Ports (1701, 500 and 4500 UDP) are already opened.
IP pool for VPN:
VPN-pool 10.0.31.101-10.0.31.199
PPP Profile:
name="VPN-server" local-address=10.0.31.1 remote-address=VPN-pool
use-mpls=default use-compression=default use-encryption=default
only-one=default change-tcp-mss=yes use-upnp=default address-list=""
on-up="" on-down=""
IPSEC export config:
/ip ipsec mode-config
add address-pool=VPN-pool name=L2TP-cfg split-include=192.168.1.0/24
/ip ipsec policy group
add name=VPN-group
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-strict
policy-template-group=VPN-group secret=xxxxxxxxxx send-initial-contact=no
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 group=VPN-group protocol=ipsec-esp src-address=\
0.0.0.0/0
/ip ipsec user
add name=user1 password=user1
Please, can anybody help me?
It's critical for me.
I can even offer a financial reward if someone is able to help me and get it running.
Are you going to be connecting individual computers or whole networks/office buildings?
Thanks for your answer,
I will connect individual devices: PCs, Androids, Macs…
I'm in need of some clarification: what are you trying to do? Do they need to access network resources like servers and networked shared files and folders, etc.?
So I know how best to help you.
Yes,
It is a simple network:
ISP Router - 192.168.1.1/24 - Public IP X
Guests connect to this router by wireless or Ethernet (192.168.1.0/24)
Windows Server 2012 with shared folders and resources - 192.168.1.100
Mikrotik is connected to the ISP router through ether1
ether1: 192.168.1.11/24
Guests should be able to connect from any public IP with their Androids or PCs and see the shared folders, for example.
Config loaded in Mikrotik:
# RouterOS 6.40.5
# model = 450G
/ip address
add address=192.168.1.11/24 comment=ToWAN interface=ether1 network=\
192.168.1.0
/ip dns
set servers=8.8.8.8,192.168.1.1
/ip pool
add name=VPN-pool ranges=192.168.111.11-192.168.111.33
/ppp profile
add change-tcp-mss=yes local-address=192.168.111.1 name=VPN-server \
remote-address=VPN-pool use-encryption=yes
/ppp secret
add comment=User1 name=user1 password=user1 profile=VPN-server
add comment=User2 name=user2 password=user2 profile=VPN-server
add comment=User3 name=user3 password=user3 profile=VPN-server
/interface l2tp-server server
set default-profile=VPN-server enabled=yes ipsec-secret=secret123 max-mru=\
1460 max-mtu=1460 use-ipsec=yes
/interface l2tp-server
add name=user1-L2TP user=user1
add name=user2-L2TP user=user2
add name=user3-L2TP user=user3
/ip ipsec policy group
add name=FisaVPN
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec mode-config
add address-pool=VPN-pool name=VPN-cfg split-include=192.168.1.0/24
/ip ipsec peer
add auth-method=pre-shared-key-xauth dh-group=modp1024 generate-policy=\
port-strict hash-algorithm=md5 mode-config=VPN-cfg nat-traversal=no \
passive=yes policy-template-group=FisaVPN secret=secret123
add auth-method=pre-shared-key-xauth dh-group=modp1024 generate-policy=\
port-strict hash-algorithm=md5 mode-config=VPN-cfg passive=yes \
policy-template-group=FisaVPN secret=secret123
/ip ipsec policy
set 0 group=FisaVPN
add dst-address=192.168.111.0/24 group=FisaVPN src-address=192.168.1.0/24 \
template=yes
add dst-address=192.168.1.0/24 group=FisaVPN src-address=192.168.111.0/24 \
template=yes
/ip ipsec user
add name=user1 password=user1
/ip route
add distance=1 gateway=192.168.1.1
/ip firewall filter
add chain=input comment=IPsec dst-port=500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=4500 protocol=udp
add chain=input comment=L2TP dst-port=1701 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.111.0/24
There are a few different ways you can go about this.
Take a look at this and tell me what you think.
I would go with a Road Warrior setup.
Setup is as follows:
/ip pool
add name=VPN-pool ranges=192.168.111.11-192.168.111.33
/ip ipsec mode-config
add address-pool=VPN-pool name=VPN-cfg split-include=192.168.1.0/24
/ip ipsec policy group
add name=VPN
/ip ipsec policy
add dst-address=192.168.111.0/24 group=VPN src-address=192.168.1.0/24 \
template=yes
Now we just add xauth users and a peer with Mode Config and the policy group enabled.
Change the user names and passwords.
/ip ipsec user
add name=user1 password=123
add name=user2 password=234
/ip ipsec peer
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=VPN-cfg \
policy-template-group=VPN secret=123 passive=yes
For Android
/ip ipsec policy
add group=VPN dst-address=192.168.111.0/24 src-address=0.0.0.0/0 template=yes
P.S. You might have to do some port forwarding on your ISP router, or, depending on who your ISP is, you can request that the modem be bridged; then you would get a public IP on ether1 of your Mikrotik.
I would get my modem bridged, if it were me. However, it is up to you.
Let me know what you think, and if you need any more help.
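The Road Warrior layout above depends on the policy templates being matched against whatever selectors each client proposes, which is also why the separate Android policy with src-address=0.0.0.0/0 exists. The Python script below is an added example, not code from this thread or from MikroTik: it is a simplified model in which a template matches when its src-address contains the server-side selector and its dst-address contains the client's mode-config address, and in which Android proposes 0.0.0.0/0 as the remote selector. The pool, LAN and group names are taken from the config above; the matching rule itself is this model's assumption.

```python
"""Simplified model of RouterOS IPsec policy templates (template=yes) being
matched against the traffic selectors a road-warrior client proposes.
Added example for this thread; it is not RouterOS code. Assumptions: a
template matches when its src-address contains the server-side selector and
its dst-address contains the client's mode-config address, and Android
proposes 0.0.0.0/0 as the remote selector (as the thread's extra policy implies)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network


@dataclass(frozen=True)
class Template:
    group: str
    src: IPv4Network  # server side: the networks behind the MikroTik
    dst: IPv4Network  # client side: the mode-config pool


def next_pool_address(ranges, in_use):
    """First free address of an /ip pool range like '192.168.111.11-192.168.111.33'."""
    first, last = (IPv4Address(x) for x in ranges.split("-"))
    addr = first
    while addr <= last:
        if addr not in in_use:
            return addr
        addr += 1
    raise RuntimeError("pool exhausted")


def matching_template(templates, group, server_sel, client_sel):
    """Return the first template in `group` whose src covers the server-side
    selector and whose dst covers the client's assigned address, else None."""
    for t in templates:
        if t.group == group and server_sel.subnet_of(t.src) and client_sel.subnet_of(t.dst):
            return t
    return None


def road_warrior_demo():
    """Replay the thread: one LAN<->pool template, then the extra Android template."""
    lan = ip_network("192.168.1.0/24")
    pool = ip_network("192.168.111.0/24")
    anywhere = ip_network("0.0.0.0/0")
    templates = [Template("VPN", lan, pool)]
    android_extra = Template("VPN", anywhere, pool)
    # the first client is handed 192.168.111.11 from the pool
    client = ip_network(f"{next_pool_address('192.168.111.11-192.168.111.33', set())}/32")
    return {
        # a client that honours split-include proposes the LAN as its remote selector
        "split_include_client": matching_template(templates, "VPN", lan, client) is not None,
        # Android proposes 0.0.0.0/0, which the LAN-only template does not cover
        "android_without_extra": matching_template(templates, "VPN", anywhere, client) is not None,
        "android_with_extra": matching_template(templates + [android_extra], "VPN", anywhere, client) is not None,
        # an address outside the pool never matches any template
        "client_outside_pool": matching_template(templates + [android_extra], "VPN", lan, ip_network("10.9.9.9/32")) is not None,
    }


if __name__ == "__main__":
    for name, ok in road_warrior_demo().items():
        print(f"{name}: {'phase 2 policy generated' if ok else 'no matching template'}")
```

The third case is the one the thread hit: without the 0.0.0.0/0 template an Android client authenticates but gets no phase 2 policy, so the tunnel never carries traffic.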
Thanks BlueTechnomage,
I just made these changes in my Mikrotik.
I tested the connection with Android,
but I cannot keep it working.
Anumrak
November 10, 2017, 9:38am
Just download and install a higher version, minimum 6.38.5, max 6.40.4. Go to the L2TP server. As soon as you enable IPsec and set a pre-shared key, a default IPsec peer will automatically appear in IP > IPsec, which can accept Android IPsec requests. In the L2TP profile use the default or default-encryption profile. Make your L2TP config as simple as you can.
Latest version loaded in Mikrotik: v6.40.5, the latest current version.
My Network
I configured the connection like RoadWarrior
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ipsec.2FL2TP_behind_NAT
IPSEC config:
/ip address
add address=192.168.1.11/24 comment=ToWAN interface=ether1 network=\
192.168.1.0
/ip pool
add name=ipsec-RW ranges=10.10.10.2-10.10.10.150
/ip ipsec mode-config
add address-pool=ipsec-RW name=RW-cfg split-include=\
192.168.1.0/24
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec policy
add dst-address=10.10.10.0/24 group=RoadWarrior src-address=192.168.11.0/24 \
template=yes
add dst-address=10.10.10.0/24 group=RoadWarrior src-address=192.168.1.0/24 \
template=yes
/ip ipsec user
add name=user1 password=user1
add name=user2 password=user2
/ip ipsec peer
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg \
policy-template-group=RoadWarrior secret=secret123 passive=yes
/ip ipsec peer
add address=2.2.2.2 auth-method=pre-shared-key-xauth generate-policy=port-strict secret=secret123 \
xauth-login=user1 xauth-password=user1 mode-config=request-only
/ip ipsec proposal
set default enc-algorithms=aes-128-cbc,aes-256-cbc lifetime=8h \
pfs-group=none
/ip ipsec policy
add group=RoadWarrior dst-address=10.10.10.0/24 src-address=0.0.0.0/0 template=yes
Log after a connection attempt:
I need to get this connection working.
I cannot find the problem and nobody can help me get it correctly configured.
Anumrak
November 10, 2017, 1:41pm
Why didn't you use nat-traversal on the ipsec peer?
nat-traversal is set to yes.
I've been trying the connection again and I've made some progress.
I changed the IPsec authentication to PSK Xauth.
At the moment the IPsec tunnel is established correctly.
I've been testing it with an Android.
However, I cannot configure it as an L2TP/IPsec VPN, only as IPsec PSK Xauth.
The problem is that Windows 10 does not offer this connection method.
What could I do?
At this time I have also configured the L2TP server, but it seems that with this configuration it is not in use.
How can I configure it for Windows? (L2TP/IPsec)
Under Peers change the auth method to just pre-shared key, without xauth, and then try to connect the Windows 10 computer.
mrz
November 14, 2017, 10:45am
Follow the configuration example from the manual; it works with both Windows and Android:
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Basic_L2TP.2FIpSec_setup
Thanks all,
L2TP/IPsec working!
The post can be marked as Solved.
Below is the working config:
/interface l2tp-server
add name=user1-L2TP user=user1
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des lifetime=8h pfs-group=none
/ip pool
add name=ipsec-RW ranges=10.10.10.2-10.10.10.150
/ip ipsec mode-config
add address-pool=ipsec-RW name=RW-cfg split-include=\
192.168.1.0/24
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=10.10.10.1 \
name=VPN-server remote-address=ipsec-RW use-encryption=yes
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN-server enabled=yes \
ipsec-secret=secret123 max-mru=1460 max-mtu=1460 use-ipsec=yes
/ip firewall filter
add action=accept chain=input comment="Permitir IPsec" dst-port=500 protocol=\
udp
add chain=input protocol=ipsec-esp
add chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="Permitir L2TP" dst-port=1701 protocol=\
udp
/ip ipsec peer
add comment=Android compatibility-options=skip-peer-id-validation \
enc-algorithm=aes-256,aes-192,aes-128,3des,des generate-policy=\
port-strict mode-config=RW-cfg passive=yes policy-template-group=\
RoadWarrior secret=secret123
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add comment=Android disabled=yes dst-address=10.10.10.0/24 group=RoadWarrior \
src-address=192.168.11.0/24 template=yes
add comment=Android disabled=yes dst-address=10.10.10.0/24 group=RoadWarrior \
src-address=192.168.1.0/24 template=yes
add comment=Android disabled=yes dst-address=10.10.10.0/24 group=RoadWarrior \
src-address=0.0.0.0/0 template=yes
add comment=TEST dst-address=0.0.0.0/0 group=RoadWarrior src-address=\
0.0.0.0/0 template=yes
/ip ipsec user
add name=user1 password=user1
/ppp secret
add name=user1 password=user1 profile=VPN-server service=l2tp
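The working export above gets the tunnel up, but it still carries settings a defender would want to review before exposing the server: des and 3des left in the proposal and in the peer, passwords equal to user names, and an enabled any-to-any policy template. The Python script below is an added example, not part of this thread or of RouterOS: it parses export text in the format posted here (section headers, add/set commands, backslash continuations, quoted values, [ find ... ] selectors) and reports such findings. The sample export is constructed from an excerpt of the config above; the weak-algorithm lists and the checks themselves are this example's own choices.

```python
"""Audit a RouterOS '/export' text for settings a defender would review before
exposing an L2TP/IPsec server. Added example for this thread; it is not
MikroTik code. The export grammar handled is the one visible in the thread:
'/section' headers, 'add'/'set' commands with key=value pairs, trailing
backslash line continuations, quoted values and '[ find ... ]' selectors.
The weak-algorithm lists and the checks are this example's own assumptions."""
import re
import shlex

WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"modp768", "modp1024"}

# Constructed sample: an excerpt of the working export posted in this thread.
SAMPLE_EXPORT = r"""
# RouterOS export excerpt (constructed for this example)
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des lifetime=8h pfs-group=none
/ip ipsec peer
add comment=Android compatibility-options=skip-peer-id-validation \
    enc-algorithm=aes-256,aes-192,aes-128,3des,des generate-policy=\
    port-strict mode-config=RW-cfg passive=yes policy-template-group=\
    RoadWarrior secret=secret123
/ip ipsec policy
add comment=Android disabled=yes dst-address=10.10.10.0/24 group=RoadWarrior \
    src-address=0.0.0.0/0 template=yes
add comment=TEST dst-address=0.0.0.0/0 group=RoadWarrior src-address=\
    0.0.0.0/0 template=yes
/ip ipsec user
add name=user1 password=user1
/ppp secret
add name=user1 password=user1 profile=VPN-server service=l2tp
/ip firewall filter
add action=accept chain=input comment="Permitir IPsec" dst-port=500 protocol=\
    udp
"""


def parse_export(text):
    """Return a list of (section, command, params) triples from export text."""
    entries, section = [], None
    # a trailing backslash glues the next line onto this one, as in a real export
    joined = re.sub(r"\\\s*\n\s*", "", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        line = re.sub(r"\[.*?\]", "", line)  # drop '[ find default=yes ]'
        tokens = shlex.split(line)           # honours quoted values
        params = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        entries.append((section, tokens[0], params))
    return entries


def audit(text):
    """Return human-readable findings for the export in `text`."""
    findings = []
    for section, _cmd, p in parse_export(text):
        # proposals use 'enc-algorithms', peers use 'enc-algorithm'
        algs = set(p.get("enc-algorithms", p.get("enc-algorithm", "")).split(",")) - {""}
        if section in ("/ip ipsec proposal", "/ip ipsec peer"):
            if algs & WEAK_ENC:
                findings.append(f"{section}: weak cipher(s) {sorted(algs & WEAK_ENC)}")
            if p.get("hash-algorithm") in WEAK_HASH:
                findings.append(f"{section}: weak hash {p['hash-algorithm']}")
            if p.get("dh-group") in WEAK_DH:
                findings.append(f"{section}: weak DH group {p['dh-group']}")
        if (section in ("/ppp secret", "/ip ipsec user")
                and p.get("password") is not None and p.get("password") == p.get("name")):
            findings.append(f"{section}: password equals user name for {p['name']}")
        # an enabled 0.0.0.0/0 <-> 0.0.0.0/0 template lets any authenticated peer
        # negotiate a policy covering any traffic
        if (section == "/ip ipsec policy" and p.get("template") == "yes"
                and p.get("disabled") != "yes"
                and p.get("src-address") == "0.0.0.0/0" and p.get("dst-address") == "0.0.0.0/0"):
            findings.append(f"{section}: enabled any-to-any template in group {p.get('group')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run against a real export, the script is only a first pass: it reads the text literally, so a value relying on RouterOS defaults (for example a peer that does not state its dh-group) produces no finding and still has to be checked by hand.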
asseeb
November 20, 2017, 1:38am
Hi guys and Carherbla,
I have copied the script you provided, but I am still having issues with my L2TP VPN. I have added the secret key on my Win10 computer and am VPNing into the router IP address, but I keep getting error 789. Could you please help?
(New Mikrotik user)
Thanks