L2TP/IPSec with Windows 7. Simple guide?

I have read (and tried) a few of the articles found on the wiki and elsewhere on the web (e.g. http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP ).
Is there a very simple guide to getting L2TP/IPSec working with Windows 7 and my MikroTik using pre-shared keys?

My MikroTik is directly connected to the internet and runs the PPPoE client with DHCP. The local LAN address space is 192.168.10.0/24. I want to be able to access any devices on my home subnet from my remote Windows 7 machine directly connected to the internet.

Please be gentle, I am not a routing/security expert! Thanks in advance.

I used the wiki examples on my Win 7 Starter netbook. I can connect to my VPN and use remote desktop, but I can’t copy files like I could under XP. I’m guessing this is a Win 7 networking issue but have not found a solution so far. No one here has been able to help.

I’m going to try SSTP to see if that helps.

razza: I have recently set up an L2TP/IPSEC VPN in a network just like yours, and it works great with XP, Android, Win7, iOS with mobile and local networks behind NAT…
Try moving the firewall rules to the top if you have trouble connecting…

/ppp profile
add change-tcp-mss=yes dns-server=192.168.1.254 local-address=172.21.16.254 \
    name=VPN-server only-one=no remote-address=VPN-server use-compression=\
    default use-encryption=default use-ipv6=no use-mpls=default \
    use-vj-compression=default wins-server=192.168.1.3
set 3 change-tcp-mss=yes name=default-encryption only-one=default \
    use-compression=default use-encryption=required use-ipv6=no use-mpls=\
    default use-vj-compression=default

/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=user password=passwd \
    profile=VPN-server routes="" service=l2tp

/ip pool
add name=VPN-server ranges=172.21.16.100-172.21.16.200

/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=VPN-server enabled=yes \
    max-mru=1460 max-mtu=1460 mrru=disabled

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024

/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key comment="COMPANY VPN" \
    dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 \
    enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes \
    hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=\
    500 secret=secret_password send-initial-contact=yes

/ip firewall filter
add action=accept chain=input comment="L2TP VPN" disabled=no dst-address=\
    xx.xx.xx.xx dst-port=500,4500,1701 protocol=udp
add action=accept chain=input comment="L2TP VPN" disabled=no protocol=ipsec-esp
add action=accept chain=output comment="L2TP VPN" disabled=no dst-address=\
    xx.xx.xx.xx dst-port=500,4500,1701 protocol=udp

/system logging
add action=memory disabled=no prefix="" topics=ipsec
add action=memory disabled=no prefix="" topics=radius

This works also.
/ip ipsec peer> pr
Flags: X - disabled
0 address=0.0.0.0/0 port=500 auth-method=pre-shared-key
secret="hey_moe" generate-policy=yes exchange-mode=main
send-initial-contact=yes nat-traversal=yes my-id-user-fqdn=""
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
dpd-maximum-failures=1

I only use mschap2 and that’s not recommended now, need something stronger crypto wise.
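
Added example, not part of any post in this thread: a small Python audit that reads a RouterOS export like the one posted above and lists the PPP authentication and IPsec settings that the last post's concern about stronger crypto applies to. The function name `audit` and the list of values treated as weak are this example's assumptions, and the sample export is constructed from settings shown in the thread.

```python
import re

# Constructed sample: a trimmed copy of the export posted in the thread above.
SAMPLE_EXPORT = r"""/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=VPN-server enabled=yes \
    max-mru=1460 max-mtu=1460 mrru=disabled
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 \
    enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes \
    hash-algorithm=sha1 nat-traversal=yes port=\
    500 secret=secret_password
"""

# Values this example treats as weak (the example's own list, not MikroTik's).
WEAK = {
    "mschap1": "MS-CHAPv1 is long broken",
    "mschap2": "MS-CHAPv2 handshake reduces to a single DES key search",
    "3des": "64-bit block cipher, deprecated",
    "sha1": "SHA-1 is deprecated for new deployments",
    "modp1024": "1024-bit DH group is below current minimums",
}
# Only these keys are inspected, so a value such as name=sha1 is not flagged.
CHECKED_KEYS = {"authentication", "auth-algorithms", "enc-algorithms", "pfs-group",
                "enc-algorithm", "hash-algorithm", "dh-group"}
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S*)')

def audit(export_text):
    """Return sorted (menu, key, value, reason) findings for a RouterOS export."""
    # Exports wrap long lines with a trailing backslash, even mid-value (port=\ 500).
    joined = re.sub(r"\\\r?\n[ \t]*", "", export_text)
    findings, menu = set(), None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line  # menu path, e.g. "/ip ipsec peer"
            continue
        for key, raw in PAIR.findall(line):
            if key not in CHECKED_KEYS:
                continue
            for value in raw.strip('"').split(","):
                if value in WEAK:
                    findings.add((menu, key, value, WEAK[value]))
    return sorted(findings)

if __name__ == "__main__":
    for menu, key, value, reason in audit(SAMPLE_EXPORT):
        print(f"{menu}: {key}={value} -> {reason}")
```
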