Configure a VPN server using L2TP IPSec with Mikrotik RouterOS

Posted by Carles Loriente on August 02, 2020 · 1 min read

The following file (rsc) for Mikrotik RouterOS v6.45+ configures an VPN usign L2TP


# Mikrotik RouterOs L2TP/IPSec VPN Full configuration

/interface bridge
add fast-forward=no name=bridge

/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

/interface bridge port
add bridge=bridge hw=no interface=ether1

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0

/system clock
set time-zone-name=Europe/Dublin

/system identity
set name=mikrotik_vpn

/system ntp client
set enabled=yes server-dns-names=pool.ntp.org

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ip pool
add name=pool-vpn ranges=10.1.1.2-10.1.1.250

/ip ipsec peer
add name=l2tpserver passive=yes

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des

/ip ipsec mode-config
add address-pool=pool-vpn name=cfg1 static-dns=8.8.8.8 system-dns=no

/ppp profile
add bridge=bridge local-address=pool-vpn name=profile-vpn remote-address=pool-vpn
add bridge=bridge dns-server=8.8.8.8 local-address=pool-vpn name=ipsec_vpn remote-address=pool-vpn

/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec_vpn enabled=yes

/ip dhcp-client
add !dhcp-options disabled=no interface=ether1
add disabled=no interface=bridge

/ip firewall filter
add action=accept chain=input protocol=ipsec-esp

/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge src-address=10.1.1.2-10.1.1.250
add action=accept chain=srcnat

/ip ipsec identity
add generate-policy=port-override peer=l2tpserver secret="ChangeThisSecret"

/ppp secret
add name=vpn_user password="ChangeThisPasword" profile=profile-vpn service=any

Download the GitHub Gist mikrotik_routeros_vpn-l2tp-ipsec.rsc

Found a snippet that saved your day? Consider dropping a tip!

← Previous Post Next Post