Last modified on 3 March 2013 at 18:21 (46,355 views)

L2TP + IPSEC between 2 Mikrotik routers

From MikroTik Wiki


L2TP is a tunnelling protocol used to support VPNs. It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy. Because of that, it is often implemented together with IPsec. This combination is referred to as L2TP/IPsec.

Network layout for this example:

Figure: Example network layout
The process of setting up an L2TP/IPsec VPN between two Mikrotik routers is as follows:

Server side

On the server side we first create a user who will connect to the server (be sure to set a complex password and a longer username than the one used in this example):

/ppp secret add caller-id="" comment="Some description" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 local-address=10.0.16.9 name=ka password=ka profile=default \
remote-address=10.0.16.10 routes="" service=l2tp

Then we create an L2TP server interface for the created user:

/interface l2tp-server add disabled=no name=l2tp-ka user=ka

Creating the server interface is not necessary for this to work, since RouterOS will dynamically create the interface each time the user authenticates, but a static interface makes it easier to write firewall rules against it.

Enable the server:

/interface l2tp-server server set authentication=pap,chap,mschap1,mschap2 \
default-profile=default-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled

Create an IPsec proposal:

/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024

Create an IPsec policy:

/ip ipsec policy add action=encrypt disabled=no dst-address=10.1.16.0/28 \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
sa-dst-address=10.0.16.10 sa-src-address=10.0.16.9 src-address=10.0.0.0/24 tunnel=yes

Create an IPsec peer:

/ip ipsec peer add address=10.0.16.10/32 auth-method=pre-shared-key \
dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 \
lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no proposal-check=obey \
secret=test send-initial-contact=yes

Add a route to the client side network:

/ip route add comment=Ka disabled=no distance=1 dst-address=10.1.16.0/28 gateway=10.0.16.10 scope=30 target-scope=10

Don't forget to change the dst-address to your IP range on the client side.

Client side

Create an L2TP client interface to connect to the server. Change IP_OF_L2TP_SERVER to the IP address of your server-side router.

/interface l2tp-client add add-default-route=no allow=pap,chap,mschap1,mschap2 \
connect-to=IP_OF_L2TP_SERVER dial-on-demand=no disabled=no max-mru=1460 \
max-mtu=1460 mrru=disabled name=l2tp-BL password=ka profile=default-encryption user=ka

Create an IPsec proposal (identical to the one on the server-side router):

/ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024

Create an IPsec policy (similar to the server-side policy, but note that the source and destination addresses are swapped):

/ip ipsec policy add action=encrypt disabled=no dst-address=10.0.0.0/24 \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
sa-dst-address=10.0.16.9 sa-src-address=10.0.16.10 src-address=10.1.16.0/28 \
tunnel=yes

And finally create an IPsec peer that corresponds to the server-side router:

/ip ipsec peer add address=10.0.16.9/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des \
exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d \
my-id-user-fqdn="" nat-traversal=no proposal-check=obey secret=test send-initial-contact=yes

Add a route to the server side network:

/ip route add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=10.0.16.9 scope=30 target-scope=10

Don't forget to change the dst-address to your IP range on the server side.


If everything is set correctly, you should see several entries under /ip ipsec installed-sa.
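As an added cross-check that is not part of the original wiki page, the following Python script parses abridged, constructed copies of the commands above and verifies that the client side mirrors the server side (identical proposal, swapped policy addresses, each peer pointing at the other router's SA address); it also lists which of the chosen algorithms are legacy. The LEGACY set is an assumption of this example, not something the page defines.

```python
import shlex

# Constructed, abridged copies of the RouterOS commands shown on this page (one string each).
SERVER = {
    "proposal": "/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des "
                "lifetime=30m pfs-group=modp1024",
    "policy": "/ip ipsec policy add action=encrypt dst-address=10.1.16.0/28 level=require "
              "sa-dst-address=10.0.16.10 sa-src-address=10.0.16.9 src-address=10.0.0.0/24 tunnel=yes",
    "peer": "/ip ipsec peer add address=10.0.16.10/32 auth-method=pre-shared-key dh-group=modp1024 "
            "enc-algorithm=3des exchange-mode=main hash-algorithm=sha1 secret=test",
}
CLIENT = {
    "proposal": "/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des "
                "lifetime=30m pfs-group=modp1024",
    "policy": "/ip ipsec policy add action=encrypt dst-address=10.0.0.0/24 level=require "
              "sa-dst-address=10.0.16.9 sa-src-address=10.0.16.10 src-address=10.1.16.0/28 tunnel=yes",
    "peer": "/ip ipsec peer add address=10.0.16.9/32 auth-method=pre-shared-key dh-group=modp1024 "
            "enc-algorithm=3des exchange-mode=main hash-algorithm=sha1 secret=test",
}
# Policy attributes that must be swapped between the routers, and attributes that must be identical.
MIRRORED = [("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")]
SAME = {"proposal": ["auth-algorithms", "enc-algorithms", "pfs-group", "lifetime"],
        "peer": ["dh-group", "enc-algorithm", "exchange-mode", "hash-algorithm", "secret"]}
# Assumption: algorithms a reviewer would flag as legacy today (this page's example uses 3des/modp1024).
LEGACY = {"des", "3des", "md5", "modp768", "modp1024"}

def parse(cmd):
    """Turn the key=value tokens of one RouterOS command into a dict (shlex handles quoted values)."""
    return dict(tok.split("=", 1) for tok in shlex.split(cmd) if "=" in tok)

def check(server, client):
    """Return a list of inconsistencies between the two routers; an empty list means they mirror."""
    s, c = {k: parse(v) for k, v in server.items()}, {k: parse(v) for k, v in client.items()}
    problems = []
    for a, b in MIRRORED:
        if s["policy"].get(a) != c["policy"].get(b) or s["policy"].get(b) != c["policy"].get(a):
            problems.append(f"policy {a}/{b} are not mirrored")
    for section, keys in SAME.items():
        for k in keys:
            if s[section].get(k) != c[section].get(k):
                problems.append(f"{section} {k} differs: {s[section].get(k)!r} vs {c[section].get(k)!r}")
    for me, other in ((s, c), (c, s)):  # each peer must point at the other router's own SA address
        if me["peer"].get("address") != other["policy"].get("sa-src-address", "") + "/32":
            problems.append("peer address does not match the other side's sa-src-address")
    return problems

def legacy_algorithms(cfg):
    """Sorted legacy algorithm names used anywhere in one router's config (informational only)."""
    return sorted({v for cmd in cfg.values() for v in parse(cmd).values() if v in LEGACY})
```

Run check(SERVER, CLIENT) after editing either side; any non-empty result points at the attribute that will stop the SAs from being installed.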