I got some questions about how to configure Mikrotik to act as L2TP Server with IPsec encryption for mobile clients. I know this is not exactly in the line of this blog oriented on enterprise networks, but it’s network technology in the end so I’ll try to cover it here.

Before we start, please make sure that your Mikrotik build-in firewall is configured in such way that it can accept packets on the WAN interface. You can check my article on IPsec VPN Mikrotik to Cisco for firewall configuration.

Another important part is that I’m using RouterOS v6.24 in the below scenario. In earlier versions some configurations are a bit different, but you’ll figure it out as I will explain where is really important.

1. Add a new IP Pool

It’s not mandatory if you already have a IP Pool, but I assume you don’t and we need to add one.

GUI

IP > Pool

Add a new pool

CLI

L2TP Configuration

1. Configure L2TP Profile

Before adding a new L2TP Server, we need to add a new L2TP Profile. We can use also the default one, but I don’t like to mix things.

GUI

PPP > Profiles

The rest of values can be left on default value.

CLI

2. Add a L2TP-Server

GUI

PPP > Interface > L2TP Server

CLI

3. Add PPP Secrets

GUI

PPP > Secrets

Let the rest as default.

CLI

IPsec Configuration

On IPsec configuration, you can use the default configuration (like Proposals) but I would suggest to let those as default and add your new ones. In case that you already have some IPsec configuration which is already working and using the default configuration we don’t want to mess with that.

1. IPsec Proposals

GUI

IPsec > Proposals

CLI

Something to mention here. In version previous than 6.xx, you can pick only one encryption algorithm, if I remember correctly. You cannot add multiple algorithms (like 3des and aes-256 above). If this is the case, be sure to stay with 3des. I know it offer less security, but for some reason I could not force Microsoft Windows to work on L2TP via aes-256.

2. IPsec Peers

GUI

IPsec > Peers

CLI

IMPORTANT

The value of the Secret field above, MUST be the same as in L2TP Configuration, Step 2.
Also, if your RouterOS support only one encryption algorithm, then pick 3des.

3. IPsec Policies

GUI

CLI

Below, I’ll add two examples how to configure the iPhone and Microsoft Windows to work with the above configuration.

iPhone

Go to Settings, VPN section and Add VPN Configuration…

It will look like this:

iPhone L2TP Configuration

The Server is the public IP address or FQDN of your Mikrotik. Account and Password are the one defined in L2TP Configuration Step 3. (MYUSER and MYPASSWORD in the example above). Secret , is the IPsec Secret Key defined in L2TP Configuration Step 2. and IPsec Configuration Step 2. (MYKEY in the example).

PC with Microsoft Windows

1. Add a new VPN connection

Add New VPN Connection

2. Pick the option Use my Internet connection

Chose VPN type

3. Add Mikrotik L2TP Server details

Add L2TP Mikrotik details

4. Add the user and password

Add L2TP user

Add this point Windows 7 force me to hit Connect. I will not work yet. Please follow the next steps.

You need to reach the Properties of your new VPN connection.

5. Configure the VPN Security settings.

Be sure to have the settings like in image below, to force encryption and use mschap2 protocol.

L2TP VPN Security

6. Set the IPsec Secret key

Hit the Advanced button and set the IPsec key

L2TP IPsec Key

Hit Connect and it will work. If you have questions please be sure to add them to Comments.

Mikrotik L2TP with IPsec for mobile clients
Tagged on:                 

36 thoughts on “Mikrotik L2TP with IPsec for mobile clients

  • January 30, 2015 at 02:24
    Permalink

    This has been a huge help but, I’m still struggling. I can make the connection just fine. However, once on the target network and receiving an IP address from the dhcp server, I can’t connect to (or even ping) other devices on the subnet. Yes, I have enabled arp-proxy on my LAN interface and, no, I see no difference once enabled. Is there something (likely simple) else I may be missing?

    Reply
    • May 22, 2015 at 10:10
      Permalink

      MPLS missing. Configure that and other devices will be visible.

    • December 4, 2015 at 15:37
      Permalink

      You need to add a static route point back to the VPN interface, for example my VPN pool I’musing 192.168.99.0/24
      /ip route add distance=1 dst-address=192.168.99.0/24 gateway=[your l2tp interface]

  • June 5, 2015 at 11:40
    Permalink

    Phase 1 negotiation failed due to time up 192.168.1.1[500]34.128.0.178[500]43f762354…:5674a8462g5….

    Reply
  • June 5, 2015 at 12:27
    Permalink

    “Invalid length of payload.”

    Reply
  • June 24, 2015 at 03:30
    Permalink

    Thanks so much for this! I was stuck dead in the water at “resent phase 1 packet” until I read this. I opened up UDP 4500, and that broke the dam. Just a couple more minor things to tweak, and I had my first L2TP/iPhone connection operational.

    Reply
  • September 11, 2015 at 07:25
    Permalink

    need add net firewall rule to work

    Chain: input
    Protocol: 17 UDP
    DST Port: 500
    In Interface: ether1-gateway (or whatever your WAN interface name is. Choose it from the drop down list)
    Connection state: new

    action : accept

    Reply
  • September 14, 2015 at 12:49
    Permalink

    Hi!
    This configuration isn`t working at android phone? Or need some other config?

    Reply
  • January 11, 2016 at 07:21
    Permalink

    When using the above settings if you “accidentally” check the box in the Windows 7 client for using certificates instead of the secret passphrase, then the client will connect to the server regardless without even entering a passphrase. This is on an RB850Gx2. The protocol switches from normally sha1 + aes to MPPE128 stateless. Any idea why this happens. We expect the client to be required to use the secret passphrase and not connect with only the username and password. Thanks!

    Joel

    Reply
  • February 17, 2016 at 20:02
    Permalink

    Working on Windows Phone 8.1, thanks! Finally a VPN I can use while waiting for WP10!

    Reply
    • February 18, 2016 at 13:19
      Permalink

      idea (if right) to use “3des” only rather than “3des, aes-256”

    • August 17, 2016 at 03:24
      Permalink

      In addition to Green’s update, the firewall configuration requires port 1701 to be opened (for iPhone 6s, iOS9)

  • August 1, 2016 at 14:16
    Permalink

    i also needed to open udp/1701 despite it “should” not be opened in theory.
    [8/1/2016 9:31:27 PM] 21:26:24 firewall,info input: in:ether1-gateway out:(none), src-mac MM, proto UDP, AA:19569->BB:4500, len 92
    [8/1/2016 9:31:27 PM] 21:26:24 firewall,info input: in:ether1-gateway out:(none), src-mac MM, proto UDP, AA:19569->BB:4500, len 160
    [8/1/2016 9:31:27 PM] 21:26:24 firewall,info input: in:ether1-gateway out:(none), proto UDP, AA:58272->BB:1701, len 101
    [8/1/2016 9:31:27 PM] 21:26:25 firewall,info input: in:ether1-gateway out:(none), src-mac MM, proto UDP, AA:19569->BB:4500, len 96
    [8/1/2016 9:31:27 PM] 21:26:25 firewall,info input: in:ether1-gateway out:(none), proto UDP, AA:58272->BB:1701, len 48

    AA is an external ip of vpn client
    BB is an external ip of vpn server

    Reply
  • September 11, 2016 at 07:48
    Permalink

    Hello, it seems to me there is a bug with the Nexus 5 (my android is up to date). I have done everything in the tutorial and verified many times for errors but still My Nexus client doesn’t connect. Any help?

    Reply
  • September 14, 2016 at 03:44
    Permalink

    I only got the error “no configuration found for 87.129.xxx.xxx” (This is the public IPv4 from my iPhone at this time. It will not connect!

    Any hints?

    Reply
  • September 26, 2016 at 07:11
    Permalink

    Here are the ports and protocols:

    Protocol: UDP, port 500 (for IKE, to manage encryption keys)
    Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode)
    Protocol: ESP, value 50 (for IPSEC)
    Protocol: AH, value 51 (for IPSEC)

    Also, Port 1701 is used by the L2TP Server, but connections should not be allowed inbound to it from outside. There is a special firewall rule to allow only IPSEC secured traffic inbound on this port.

    I found I don’t need ESP & AH as I’m not using IPSEC directly but IPSEC over L2TP with NAT. So I am able to get away with ports 500,4500,1701. Interesting comment about the special rule for 1701. I’ll have to try that as soon as I figure out how to configure it with Mikrotik. – Matt Sep 18 ’14 at 23:08

    Reply
  • September 27, 2016 at 02:14
    Permalink

    I feel that you should probably add a firewall section to this tutorial. As most installations are going to have a filter rules and nat rules.

    I have followed tutorial and I am stuck, I get Phase 1 negotiation failed due to time up in the log of the Mikrotik “Server”.

    Reply
    • October 23, 2016 at 12:05
      Permalink

      I’ll try to add it, but lately I was really busy with some other projects.

  • October 6, 2016 at 03:01
    Permalink

    Thank you for a great tutorial! – One question I would have though. Why is the ipsec secret entered twice (/interface l2tp-server server & /ip ipsec peer)? Especially as these have to be the same.

    Reply
  • October 13, 2016 at 12:44
    Permalink

    Hi,
    I have set, all as here described but have this error:
    The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.
    Please can you help me what I do wrong, or what i need to repair?
    I have tested it with added firewall roles for all udp 500, 17001, 4500 and IP-ESP, IP-AH input ports.

    Reply
    • October 13, 2016 at 12:52
      Permalink

      I test it with macOS Sierra, iOS 10 and MikroTik 6.37.1

    • October 17, 2016 at 23:16
      Permalink

      I have set it exactly as described but have still the same error.
      Please is possible to help me and tell me what I done wrong?
      Thanks.

    • October 23, 2016 at 12:03
      Permalink

      What happens if you turn the firewall off completely for a few moments and try to test? Does it work?
      There can be multiple issues for what you describe, but there is too less information to give you a definitive answer.

  • November 15, 2016 at 18:33
    Permalink

    muchas graciass excelenteee tutoriallll!!

    Reply
  • January 4, 2017 at 23:46
    Permalink

    Finally a blog explaining how to do this and it actually works… thank you very much!

    Reply
    • February 1, 2017 at 23:18
      Permalink

      Thanks for your positive feedback :)

  • January 29, 2017 at 11:38
    Permalink

    I followed it step-by-step and worked as charm, after I disabled a firewall’s rule blocking all incoming connexations.

    Reply
  • May 12, 2017 at 05:47
    Permalink

    Great work! work for me in win7 & samsung S7 at first try :-)

    just 1 question (problem)
    in the mikrotik I have 4 differant network
    10.0.0.0/24
    10.0.1.0/24
    10.0.2.0 /24
    10.0.3.0/24

    when I connect I can only go to 10.0.2.0 /24

    any reason for it?
    what do I need to add?
    (when I connect to the mikrotik by cable I get access to all networks….)

    Thanks ,

    Reply
  • June 17, 2017 at 16:15
    Permalink

    Hello, my vpn with l’IPhone is ok, but this vpn with Windows, is not good..I have the same configuration as you under Windows
    a idea ?

    Reply
  • Pingback: Mikrotik L2TP with IPsec for mobile clients | My Blog

  • July 7, 2017 at 07:54
    Permalink

    Hello, my vpn with l’IPhone is ok, but this vpn with Windows, is not good..I have the same configuration as you under Windows
    a idea ?

    Reply

Leave a Reply

%d bloggers like this: