MikroTik RouterOS Docs

L2TP VPN Server Configuration

L2TP/IPsec VPN Server (for Windows, macOS, iOS, Android clients):

# Create IP pool for VPN clients
/ip pool add name=vpn-pool ranges=192.168.99.2-192.168.99.50
# Create PPP profile
/ppp profile add name=l2tp-profile local-address=192.168.99.1 \
remote-address=vpn-pool dns-server=8.8.8.8
# Create user credentials
/ppp secret add name=vpnuser password=SecurePass123 service=l2tp profile=l2tp-profile
# Enable L2TP server with IPsec
/interface l2tp-server server set enabled=yes use-ipsec=required \
ipsec-secret=YourIPsecSecret default-profile=l2tp-profile
# Add firewall rules (before drop rules)
/ip firewall filter add chain=input protocol=udp dst-port=500,4500,1701 action=accept \
comment="Allow L2TP/IPsec VPN" place-before=0
/ip firewall filter add chain=input protocol=ipsec-esp action=accept \
comment="Allow IPsec ESP" place-before=1

What this covers: L2TP/IPsec VPN server configuration for remote access (“road warrior”) scenarios where clients connect from Windows, macOS, iOS, or Android devices.

When to use L2TP/IPsec:

  • Remote workers accessing office resources
  • Secure access to home network while traveling
  • Alternative to PPTP (which is deprecated and insecure)
  • When clients don’t support WireGuard or need native OS VPN

Why L2TP with IPsec:

  • L2TP alone provides no encryption - it’s just a tunneling protocol
  • IPsec provides encryption and authentication
  • Combined L2TP/IPsec is supported natively by Windows, macOS, iOS, and Android
  • Uses pre-shared key (PSK) authentication for simplicity

Prerequisites:

  • MikroTik router running RouterOS 7.x or later
  • Public IP address (or properly forwarded ports if behind NAT)
  • Understanding of IP addressing and firewall rules

VPN clients need IP addresses from a dedicated subnet, separate from your LAN:

/ip pool add name=vpn-pool ranges=192.168.99.2-192.168.99.50

This pool provides 49 addresses for simultaneous VPN connections.

Subnet Selection

Use a different subnet for VPN clients than your LAN. Using the same subnet requires proxy-arp and causes complications. A separate subnet with proper routing is the recommended approach.

The profile defines settings applied to all L2TP connections:

/ppp profile add \
name=l2tp-profile \
local-address=192.168.99.1 \
remote-address=vpn-pool \
dns-server=8.8.8.8,8.8.4.4 \
change-tcp-mss=yes

Parameter explanation:

Parameter | Purpose
local-address | Gateway IP for VPN tunnel (router’s address)
remote-address | Pool name or specific IP for clients
dns-server | DNS servers pushed to VPN clients
change-tcp-mss | Adjust MSS to prevent fragmentation issues

Add users who can connect to the VPN:

/ppp secret add \
name=vpnuser \
password=SecurePass123 \
service=l2tp \
profile=l2tp-profile

For multiple users:

/ppp secret add name=john password=JohnSecure456 service=l2tp profile=l2tp-profile
/ppp secret add name=jane password=JaneSecure789 service=l2tp profile=l2tp-profile

Optional: Assign static IP to specific user:

/ppp secret add name=admin password=AdminPass service=l2tp profile=l2tp-profile \
remote-address=192.168.99.100

Enable the L2TP server and require IPsec encryption:

/interface l2tp-server server set \
enabled=yes \
use-ipsec=required \
ipsec-secret=YourStrongIPsecSecret \
default-profile=l2tp-profile \
authentication=mschap2,mschap1,chap

Parameter explanation:

Parameter | Purpose
enabled | Turn on the L2TP server
use-ipsec | required = only accept encrypted connections
ipsec-secret | Pre-shared key for IPsec (all clients use this)
default-profile | PPP profile for connections
authentication | Allowed auth methods (avoid PAP for security)

Allow VPN traffic through the firewall. These rules must be placed before any drop rules:

# Allow IKE (IPsec key exchange)
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept \
comment="Allow IKE for L2TP/IPsec" place-before=0
# Allow NAT-Traversal (IPsec through NAT)
/ip firewall filter add chain=input protocol=udp dst-port=4500 action=accept \
comment="Allow NAT-T for L2TP/IPsec" place-before=1
# Allow L2TP (only needed if not using IPsec transport)
/ip firewall filter add chain=input protocol=udp dst-port=1701 action=accept \
comment="Allow L2TP" place-before=2
# Allow IPsec ESP protocol
/ip firewall filter add chain=input protocol=ipsec-esp action=accept \
comment="Allow IPsec ESP" place-before=3

Alternative: Single combined rule:

/ip firewall filter add chain=input protocol=udp dst-port=500,4500,1701 action=accept \
comment="Allow L2TP/IPsec VPN"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept \
comment="Allow IPsec ESP"

Add a forward rule to allow traffic from VPN clients to your LAN:

/ip firewall filter add chain=forward src-address=192.168.99.0/24 action=accept \
comment="Allow VPN clients to LAN" place-before=0
/ip firewall filter add chain=forward dst-address=192.168.99.0/24 action=accept \
comment="Allow LAN to VPN clients" place-before=1

If VPN clients should access the internet through the VPN:

/ip firewall nat add chain=srcnat src-address=192.168.99.0/24 \
out-interface-list=WAN action=masquerade comment="NAT for VPN clients"

Verify the server configuration:

/interface l2tp-server server print

Expected Output:

enabled: yes
max-mtu: 1450
max-mru: 1450
mrru: disabled
authentication: chap,mschap1,mschap2
default-profile: l2tp-profile
keepalive-timeout: 30
allow-fast-path: no
use-ipsec: required
ipsec-secret: YourStrongIPsecSecret

View active L2TP connections:

/interface l2tp-server print

Expected Output (when clients connected):

Flags: D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME
0 DR <l2tp-vpnuser> vpnuser 1450 203.0.113.45 1h23m

View active PPP sessions and IPsec peers:

/ppp active print
/ip ipsec active-peers print

Expected Output:

Flags: R - responder, N - natt-peer
# ID STATE UPTIME
0 RN 203.0.113.45 established 1h23m

After connecting, verify the client received an IP:

/ppp active print detail

Windows Client

  1. Settings > Network & Internet > VPN > Add a VPN connection
  2. Configure:
    • VPN provider: Windows (built-in)
    • Connection name: My VPN
    • Server name or address: Your public IP or hostname
    • VPN type: L2TP/IPsec with pre-shared key
    • Pre-shared key: YourStrongIPsecSecret
    • Username: vpnuser
    • Password: SecurePass123
  3. Click Save, then Connect

Windows Behind NAT

If the Windows client is behind NAT (home router, corporate firewall), you may need to add a registry key:

PowerShell (Run as Administrator):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" `
-Name "AssumeUDPEncapsulationContextOnSendRule" -Type DWORD -Value 2 -Force
Restart-Computer

Values: 0 = disabled, 1 = server behind NAT, 2 = both client and server behind NAT

macOS Client

  1. System Preferences > Network > + (Add)
  2. Configure:
    • Interface: VPN
    • VPN Type: L2TP over IPSec
    • Service Name: My VPN
  3. Settings:
    • Server Address: Your public IP or hostname
    • Account Name: vpnuser
  4. Authentication Settings:
    • Password: SecurePass123
    • Machine Authentication: Shared Secret
    • Shared Secret: YourStrongIPsecSecret
  5. Click Apply, then Connect

iOS Client

  1. Settings > General > VPN & Device Management > VPN > Add VPN Configuration
  2. Configure:
    • Type: L2TP
    • Description: My VPN
    • Server: Your public IP or hostname
    • Account: vpnuser
    • Password: SecurePass123
    • Secret: YourStrongIPsecSecret
  3. Tap Done, then enable the VPN toggle

Android Client

  1. Settings > Network & Internet > VPN > Add VPN
  2. Configure:
    • Name: My VPN
    • Type: L2TP/IPSec PSK
    • Server address: Your public IP or hostname
    • L2TP secret: (leave empty)
    • IPSec identifier: (leave empty)
    • IPSec pre-shared key: YourStrongIPsecSecret
    • Username: vpnuser
    • Password: SecurePass123
  3. Tap Save, then Connect

By default, VPN clients may route all traffic through the VPN. To allow only LAN access:

  1. On the VPN client, disable “Use default gateway on remote network” (Windows) or similar option
  2. The client will only route traffic to your LAN subnet through the VPN

If your MikroTik is behind another router/firewall, forward these ports:

  • UDP 500 (IKE)
  • UDP 4500 (NAT-T)
  • UDP 1701 (L2TP) - may not be needed if IPsec encapsulates it

Important

If the MikroTik is behind NAT, Windows clients need the registry modification mentioned above.

Only one L2TP/IPsec client can connect from behind the same NAT at a time. Each new connection from the same public IP will disconnect the previous client.

Workaround: Use different VPN protocols for multiple users behind the same NAT (e.g., one uses L2TP, another uses SSTP or WireGuard).

Apply per-user bandwidth limits:

/ppp profile add name=l2tp-limited local-address=192.168.99.1 \
remote-address=vpn-pool rate-limit=5M/10M dns-server=8.8.8.8
/ppp secret set [find name=vpnuser] profile=l2tp-limited

Push routes to VPN clients for accessing specific remote networks:

/ppp secret set [find name=vpnuser] routes="10.10.0.0/24 192.168.99.1"

Troubleshooting

Symptom | Likely Cause | Solution
Error 809 | NAT blocking IPsec | Add registry key for NAT traversal (see Windows section)
Error 809 | Firewall blocking ports | Ensure UDP 500, 4500 are open
Error 809 | ISP blocking VPN | Try from different network, or use SSTP instead

Authentication checks:

Check | Command | Solution
Verify user exists | /ppp secret print | Ensure username/password are correct
Check service type | /ppp secret print detail | Ensure service=l2tp or service=any
Verify IPsec secret | Client configuration | Must match ipsec-secret on server

Cannot reach LAN devices from the VPN:

Cause | Solution
Firewall blocking forward | Add forward rules for VPN subnet
Wrong subnet/no routing | Use different subnet for VPN, add routes
Windows firewall on target | Allow ICMP on target PC’s Windows firewall
Proxy-arp needed | If using same subnet as LAN, enable proxy-arp on bridge

Recommended approach - use NAT for VPN-to-LAN access:

/ip firewall nat add chain=srcnat src-address=192.168.99.0/24 \
dst-address=192.168.88.0/24 action=masquerade

Frequent disconnections:

Cause | Solution
NAT timeout | Increase keepalive; check NAT device UDP timeout
DPD (Dead Peer Detection) | Ensure client supports DPD
ISP interference | Some ISPs interfere with VPN traffic

This typically indicates IPsec negotiation issues:

# Enable IPsec debug logging
/system logging add topics=ipsec,debug action=memory
# View logs
/log print where topics~"ipsec"

Common causes:

  • Port 1701 being forwarded when it shouldn’t be (L2TP is encapsulated in IPsec)
  • Mismatched IPsec proposals between client and server
  • Double-NAT issues

Common Mistake

Don’t forward port 1701 if using IPsec. L2TP traffic is encapsulated inside IPsec, so the firewall never sees port 1701 directly. Only forward UDP 500 and 4500.

  1. Use strong passwords for both PPP secrets and IPsec pre-shared key
  2. Avoid PAP authentication - it sends passwords in cleartext:
    /interface l2tp-server server set authentication=mschap2,mschap1,chap
  3. Limit connection attempts to prevent brute-force attacks
  4. Consider certificate-based IPsec for higher security (more complex setup)
  5. Monitor active connections regularly for unauthorized access
  6. Use different VPN subnet than LAN for easier access control
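
The rule-ordering requirement from the firewall section (accept rules ahead of the first input drop), use-ipsec=required, and the PAP point in the checklist above can be audited offline against the text of /export from the router. This is an added example, not code from the original page or from RouterOS; the export text it parses is constructed, and EXAMPLE_PSK is a placeholder.

```python
import shlex
VPN_UDP_PORTS = {"500", "4500"}   # IKE and NAT-T, the two ports the rules above must accept

def parse_export(text):
    """Return (section, {key: value}) pairs for each add/set line of a RouterOS export."""
    section, pending, entries = None, "", []
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = line[:-1] + " " if line.endswith("\\") else ""
        if pending:                        # a trailing '\' means the export wrapped this line
            continue
        if line.startswith("/"):           # a menu path opens a new section
            section = line
        elif line and not line.startswith("#"):
            tokens = shlex.split(line)     # keeps quoted values such as comment="..." intact
            entries.append((section, dict(tok.partition("=")[::2] for tok in tokens[1:])))
    return entries

def audit(text):
    """Return findings; only accept rules ahead of the first input drop count as effective."""
    entries, findings = parse_export(text), []
    inp = [kv for sec, kv in entries if sec == "/ip firewall filter" and kv.get("chain") == "input"]
    first_drop = next((i for i, r in enumerate(inp) if r.get("action") == "drop"), len(inp))
    udp_ports, esp_ok = set(), False
    for rule in [r for r in inp[:first_drop] if r.get("action") == "accept"]:
        if rule.get("protocol") == "udp":
            udp_ports |= set(rule.get("dst-port", "").split(","))
        elif rule.get("protocol") == "ipsec-esp":
            esp_ok = True
    for port in sorted(VPN_UDP_PORTS - udp_ports, key=int):
        findings.append(f"UDP {port} is not accepted in chain=input before the first drop rule")
    if not esp_ok:
        findings.append("ipsec-esp is not accepted in chain=input before the first drop rule")
    server = next((kv for sec, kv in entries if sec == "/interface l2tp-server server"), {})
    if server.get("use-ipsec") != "required":
        findings.append("use-ipsec is not 'required', so unencrypted L2TP would be accepted")
    # A plain export omits authentication when it is at the RouterOS default, which includes pap
    if "pap" in server.get("authentication", "pap,chap,mschap1,mschap2").split(","):
        findings.append("authentication allows pap (cleartext password inside the tunnel)")
    return findings

# Constructed sample: the VPN accept rules sit after the catch-all drop, authentication is default
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="drop everything else"
add action=accept chain=input comment="Allow L2TP/IPsec VPN" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPsec ESP" protocol=ipsec-esp
/interface l2tp-server server
set default-profile=l2tp-profile enabled=yes ipsec-secret=EXAMPLE_PSK use-ipsec=required
"""
```

Feed audit() the text of /export (or /export verbose, which also prints values left at their defaults); an empty list means all three checks passed, while the constructed sample reports both UDP ports, ESP and PAP.
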

Feature | L2TP/IPsec | WireGuard | SSTP | OpenVPN
Native OS support | Yes (all) | Limited | Windows/Linux | No
Setup complexity | Medium | Easy | Medium | Complex
Performance | Good | Excellent | Good | Good
NAT traversal | Requires config | Excellent | Excellent | Good
Blocked by firewalls | Sometimes | Rarely | No (uses HTTPS) | Sometimes
Security | Good | Excellent | Good | Good

# L2TP Server
/interface l2tp-server server print # View server config
/interface l2tp-server server set # Modify server settings
/interface l2tp-server print # View active L2TP connections
# PPP Management
/ppp profile print # View profiles
/ppp secret print # View user accounts
/ppp active print # View active sessions
/ppp active remove [find] # Disconnect all users
# IPsec Status
/ip ipsec active-peers print # View IPsec peers
/ip ipsec installed-sa print # View security associations
/ip ipsec policy print # View IPsec policies
# Debugging
/log print where topics~"l2tp|ipsec" # View VPN-related logs