# L2TP/IPsec

L2TP (Layer 2 Tunneling Protocol) is a widely supported remote-access VPN protocol built into RouterOS. Because L2TP provides no encryption on its own, it is always paired with IPsec to protect the tunnel. The combination — L2TP/IPsec — is natively supported by Windows, macOS, iOS, and Android without additional client software.
RouterOS handles L2TP/IPsec in two layers:

- L2TP layer — manages the tunnel and PPP session (`/interface l2tp-server`, `/ppp profile`, `/ppp secret`)
- IPsec layer — encrypts all L2TP traffic (`/ip ipsec profile`, `/ip ipsec proposal`, `/ip ipsec peer`, `/ip ipsec identity`)
When `use-ipsec=require` is set on the L2TP server, RouterOS automatically generates the required IPsec peer, identity, and policy entries. Manual IPsec object creation is only needed for advanced topologies.

## Prerequisites

- RouterOS 7.x
- A public IP address (or port-forwarded UDP 500, UDP 4500, and ESP from upstream NAT)
- Firewall input rules that permit IKE and ESP traffic
## Quick Setup: PSK Authentication

This is the recommended starting point. A pre-shared key (PSK) authenticates the IPsec phase while MSCHAPv2 authenticates the PPP user.
### Step 1 — Create an IP Pool for VPN Clients

```
/ip pool add name=l2tp-pool ranges=10.10.10.2-10.10.10.254
```

### Step 2 — Create a PPP Profile

```
/ppp profile add \
    name=l2tp-profile \
    local-address=10.10.10.1 \
    remote-address=l2tp-pool \
    use-encryption=yes \
    dns-server=8.8.8.8,8.8.4.4
```

`local-address` is the router's tunnel-side IP. `remote-address` assigns IPs from the pool to connecting clients.
### Step 3 — Enable the L2TP Server

```
/interface l2tp-server server set \
    enabled=yes \
    default-profile=l2tp-profile \
    authentication=mschap2 \
    use-ipsec=require \
    ipsec-secret=YourStrongPSK
```

| Parameter | Description |
|---|---|
| `use-ipsec=require` | Reject plain L2TP; require IPsec encryption |
| `use-ipsec=yes` | Allow both encrypted and unencrypted (not recommended) |
| `ipsec-secret` | Pre-shared key negotiated during IKE phase 1 |
| `authentication` | PPP auth methods; `mschap2` is the most compatible |
### Step 4 — Add PPP Users

```
/ppp secret add \
    name=vpnuser \
    password=StrongUserPass \
    service=l2tp \
    profile=l2tp-profile
```

Add one entry per user. The `service=l2tp` restriction prevents the credential from being used on other PPP interfaces.
### Step 5 — Open the Firewall

These rules must appear before any drop rules in the input chain:

```
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN comment="L2TP/IPsec IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp \
    in-interface-list=WAN comment="L2TP/IPsec ESP"
add chain=input action=accept protocol=udp dst-port=1701 \
    in-interface-list=WAN comment="L2TP (only needed without IPsec)"
```

Note: When IPsec is required, L2TP port 1701 traffic arrives encapsulated inside ESP and does not need a separate filter rule. The ESP rule alone is sufficient in most deployments.
## Advanced Setup: Explicit IPsec Objects

RouterOS auto-generates IPsec objects when `use-ipsec` is set, but you can override defaults by creating named objects manually. This is useful for tuning cipher suites or supporting multiple client types.
### IPsec Profile (Phase 1)

```
/ip ipsec profile add \
    name=l2tp-prof \
    hash-algorithm=sha256 \
    enc-algorithm=aes-256,aes-128 \
    dh-group=modp2048 \
    nat-traversal=yes \
    dpd-interval=2m \
    dpd-maximum-failures=5
```

### IPsec Peer

```
/ip ipsec peer add \
    name=l2tp-peer \
    address=0.0.0.0/0 \
    passive=yes \
    exchange-mode=main-l2tp \
    profile=l2tp-prof
```

`address=0.0.0.0/0` accepts connections from any IP. `passive=yes` means the router waits for incoming IKE initiation. `exchange-mode=main-l2tp` is required for L2TP clients.
### IPsec Proposal (Phase 2)

```
/ip ipsec proposal add \
    name=l2tp-prop \
    auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc,aes-128-cbc \
    pfs-group=none
```

`pfs-group=none` is required for L2TP/IPsec compatibility with Windows and iOS native clients.
### IPsec Identity (PSK)

```
/ip ipsec identity add \
    peer=l2tp-peer \
    auth-method=pre-shared-key \
    secret=YourStrongPSK
```

## Certificate-Based Authentication

Certificate authentication replaces the PSK for IKE phase 1, while PPP (MSCHAPv2) still authenticates the user. This approach is more secure and avoids PSK distribution problems.
### Import Certificates

```
# Import CA certificate
/certificate import file-name=ca.crt passphrase=""

# Import server certificate and key
/certificate import file-name=server.crt passphrase=""
/certificate import file-name=server.key passphrase=""
```

### Configure L2TP Server

```
/interface l2tp-server server set \
    enabled=yes \
    default-profile=l2tp-profile \
    authentication=mschap2 \
    use-ipsec=require
```

No `ipsec-secret` is needed; the certificate provides authentication.
### IPsec Objects for Certificate Auth

```
/ip ipsec profile add \
    name=l2tp-prof-cert \
    hash-algorithm=sha256 \
    enc-algorithm=aes-256,aes-128 \
    dh-group=modp2048 \
    nat-traversal=yes

/ip ipsec peer add \
    name=l2tp-peer-cert \
    address=0.0.0.0/0 \
    passive=yes \
    exchange-mode=main-l2tp \
    profile=l2tp-prof-cert

/ip ipsec identity add \
    peer=l2tp-peer-cert \
    auth-method=digital-signature \
    certificate=server-cert \
    remote-certificate=client-cert \
    match-by=certificate
```

The `certificate=` and `remote-certificate=` values must match the names RouterOS assigned on import (check `/certificate print`), not the original file names.

## Client Configuration
### Windows 10/11

- Open Settings → Network & Internet → VPN → Add a VPN connection
- Set VPN provider to Windows (built-in)
- Enter the router's public IP or hostname in Server name or address
- Set VPN type to L2TP/IPsec with pre-shared key
- Enter the `ipsec-secret` value in Pre-shared key
- Enter the PPP username and password
- Click Save, then Connect
If Windows drops the connection immediately after auth: In older Windows versions, a registry change may be required to allow L2TP/IPsec through NAT. Open regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent, and add a DWORD value AssumeUDPEncapsulationContextOnSendRule set to 2. Reboot and reconnect.
### macOS

The UI path varies between macOS versions:

- macOS Ventura (13) and later: System Settings → VPN
- macOS Monterey (12) and earlier: System Preferences → Network

macOS Ventura / Sonoma (13+):

- Open System Settings → VPN → Add VPN Configuration → L2TP over IPSec
- Enter a name in Display Name
- Enter the router's public IP or hostname in Server Address
- Enter the PPP username in Account Name
- Click Authentication Settings:
  - Under User Authentication, select Password and enter the PPP password
  - Under Machine Authentication, select Shared Secret and enter the `ipsec-secret` value
- Click OK, then toggle the VPN to connect
macOS Monterey and earlier:

- Open System Preferences → Network, click + to add a new interface
- Set Interface to VPN, VPN Type to L2TP over IPSec, enter a Service Name, and click Create
- Enter the router's public IP or hostname in Server Address
- Enter the PPP username in Account Name
- Click Authentication Settings:
  - Under User Authentication, select Password and enter the PPP password
  - Under Machine Authentication, select Shared Secret and enter the `ipsec-secret` value
- Click OK, then Apply, then Connect
macOS deprecation note: Apple has progressively reduced built-in VPN protocol support. On macOS Sequoia (15) and later, L2TP/IPsec may be unavailable as a built-in option. If the L2TP type is missing, switch to IKEv2 or use a third-party VPN client.
Send all traffic over VPN: To route all client traffic through the tunnel, click Advanced (Monterey/earlier) or expand the VPN settings (Ventura+) and enable Send all traffic over VPN connection.
### iOS / iPadOS

- Open Settings → General → VPN & Device Management → VPN → Add VPN Configuration
- Set Type to L2TP
- Enter the router's public IP or hostname in Server
- Enter the PPP username in Account and password in Password
- Enter the `ipsec-secret` value in Secret
- Tap Done, then toggle the VPN switch to connect
### Android

Menu paths vary by manufacturer and Android version; the steps below apply to stock Android:

- Open Settings → Network & internet → VPN → Add VPN (or tap the + icon)
- Set Type to L2TP/IPSec PSK
- Enter the router's public IP or hostname in Server address
- Enter the `ipsec-secret` value in IPSec pre-shared key
- Enter the PPP username and password
- Tap Save, then tap the VPN profile to connect
Some Android 12+ devices have removed the built-in L2TP/IPsec client. In that case, use a third-party app such as strongSwan (with L2TP support) or switch to IKEv2/IPsec.
## RouterOS as L2TP/IPsec Client

A MikroTik router can connect to any L2TP/IPsec server — including another RouterOS device — using `/interface l2tp-client`.
### Basic Client Setup

```
/interface l2tp-client add \
    name=l2tp-out1 \
    connect-to=vpn.example.com \
    user=vpnuser \
    password=StrongUserPass \
    profile=default-encryption \
    use-ipsec=yes \
    ipsec-secret=YourStrongPSK \
    add-default-route=yes \
    default-route-distance=1 \
    disabled=no
```

| Parameter | Description |
|---|---|
| `connect-to` | Server IP address or hostname |
| `use-ipsec=yes` | Enable IPsec encryption; `required` rejects unencrypted connections |
| `ipsec-secret` | Pre-shared key matching the server's `ipsec-secret` |
| `add-default-route=yes` | Automatically install a default route through the tunnel |
| `default-route-distance` | Route distance; lower values take precedence over existing routes |
### Manual Default Route (Alternative)

If you prefer not to use `add-default-route`, add a route explicitly after the tunnel comes up:

```
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1 distance=1
```

### NAT Bypass for IPsec
If the client router also performs NAT/masquerade, add an IPsec bypass rule before the masquerade rule to prevent RouterOS from NAT-ing IPsec-protected traffic:

```
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec \
    comment="NAT bypass for IPsec"
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="Default WAN masquerade"
```

Without this bypass, IPsec encapsulation may fail because NAT rewrites source addresses after IPsec processes the packet.
### Verify the Client Connection

```
# Check that the L2TP interface is running
/interface l2tp-client print

# Check the PPP session
/ppp active print

# Check IPsec security associations
/ip ipsec sa print
```

## NAT-T (Router or Client Behind NAT)

When either the server or client is behind NAT, IPsec switches from ESP (protocol 50) to UDP port 4500 encapsulation automatically. This is called NAT Traversal (NAT-T).
RouterOS enables NAT-T by default (`nat-traversal=yes` in the IPsec profile). No manual configuration is required on the router side. Ensure:
- UDP 4500 is open in the firewall input chain (see Step 5 above)
- If the router itself is behind NAT, the upstream device must forward UDP 500, UDP 4500, and ESP protocol 50 to the router
If both ends are behind NAT, ESP encapsulation in UDP 4500 handles the traversal correctly on both sides.
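The firewall note in Step 5 and the NAT-T description above both come down to what the router actually sees on the wire: native ESP, IKE on UDP 500, or everything multiplexed on UDP 4500. The following added example (not RouterOS code or part of this page) classifies captured packets using the RFC 3948 framing on port 4500, so you can confirm NAT-T is in use and detect L2TP that is arriving unprotected; the sample capture is constructed.

```python
import struct

ESP_PROTO, UDP_PROTO = 50, 17
IKE_PORT, NATT_PORT, L2TP_PORT = 500, 4500, 1701   # IKE, NAT-T (RFC 3948), L2TP

def classify(ip_proto, dst_port, payload):
    """Label one inbound packet of an L2TP/IPsec session."""
    if ip_proto == ESP_PROTO:
        return "esp"                          # native ESP: no NAT in the path
    if ip_proto != UDP_PROTO:
        return "other"
    if dst_port == IKE_PORT:
        return "ike"
    if dst_port == NATT_PORT:                 # NAT-T: payload framing decides the content
        if payload == b"\xff":
            return "nat-keepalive"            # one 0xFF byte keeps the NAT mapping alive
        if len(payload) > 4 and payload[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"                 # four-zero "non-ESP marker" precedes IKE
        if len(payload) >= 8:
            return "esp-udp"                  # ESP: SPI (4 bytes) + sequence number (4)
        return "malformed"
    if dst_port == L2TP_PORT:
        return "l2tp-plain"                   # L2TP in the clear: IPsec is not protecting it
    return "other"

def esp_spi(payload):
    """SPI of a native or UDP-encapsulated ESP packet, as shown by /ip ipsec sa print."""
    return struct.unpack("!I", payload[:4])[0]

def audit(packets):
    """Summarise (ip_proto, dst_port, payload) tuples from a capture."""
    counts = {}
    for proto, port, payload in packets:
        label = classify(proto, port, payload)
        counts[label] = counts.get(label, 0) + 1
    return {"counts": counts,
            "nat_traversal": "esp-udp" in counts or "ike-natt" in counts,
            "plaintext_l2tp": "l2tp-plain" in counts}  # must be False with use-ipsec=require

# Constructed sample capture (not real traffic): a NAT-T session plus one unprotected L2TP packet.
SAMPLE_CAPTURE = [
    (UDP_PROTO, NATT_PORT, b"\x00\x00\x00\x00" + b"\x11" * 28),                 # IKE behind NAT
    (UDP_PROTO, NATT_PORT, b"\x0a\x0b\x0c\x0d\x00\x00\x00\x01" + b"\xaa" * 16),  # ESP in UDP
    (UDP_PROTO, NATT_PORT, b"\xff"),                                              # keepalive
    (UDP_PROTO, L2TP_PORT, b"\xc8\x02\x00\x0c" + b"\x00" * 8),                    # plain L2TP
]
```

A `plaintext_l2tp` hit on a server configured with `use-ipsec=require` means the UDP 1701 filter rule from Step 5 is admitting traffic the IPsec layer never saw, which is worth investigating.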
## RADIUS Authentication

L2TP integrates with RADIUS for centralised user authentication and accounting. RouterOS acts as a RADIUS client; an external RADIUS server (FreeRADIUS, Windows NPS, etc.) validates credentials and can supply per-user attributes such as IP address, rate limits, and session timeouts.
### Step 1 — Add the RADIUS Server

```
/radius add \
    service=ppp \
    address=10.0.0.3 \
    secret=RadiusSharedSecret \
    authentication-port=1812 \
    accounting-port=1813
```

`service=ppp` covers all PPP-family services, including L2TP.
### Step 2 — Enable RADIUS in PPP AAA

```
/ppp aaa set \
    use-radius=yes \
    accounting=yes \
    interim-update=5m
```

When `use-radius=yes`, RouterOS forwards each PPP authentication request to the RADIUS server. If RADIUS is unreachable, it falls back to local `/ppp secret` entries.
### Step 3 — Verify

```
# Check RADIUS client status and counters
/radius print
/radius monitor 0

# Watch authentication events in log
/log print follow where message~"radius|l2tp|ppp"

# Check active VPN sessions
/ppp active print
```

### RADIUS Attributes

RouterOS supports standard RADIUS attributes for PPP sessions:

| Attribute | Use |
|---|---|
| `Framed-IP-Address` | Assign a fixed IP to the client instead of using the pool |
| `Session-Timeout` | Maximum session duration in seconds |
| `Idle-Timeout` | Disconnect after this many seconds of inactivity |
| `Mikrotik-Rate-Limit` | Per-client upload/download rate limit (e.g. `10M/10M`) |
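To see how these attributes reach the router, and why the `secret=` in Step 1 must match the server's, the following added example (not RouterOS code or part of this page) encodes an Access-Accept carrying the four attributes above per RFC 2865, computes the Response Authenticator that the router checks against the shared secret, and decodes the packet back. The MikroTik vendor ID 14988 and vendor-type 8 for `Mikrotik-Rate-Limit` are taken from MikroTik's RADIUS dictionary; the identifier, request authenticator and user values in the usage are constructed.

```python
import hashlib, hmac, ipaddress, struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, SESSION_TIMEOUT, IDLE_TIMEOUT = 8, 26, 27, 28
MIKROTIK_VENDOR_ID = 14988   # MikroTik's IANA enterprise number
MIKROTIK_RATE_LIMIT = 8      # vendor-type of Mikrotik-Rate-Limit in the MikroTik dictionary

def avp(attr_type, value):
    """Encode one RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def mikrotik_vsa(vendor_type, value):
    """Vendor-Specific attribute in the RFC 2865 Vendor-Id + vendor-type/length form."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", MIKROTIK_VENDOR_ID) + inner)

def build_access_accept(identifier, request_auth, secret, ip, session_s, idle_s, rate_limit):
    """Build the Access-Accept a RADIUS server would return for one PPP user."""
    attrs = (avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
             + avp(SESSION_TIMEOUT, struct.pack("!I", session_s))
             + avp(IDLE_TIMEOUT, struct.pack("!I", idle_s))
             + mikrotik_vsa(MIKROTIK_RATE_LIMIT, rate_limit.encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """What the router checks before trusting the attributes: proves the peer knows the secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def parse_attributes(packet):
    """Decode the attributes from the table above into a dict keyed by RADIUS name."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            break                                   # malformed attribute, stop rather than loop
        value = packet[pos + 2:pos + length]
        if attr_type == FRAMED_IP_ADDRESS:
            out["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif attr_type in (SESSION_TIMEOUT, IDLE_TIMEOUT):
            name = "Session-Timeout" if attr_type == SESSION_TIMEOUT else "Idle-Timeout"
            out[name] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == MIKROTIK_VENDOR_ID:
            if value[4] == MIKROTIK_RATE_LIMIT:      # vendor-type, then vendor-length, then string
                out["Mikrotik-Rate-Limit"] = value[6:4 + value[5]].decode()
        pos += length
    return out
```

Note that only the Response Authenticator binds the packet to the shared secret; a reply built with a different secret (or replayed against another request authenticator) fails `verify_response`, which is why a mismatched `secret=` shows up as rejected replies rather than as a clean error.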
## Verification

```
# Check active IPsec security associations
/ip ipsec sa print

# Check installed IPsec policies
/ip ipsec policy print

# Check active IPsec peers
/ip ipsec peer print

# Check active PPP sessions
/ppp active print

# View L2TP-specific log entries
/log print where message~"l2tp"

# View IPsec log entries
/log print where message~"ipsec"
```

## Troubleshooting

### No connection established — no log entries

The IPsec handshake never starts. Check:
- UDP 500 and UDP 4500 are open in the router firewall input chain
- If behind upstream NAT, port forwarding for UDP 500, UDP 4500, and ESP is in place
- The client is using the correct server IP or hostname
### no matching proposal found

Phase 1 cipher mismatch between the client and router. Fix:

```
/ip ipsec profile set [find] enc-algorithm=aes-256,aes-128,3des \
    hash-algorithm=sha256,sha1 dh-group=modp2048,modp1536,modp1024
```

Adding weaker algorithms (sha1, modp1024, 3des) increases compatibility with older clients. Remove them again once the connection works if you want to enforce stronger ciphers.
### failed to pre-process ph2 packet

Phase 2 proposal mismatch. Verify:

- `pfs-group=none` is set on the proposal (required for most clients)
- Encryption and auth algorithms in the proposal match what the client offers
### authentication failed (PSK)

The pre-shared key on the client does not match `ipsec-secret` on the router. Re-enter both carefully — they are case-sensitive.
### authentication failed (PPP)

The PPP username or password is wrong, or the user's service is not `l2tp`. Verify:

```
/ppp secret print where name=vpnuser
```

### Phase 1 succeeds but L2TP session fails

IPsec is up but PPP fails. Check:

- The PPP profile `local-address` and `remote-address` pool are correct
- There are available IPs in the pool (`/ip pool print`)
- Authentication method matches (`mschap2` on both server and client)
### Flush stale IPsec SAs

If a previous session left stale security associations:

```
/ip ipsec sa flush
```

### Enable verbose logging

```
/system logging add topics=ipsec,!debug action=memory
/system logging add topics=l2tp,!debug action=memory
/log print follow where topics~"ipsec|l2tp"
```

Remove the extra logging rules after debugging:

```
/system logging remove [find topics~"ipsec"]
/system logging remove [find topics~"l2tp"]
```