Skip to content
MikroTik RouterOS Docs

L2TP VPN Server Configuration

L2TP VPN Server Configuration

Section titled “L2TP VPN Server Configuration”

TL;DR (Quick Start)

Section titled “TL;DR (Quick Start)”

L2TP/IPsec VPN Server (for Windows, macOS, iOS, Android clients):

# Create IP pool for VPN clients
/ip pool add name=vpn-pool ranges=192.168.99.2-192.168.99.50


# Create PPP profile
/ppp profile add name=l2tp-profile local-address=192.168.99.1 \
    remote-address=vpn-pool dns-server=8.8.8.8


# Create user credentials
/ppp secret add name=vpnuser password=SecurePass123 service=l2tp profile=l2tp-profile


# Enable L2TP server with IPsec
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret=YourIPsecSecret default-profile=l2tp-profile


# Add firewall rules (before drop rules)
/ip firewall filter add chain=input protocol=udp dst-port=500,4500,1701 action=accept \
    comment="Allow L2TP/IPsec VPN" place-before=0
/ip firewall filter add chain=input protocol=ipsec-esp action=accept \
    comment="Allow IPsec ESP" place-before=1

Overview

Section titled “Overview”
Overview diagram

What this covers: L2TP/IPsec VPN server configuration for remote access (“road warrior”) scenarios where clients connect from Windows, macOS, iOS, or Android devices.

When to use L2TP/IPsec:

  • Remote workers accessing office resources
  • Secure access to home network while traveling
  • Alternative to PPTP (which is deprecated and insecure)
  • When clients don’t support WireGuard or need native OS VPN

Why L2TP with IPsec:

  • L2TP alone provides no encryption - it’s just a tunneling protocol
  • IPsec provides encryption and authentication
  • Combined L2TP/IPsec is supported natively by Windows, macOS, iOS, and Android
  • Uses pre-shared key (PSK) authentication for simplicity

Prerequisites:

  • MikroTik router running RouterOS 7.x or later
  • Public IP address (or properly forwarded ports if behind NAT)
  • Understanding of IP addressing and firewall rules

Configuration Steps

Section titled “Configuration Steps”
Configuration Steps diagram

Step 1: Create an IP Pool for VPN Clients

Section titled “Step 1: Create an IP Pool for VPN Clients”

VPN clients need IP addresses from a dedicated subnet, separate from your LAN:

/ip pool add name=vpn-pool ranges=192.168.99.2-192.168.99.50

This pool provides 49 addresses for simultaneous VPN connections.

Subnet Selection

Use a different subnet for VPN clients than your LAN. Using the same subnet requires proxy-arp and causes complications. A separate subnet with proper routing is the recommended approach.

Step 2: Create a PPP Profile

Section titled “Step 2: Create a PPP Profile”

The profile defines settings applied to all L2TP connections:

/ppp profile add \
    name=l2tp-profile \
    local-address=192.168.99.1 \
    remote-address=vpn-pool \
    dns-server=8.8.8.8,8.8.4.4 \
    change-tcp-mss=yes

Parameter explanation:

ParameterPurpose
local-addressGateway IP for VPN tunnel (router’s address)
remote-addressPool name or specific IP for clients
dns-serverDNS servers pushed to VPN clients
change-tcp-mssAdjust MSS to prevent fragmentation issues

Step 3: Create User Credentials

Section titled “Step 3: Create User Credentials”

Add users who can connect to the VPN:

/ppp secret add \
    name=vpnuser \
    password=SecurePass123 \
    service=l2tp \
    profile=l2tp-profile

For multiple users:

/ppp secret add name=john password=JohnSecure456 service=l2tp profile=l2tp-profile
/ppp secret add name=jane password=JaneSecure789 service=l2tp profile=l2tp-profile

Optional: Assign static IP to specific user:

/ppp secret add name=admin password=AdminPass service=l2tp profile=l2tp-profile \
    remote-address=192.168.99.100

Step 4: Enable the L2TP Server with IPsec

Section titled “Step 4: Enable the L2TP Server with IPsec”

Enable the L2TP server and require IPsec encryption:

/interface l2tp-server server set \
    enabled=yes \
    use-ipsec=required \
    ipsec-secret=YourStrongIPsecSecret \
    default-profile=l2tp-profile \
    authentication=mschap2,mschap1,chap

Parameter explanation:

ParameterPurpose
enabledTurn on the L2TP server
use-ipsecrequired = only accept encrypted connections
ipsec-secretPre-shared key for IPsec (all clients use this)
default-profilePPP profile for connections
authenticationAllowed auth methods (avoid PAP for security)

Step 5: Configure Firewall Rules

Section titled “Step 5: Configure Firewall Rules”
Step 5: Configure Firewall Rules diagram

Allow VPN traffic through the firewall. These rules must be placed before any drop rules:

# Allow IKE (IPsec key exchange)
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept \
    comment="Allow IKE for L2TP/IPsec" place-before=0


# Allow NAT-Traversal (IPsec through NAT)
/ip firewall filter add chain=input protocol=udp dst-port=4500 action=accept \
    comment="Allow NAT-T for L2TP/IPsec" place-before=1


# Allow L2TP (only needed if not using IPsec transport)
/ip firewall filter add chain=input protocol=udp dst-port=1701 action=accept \
    comment="Allow L2TP" place-before=2


# Allow IPsec ESP protocol
/ip firewall filter add chain=input protocol=ipsec-esp action=accept \
    comment="Allow IPsec ESP" place-before=3

Alternative: Single combined rule:

/ip firewall filter add chain=input protocol=udp dst-port=500,4500,1701 action=accept \
    comment="Allow L2TP/IPsec VPN"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept \
    comment="Allow IPsec ESP"

Step 6: Allow VPN Clients to Access LAN

Section titled “Step 6: Allow VPN Clients to Access LAN”

Add a forward rule to allow traffic from VPN clients to your LAN:

/ip firewall filter add chain=forward src-address=192.168.99.0/24 action=accept \
    comment="Allow VPN clients to LAN" place-before=0
/ip firewall filter add chain=forward dst-address=192.168.99.0/24 action=accept \
    comment="Allow LAN to VPN clients" place-before=1

Step 7: Configure NAT (If VPN Clients Need Internet)

Section titled “Step 7: Configure NAT (If VPN Clients Need Internet)”

If VPN clients should access the internet through the VPN:

/ip firewall nat add chain=srcnat src-address=192.168.99.0/24 \
    out-interface-list=WAN action=masquerade comment="NAT for VPN clients"

Verification

Section titled “Verification”

Check L2TP Server Status

Section titled “Check L2TP Server Status”
/interface l2tp-server server print

Expected Output:

                   enabled: yes
                max-mtu: 1450
               max-mru: 1450
                  mrru: disabled
        authentication: pap,chap,mschap1,mschap2
       default-profile: l2tp-profile
            keepalive-timeout: 30
            allow-fast-path: no
              use-ipsec: required
           ipsec-secret: YourStrongIPsecSecret

View Active VPN Connections

Section titled “View Active VPN Connections”
/interface l2tp-server print

Expected Output (when clients connected):

Flags: D - dynamic, R - running
  #    NAME             USER      MTU  CLIENT-ADDRESS   UPTIME
 0 DR <l2tp-vpnuser>   vpnuser   1450 203.0.113.45     1h23m

View PPP Active Sessions

Section titled “View PPP Active Sessions”
/ppp active print

Check IPsec Status

Section titled “Check IPsec Status”
/ip ipsec active-peers print

Expected Output:

Flags: R - responder, N - natt-peer
  #    ID             STATE  UPTIME
  0 RN 203.0.113.45   established 1h23m

Test Connectivity from VPN Client

Section titled “Test Connectivity from VPN Client”

After connecting, verify the client received an IP:

/ppp active print detail

Client Configuration

Section titled “Client Configuration”

Windows 10/11

Section titled “Windows 10/11”
  1. Settings > Network & Internet > VPN > Add a VPN connection
  2. Configure:
    • VPN provider: Windows (built-in)
    • Connection name: My VPN
    • Server name or address: Your public IP or hostname
    • VPN type: L2TP/IPsec with pre-shared key
    • Pre-shared key: YourStrongIPsecSecret
    • Username: vpnuser
    • Password: SecurePass123
  3. Click Save, then Connect

Windows Behind NAT

If the Windows client is behind NAT (home router, corporate firewall), you may need to add a registry key:

PowerShell (Run as Administrator):

Terminal window
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" `
    -Name "AssumeUDPEncapsulationContextOnSendRule" -Type DWORD -Value 2 -Force
Restart-Computer

Values: 0 = disabled, 1 = server behind NAT, 2 = both client and server behind NAT

macOS

Section titled “macOS”
  1. System Preferences > Network > + (Add)
  2. Configure:
    • Interface: VPN
    • VPN Type: L2TP over IPSec
    • Service Name: My VPN
  3. Settings:
    • Server Address: Your public IP or hostname
    • Account Name: vpnuser
  4. Authentication Settings:
    • Password: SecurePass123
    • Machine Authentication: Shared Secret
    • Shared Secret: YourStrongIPsecSecret
  5. Click Apply, then Connect

iOS (iPhone/iPad)

Section titled “iOS (iPhone/iPad)”
  1. Settings > General > VPN & Device Management > VPN > Add VPN Configuration
  2. Configure:
    • Type: L2TP
    • Description: My VPN
    • Server: Your public IP or hostname
    • Account: vpnuser
    • Password: SecurePass123
    • Secret: YourStrongIPsecSecret
  3. Tap Done, then enable the VPN toggle

Android

Section titled “Android”
  1. Settings > Network & Internet > VPN > Add VPN
  2. Configure:
    • Name: My VPN
    • Type: L2TP/IPSec PSK
    • Server address: Your public IP or hostname
    • L2TP secret: (leave empty)
    • IPSec identifier: (leave empty)
    • IPSec pre-shared key: YourStrongIPsecSecret
    • Username: vpnuser
    • Password: SecurePass123
  3. Tap Save, then Connect

Common Scenarios

Section titled “Common Scenarios”

Scenario: VPN with Access to LAN Only (Split Tunnel)

Section titled “Scenario: VPN with Access to LAN Only (Split Tunnel)”

By default, VPN clients may route all traffic through the VPN. To allow only LAN access:

  1. On the VPN client, disable “Use default gateway on remote network” (Windows) or similar option
  2. The client will only route traffic to your LAN subnet through the VPN

Scenario: VPN Server Behind NAT

Section titled “Scenario: VPN Server Behind NAT”

If your MikroTik is behind another router/firewall, forward these ports:

  • UDP 500 (IKE)
  • UDP 4500 (NAT-T)
  • UDP 1701 (L2TP) - may not be needed if IPsec encapsulates it

Important

If the MikroTik is behind NAT, Windows clients need the registry modification mentioned above.

Scenario: Multiple VPN Clients Behind Same NAT

Section titled “Scenario: Multiple VPN Clients Behind Same NAT”

Only one L2TP/IPsec client can connect from behind the same NAT at a time. Each new connection from the same public IP will disconnect the previous client.

Workaround: Use different VPN protocols for multiple users behind the same NAT (e.g., one uses L2TP, another uses SSTP or WireGuard).

Scenario: VPN with Bandwidth Limiting

Section titled “Scenario: VPN with Bandwidth Limiting”

Apply per-user bandwidth limits:

/ppp profile add name=l2tp-limited local-address=192.168.99.1 \
    remote-address=vpn-pool rate-limit=5M/10M dns-server=8.8.8.8


/ppp secret set [find name=vpnuser] profile=l2tp-limited

Scenario: VPN with Static Routes to Remote Networks

Section titled “Scenario: VPN with Static Routes to Remote Networks”

Push routes to VPN clients for accessing specific remote networks:

/ppp secret set [find name=vpnuser] routes="10.10.0.0/24 192.168.99.1"

Troubleshooting

Section titled “Troubleshooting”

Problem: Windows Client Gets Error 809

Section titled “Problem: Windows Client Gets Error 809”
SymptomLikely CauseSolution
Error 809NAT blocking IPsecAdd registry key for NAT traversal (see Windows section)
Error 809Firewall blocking portsEnsure UDP 500, 4500 are open
Error 809ISP blocking VPNTry from different network, or use SSTP instead

Problem: Authentication Failed

Section titled “Problem: Authentication Failed”
CheckCommandSolution
Verify user exists/ppp secret printEnsure username/password are correct
Check service type/ppp secret print detailEnsure service=l2tp or service=any
Verify IPsec secretClient configurationMust match ipsec-secret on server

Problem: Connected but Can’t Ping LAN Devices

Section titled “Problem: Connected but Can’t Ping LAN Devices”
CauseSolution
Firewall blocking forwardAdd forward rules for VPN subnet
Wrong subnet/no routingUse different subnet for VPN, add routes
Windows firewall on targetAllow ICMP on target PC’s Windows firewall
Proxy-arp neededIf using same subnet as LAN, enable proxy-arp on bridge

Recommended approach - use NAT for VPN-to-LAN access:

/ip firewall nat add chain=srcnat src-address=192.168.99.0/24 \
    dst-address=192.168.88.0/24 action=masquerade

Problem: VPN Drops After a Few Minutes

Section titled “Problem: VPN Drops After a Few Minutes”
CauseSolution
NAT timeoutIncrease keepalive; check NAT device UDP timeout
DPD (Dead Peer Detection)Ensure client supports DPD
ISP interferenceSome ISPs interfere with VPN traffic

Problem: “Failed to pre-process ph2 packet”

Section titled “Problem: “Failed to pre-process ph2 packet””

This typically indicates IPsec negotiation issues:

# Enable IPsec debug logging
/system logging add topics=ipsec,debug action=memory


# View logs
/log print where topics~"ipsec"

Common causes:

  • Port 1701 being forwarded when it shouldn’t be (L2TP is encapsulated in IPsec)
  • Mismatched IPsec proposals between client and server
  • Double-NAT issues

Common Mistake

Don’t forward port 1701 if using IPsec. L2TP traffic is encapsulated inside IPsec, so the firewall never sees port 1701 directly. Only forward UDP 500 and 4500.

Security Considerations

Section titled “Security Considerations”
  1. Use strong passwords for both PPP secrets and IPsec pre-shared key
  2. Avoid PAP authentication - it sends passwords in cleartext: 
    /interface l2tp-server server set authentication=mschap2,mschap1,chap
  3. Limit connection attempts to prevent brute-force attacks
  4. Consider certificate-based IPsec for higher security (more complex setup)
  5. Monitor active connections regularly for unauthorized access
  6. Use different VPN subnet than LAN for easier access control

L2TP vs Other VPN Types

Section titled “L2TP vs Other VPN Types”
FeatureL2TP/IPsecWireGuardSSTPOpenVPN
Native OS supportYes (all)LimitedWindows/LinuxNo
Setup complexityMediumEasyMediumComplex
PerformanceGoodExcellentGoodGood
NAT traversalRequires configExcellentExcellentGood
Blocked by firewallsSometimesRarelyNo (uses HTTPS)Sometimes
SecurityGoodExcellentGoodGood
Section titled “Related Topics”

Prerequisites

Section titled “Prerequisites”

Alternative VPN Technologies

Section titled “Alternative VPN Technologies”
Section titled “Related Topics”

Reference

Section titled “Reference”

Official Documentation

Section titled “Official Documentation”

Quick Reference Commands

Section titled “Quick Reference Commands”
# L2TP Server
/interface l2tp-server server print       # View server config
/interface l2tp-server server set         # Modify server settings
/interface l2tp-server print              # View active L2TP connections


# PPP Management
/ppp profile print                        # View profiles
/ppp secret print                         # View user accounts
/ppp active print                         # View active sessions
/ppp active remove [find]                 # Disconnect all users


# IPsec Status
/ip ipsec active-peers print              # View IPsec peers
/ip ipsec installed-sa print              # View security associations
/ip ipsec policy print                    # View IPsec policies


# Debugging
/log print where topics~"l2tp|ipsec"      # View VPN-related logs