MikroTik L2TP Server | Setup Full

Enable the L2TP server. It listens on UDP port 1701. The command below points it at the encryption-enabled PPP profile, makes IPsec mandatory, and lowers the MTU/MRU so the L2TP and IPsec headers fit inside a normal 1500-byte path without fragmentation.

/interface l2tp-server server set enabled=yes default-profile=default-encryption use-ipsec=required max-mtu=1400 max-mru=1400

Pro Tip: Setting use-ipsec=required forces every client to negotiate IPsec before L2TP is accepted; no insecure L2TP-only connections are allowed. It also requires a pre-shared key in the same command (ipsec-secret=...), which RouterOS uses for the IPsec peer it creates automatically. Pick a long random value, since this one key is shared by every client.

View real-time logs:

/log print follow where topics~"ipsec|l2tp"

By default, the RouterOS IPsec proposal still permits legacy algorithms (SHA-1 authentication and a 1024-bit DH group for PFS). For modern security, restrict it to strong ciphers.

CLI:

/ip ipsec proposal set [find default] name=default \
  auth-algorithms=sha256 \
  enc-algorithms=aes-256-cbc \
  lifetime=8h \
  pfs-group=modp2048

To verify:

/ip ipsec proposal print

Note: Older clients (e.g., Windows 7 without updates) may fail with SHA-256. If needed, add sha1 as a secondary option (auth-algorithms=sha256,sha1), but understand this reduces security. Likewise, many built-in OS clients do not propose PFS for the ESP SA; if phase 2 fails with a PFS or group mismatch in the log, set pfs-group=none (the IKE exchange still uses its own DH group).


Optional shaping and hardening: cap the VPN subnet's bandwidth, and rate-limit IKE negotiations so a host guessing pre-shared keys is blocked for an hour. Rule order matters: the drop rule comes first so that a flagged source is blocked immediately, and add-src-to-address-list is a pass-through action, so a packet that triggers it continues to the following rules.

/queue simple add name=vpn-limit target=192.168.100.0/24 max-limit=10M/10M
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 src-address-list=bruteforce-ipsec action=drop comment="Drop IPsec bruteforce"
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 connection-limit=10,32 action=add-src-to-address-list address-list=bruteforce-ipsec address-list-timeout=1h comment="Flag IKE flooders"

The threshold counts per source /32, so several legitimate clients behind one NAT gateway share the budget of 10 connections; raise it if that is your situation.

The profile defines how clients are treated after authentication—IP assignment, DNS, and routing.

CLI:

/ppp profile set default-encryption \
  local-address=192.168.100.1 \
  remote-address=l2tp-pool \
  dns-server=8.8.8.8,1.1.1.1 \
  use-encryption=yes \
  change-tcp-mss=yes \
  only-one=yes

Explanation of key fields:

local-address: the address the router presents as its own end of every PPP link.
remote-address: the pool (l2tp-pool) from which each client receives its address.
dns-server: resolvers pushed to the client for the duration of the session.
use-encryption: require PPP-level (MPPE) encryption in addition to IPsec.
change-tcp-mss: clamp the TCP MSS of tunnelled connections so they fit the 1400-byte MTU instead of fragmenting.
only-one: allow a single simultaneous session per secret, so a leaked credential cannot be used from several places at once.
Registry fix for Windows clients behind NAT: the built-in Windows client refuses L2TP/IPsec when both ends are behind NAT unless NAT-T is explicitly allowed.
Create the DWORD value AssumeUDPEncapsulationContextOnSendRule under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent and set it to 2, then reboot (1 permits only a server behind NAT; 2 permits both client and server behind NAT).

Allow traffic between the VPN subnet and the LAN. Place both rules above any drop rule in the forward chain, otherwise they never match.

/ip firewall filter add chain=forward src-address=192.168.100.0/24 dst-address=192.168.1.0/24 action=accept comment="VPN->LAN"
/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.100.0/24 action=accept comment="LAN->VPN"

With the IP addressing sorted, the next step is to enable the L2TP service.
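The steps on this page (pool, profile, server, proposal, firewall, queue) appear out of order above. The following is an added example, not code from the original page, that assembles them into one ordered RouterOS 7 configuration and extends the firewall so that L2TP on UDP 1701 is only accepted when it arrives inside an IPsec policy. Assumed values that are not on the page: the pool range 192.168.100.2-254, the user name alice, the mschap2-only authentication setting, the IKE phase 1 profile hardening, and the two placeholder secrets, which must be replaced.

```routeros
# Added example (not from the original page): complete L2TP/IPsec server
# setup for RouterOS 7, in the order the pieces depend on each other.
# Assumptions: LAN 192.168.1.0/24, VPN pool 192.168.100.2-254, one user
# "alice", both secrets below replaced with long random strings.

# 1. Address pool handed to clients
/ip pool add name=l2tp-pool ranges=192.168.100.2-192.168.100.254

# 2. PPP profile: what a client gets after it authenticates
/ppp profile set default-encryption \
  local-address=192.168.100.1 remote-address=l2tp-pool \
  dns-server=8.8.8.8,1.1.1.1 use-encryption=yes \
  change-tcp-mss=yes only-one=yes

# 3. A user; service=l2tp stops the same credential working for PPTP/SSTP
/ppp secret add name=alice password="REPLACE-with-long-random-password" \
  service=l2tp profile=default-encryption

# 4. IKE phase 1 (assumption: clients support AES-256/SHA-256/DH group 14;
#    keep the stock values until you have verified yours in the log)
/ip ipsec profile set [find name=default] \
  hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
  nat-traversal=yes

# 5. ESP phase 2, as recommended on this page. If clients fail here with a
#    PFS/group mismatch, change to pfs-group=none (built-in OS clients
#    commonly do not propose PFS for ESP).
/ip ipsec proposal set [find name=default] \
  auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
  lifetime=8h pfs-group=modp2048

# 6. The L2TP server. use-ipsec=required rejects bare L2TP, ipsec-secret is
#    the PSK for the IPsec peer RouterOS creates automatically, and
#    authentication=mschap2 refuses PAP/CHAP inside the tunnel.
/interface l2tp-server server set enabled=yes \
  default-profile=default-encryption \
  use-ipsec=required ipsec-secret="REPLACE-with-long-random-psk" \
  authentication=mschap2 max-mtu=1400 max-mru=1400

# 7. Firewall, input chain. Keep these ahead of the chain's final drop.
#    Flagged sources are dropped first; the flagging rule is pass-through,
#    so unflagged IKE traffic falls through to the accept rule. UDP 1701 is
#    accepted only when the packet was decapsulated from IPsec.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 \
  src-address-list=bruteforce-ipsec action=drop comment="Drop IPsec bruteforce"
add chain=input protocol=udp dst-port=500,4500 connection-limit=10,32 \
  action=add-src-to-address-list address-list=bruteforce-ipsec \
  address-list-timeout=1h comment="Flag IKE flooders"
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
  action=accept comment="L2TP only inside IPsec"
add chain=input protocol=udp dst-port=1701 action=drop comment="Bare L2TP"

# 8. Forward chain: VPN <-> LAN
add chain=forward src-address=192.168.100.0/24 dst-address=192.168.1.0/24 \
  action=accept comment="VPN->LAN"
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.100.0/24 \
  action=accept comment="LAN->VPN"

# 9. Optional bandwidth cap for the whole VPN subnet
/queue simple add name=vpn-limit target=192.168.100.0/24 max-limit=10M/10M

# 10. Checks once a client connects: an IKE peer, installed ESP SAs,
#     and a PPP session should all be present
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ppp active print
/log print where topics~"ipsec|l2tp"
```

Paste it into a terminal section by section rather than all at once, so that a typo in the firewall block does not lock you out of the router, and watch `/log print follow where topics~"ipsec|l2tp"` during the first client connection: a phase 1 failure points at step 4, a phase 2 failure at step 5, and an L2TP error with IPsec already up at the profile or secret.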
