Mikrotik device as a L2TP/IPSec client

In the previous post we showed a Mikrotik router as an L2TP/IPSec server. In that scenario the clients were either Windows machines or mobile devices running Android or Apple iOS. Here is a new scenario: we may need to use another Mikrotik device as the VPN client.

The most common scenario is that you want to connect a remote network to the main network. With an L2TP/IPSec VPN connection you get a routable tunnel and the full strength of IPSec encryption at the same time.

The benefits of this combination are clear. The routed tunnel is an interface: we can assign an IP address to it and use it like any other network interface. On the other hand, the IPSec part protects the tunnel with strong encryption. Furthermore, the IPSec policies are very simple, because IPSec runs in transport mode and only has to protect the L2TP packets between the two endpoints.

You can find the following tutorials related to the L2TP/IPSec VPN clients on my blog:

Our scenario

In today's scenario, we will add two more devices to our virtual network.

00 Virtual laboratory

These two Mikrotik devices will use the same mechanism as the Windows clients to connect to the network. In the first step, both Mikrotik routers establish a PPPoE connection. In the second step, they use this link to establish the VPN connection to the Contoso router.

The setup procedure depends on the RouterOS version. Therefore, we will show the setup on one device running RouterOS 6.36.3 and on one running 5.26.

Mikrotik devices with RouterOS v6.x

On Mikrotik devices running RouterOS version 6.x, you can set up the L2TP/IPSec VPN connection in a minute. Everything can be done in one window or with a single command line.

Click the PPP menu item. A new window opens, listing all PPP connections on the device. Click the [ + ] button and a drop-down menu shows all available PPP interface types.

Choose the L2TP Client option from the list. A new window opens. You should configure all the options printed in blue and framed in red.

We need to enter the IP address of the VPN server and the access credentials. We also need to choose the authentication protocol. It is strongly advised to use the protocols checked in the screenshot.

As the last step, check the box next to the label Use IPSec and type the IPSec pre-shared key into the field named IPSec Secret.

Click the [ Apply ] button. Mikrotik creates the new VPN connection, including the IPSec part. In a short while, Mikrotik updates the status of the connection.
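The same configuration from the RouterOS v6 command line, added here as an example that is not part of the original post. The server address, credentials, pre-shared key, interface name and remote LAN prefix are placeholders, and the choice of MS-CHAPv2 as the only allowed PPP authentication protocol is an assumption about which protocols were ticked in the screenshot.

```routeros
# Added example, not from the original post. All values are placeholders:
#   203.0.113.10                public address of the Contoso L2TP/IPSec server
#   vpnuser / VpnUserPassw0rd   L2TP credentials
#   IpsecPreSharedKey           the IPSec secret (use a long random value)
#   l2tp-contoso                the name chosen for the client interface
#   192.168.10.0/24             the LAN behind the Contoso router

# One command creates the L2TP client; use-ipsec=yes also creates the dynamic
# IPSec peer and the dynamic transport-mode policy that appear under IP > IPSec.
# allow=mschap2 restricts PPP authentication to MS-CHAPv2 (assumption, see above).
/interface l2tp-client add name=l2tp-contoso connect-to=203.0.113.10 \
    user=vpnuser password=VpnUserPassw0rd allow=mschap2 \
    use-ipsec=yes ipsec-secret=IpsecPreSharedKey \
    add-default-route=no disabled=no

# The tunnel is a normal routable interface: route the remote LAN through it
# instead of replacing the default route (add-default-route=no above).
/ip route add dst-address=192.168.10.0/24 gateway=l2tp-contoso

# Verification, mirroring the GUI tabs used in the post
/interface l2tp-client monitor l2tp-contoso once
/ip ipsec peer print
/ip ipsec policy print
/ip ipsec installed-sa print
```

The `monitor` command shows the status and the local and remote tunnel addresses; `policy print` should list a dynamic policy for UDP port 1701 with tunnel=no, and `installed-sa print` should list one ESP security association in each direction. If the L2TP client shows connected but no installed SAs appear, the `use-ipsec` part did not negotiate and the tunnel is running unencrypted, which is the situation the v5 section below fixes by hand.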

Congratulations! You have just successfully made the VPN connection.

We can check the IPSec parameters. Open IP > IPSec and choose the Peers tab. There is a dynamically defined peer with the address of the Contoso router.

Choose the Policies tab and check the dynamic policy for transport mode.

On the Contoso side, the L2TP user is connected.

At the same time, we have an active dynamic IPSec policy.

In the connection process, there is no difference between a Mikrotik device and any other kind of client.

Mikrotik devices with RouterOS v5.26 and earlier

Our second Mikrotik device uses RouterOS v5.26. On all RouterOS versions up to 5.26, we can set up the L2TP/IPSec connection, but it takes a few more steps.

Here is the secret: we need to make the IPSec part manually. This is very similar to the scenario where one side is behind NAT. But you will see.

The first step is the same. Open the PPP menu. In the PPP window, open the drop-down menu with the list of available PPP interfaces and again select L2TP Client.

The newly opened window looks familiar, as it is very similar to the one in RouterOS v6. The difference is that there is no IPSec section.

Fill in all the necessary fields and click the [ Apply ] button. Mikrotik creates the new VPN interface and, in a short while, we see the connection status update.

Congratulations again! You have successfully made the L2TP tunnel. Alas, the tunnel is unencrypted.

However, the encryption is not a problem for us. We already know how to set up an IPSec tunnel, so we will configure it in a minute. In addition, don't forget to write down all the necessary parameters. The best way is to keep one document describing your IPSec configuration.

We need to define the IPSec peer. The biggest change here is that the IPSec exchange mode is main-l2tp.

The next step is the IPSec policy, which we also need to create manually. This is transport mode; therefore the policy source address is the same as the SA source address.

On the Action tab we must enter the same IPs as on the General tab. In addition, we need to leave the Tunnel checkbox unchecked.

Pay attention that you are using the default proposal here. You should check its settings, as there can be differences between older and newer versions. Newer versions use the SHA1 authentication algorithm by default, while older versions use 3DES.
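The whole manual procedure for RouterOS v5 (L2TP client, IPSec peer, transport-mode policy and proposal check) from the command line, added here as an example that is not part of the original post. The server address, this router's public address, credentials, pre-shared key and interface name are placeholders; the AES setting replaces the default 3DES and is a suggestion, not something the post configures.

```routeros
# Added example, not from the original post. Placeholders:
#   203.0.113.10        public address of the Contoso L2TP/IPSec server
#   198.51.100.20       this router's own PPPoE (public) address
#   vpnuser / VpnUserPassw0rd   L2TP credentials
#   IpsecPreSharedKey   the IPSec secret

# Step 1: the plain L2TP client. RouterOS v5 has no use-ipsec option here,
# so this tunnel carries PPP without any encryption until step 2 and 3 are done.
/interface l2tp-client add name=l2tp-contoso connect-to=203.0.113.10 \
    user=vpnuser password=VpnUserPassw0rd allow=mschap2 disabled=no

# Step 2: the IPSec peer, with exchange mode main-l2tp as in the screenshot.
# generate-policy=no because the policy is created by hand in step 3.
/ip ipsec peer add address=203.0.113.10/32 auth-method=pre-shared-key \
    secret=IpsecPreSharedKey exchange-mode=main-l2tp generate-policy=no

# Step 3: the transport-mode policy (tunnel=no). The policy src/dst addresses
# equal the SA src/dst addresses, and limiting it to UDP/1701 in both
# directions means only the L2TP traffic is protected, nothing else.
/ip ipsec policy add src-address=198.51.100.20/32 src-port=1701 \
    dst-address=203.0.113.10/32 dst-port=1701 protocol=udp \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=198.51.100.20 sa-dst-address=203.0.113.10 proposal=default

# Step 4: inspect the default proposal before relying on it. On old versions it
# offers 3DES; replace it with AES and SHA1. The value name differs by version
# (aes-256 on v5.x, aes-256-cbc on v6.x), so check the print output first, and
# the Contoso side must accept the same algorithms or phase 2 will fail.
/ip ipsec proposal print
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-256

# Check the result: one ESP SA in each direction means the tunnel is encrypted
/ip ipsec installed-sa print
/ip ipsec policy print
```

`level=require` matters: with it, the policy refuses to pass matching packets until the SA exists, so a failed IPSec negotiation leaves the L2TP tunnel down instead of silently running it in the clear. If you later change the proposal on either side, flush and re-check the installed SAs rather than assuming the old ones were renegotiated.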

Switch to the Installed SAs tab and we can see that the tunnel is established.

We check the Contoso side again. Our new router is connected using the IPSec protocol.

The main difference is that this tunnel is not limited to UDP port 1701, the port used for L2TP tunneling. If you like, you can specify the port number on the General tab on the client router. Then the IPSec tunnel will protect only the L2TP traffic.

We can also see the SAs for this connection on the Installed SAs tab. We left the default IPSec proposal settings on the client side, and the encryption algorithm is the ancient 3DES.

A few words on the network ports

At the end of this article, we will make a short analysis of the network ports used for these connections. Open IP > Firewall and select the Connections tab.

33 - Firewall connections

Every client connection consists of three connections; three connections make one tunnel.

I will not go too deep into the TCP/IP protocols. In short, TCP/IP is a suite of protocols, and every protocol has its number. Two well-known protocols, TCP and UDP, have the numbers 6 and 17 respectively.

We need the UDP protocol for the L2TP tunnel. This connection uses port 1701, and both sides use the same port number.

Then we need UDP port 500 to establish the first IPSec phase. This is the second communication channel. Again, both sides use the same port number. Alternatively, if the IPSec traffic passes through a NAT device, we will see UDP port 4500 instead.

The third channel is between the devices exchanging the IPSec traffic, which in our case are the routers themselves. Regardless of whether IPSec runs in tunnel or transport mode, this third channel uses one of two specific protocols.

IPSec can use either the ESP protocol (number 50) or the AH protocol (number 51). In most cases we use ESP, because it encrypts the payload.

In our screenshot, we can see that an L2TP channel, an IPSec phase 1 channel and an IPSec ESP channel together form a single L2TP/IPSec connection.

When you have a problem establishing an L2TP/IPSec connection, the first step is to check the VPN settings again, and the second is to check the firewall settings. Check that these ports and protocols are allowed into the device (the input chain). If they are not explicitly allowed in the firewall rules, your router will block them.
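Input-chain rules on the server side that admit exactly the three channels described above, and a way to inspect them in the connection table, added here as an example that is not part of the original post. The WAN interface name and the client's public address are placeholders, and the `ipsec-policy` matcher on the L2TP rule is a RouterOS v6 feature.

```routeros
# Added example, not from the original post. Placeholders:
#   ether1-wan      the Contoso router's WAN interface
#   198.51.100.20   public address of one VPN client (for the connection check)

/ip firewall filter
# Keep replies to already accepted traffic flowing
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
# Channel 2: IKE (phase 1) on UDP/500, or UDP/4500 when NAT-T is in use
add chain=input in-interface=ether1-wan protocol=udp dst-port=500,4500 \
    action=accept comment="L2TP/IPSec: IKE and NAT-T"
# Channel 3: ESP, IP protocol 50, the encrypted channel itself
add chain=input in-interface=ether1-wan protocol=ipsec-esp \
    action=accept comment="L2TP/IPSec: ESP"
# Channel 1: L2TP on UDP/1701. With transport-mode IPSec it arrives inside ESP
# and is matched after decryption; ipsec-policy=in,ipsec (RouterOS v6) accepts
# L2TP only when it came in through IPSec, so unencrypted L2TP is refused.
add chain=input in-interface=ether1-wan protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP/IPSec: L2TP over IPSec"
# Everything else arriving from the WAN is dropped; keep this rule last
add chain=input in-interface=ether1-wan action=drop comment="drop other WAN input"

# Inspect the tracked connections for one client: expect UDP/1701, UDP/500
# (or 4500) and ipsec-esp, i.e. the three connections that make one tunnel
/ip firewall connection print where src-address~"^198.51.100.20"
```

Rule order matters: the accept rules must sit above the final drop, so on a router that already has an input chain, use `place-before=` to insert them ahead of the existing drop rule. If a client shows only the UDP/500 connection and never an ESP entry, phase 1 completed but phase 2 (proposal or policy) did not, which is the mismatch the proposal check in the v5 section is meant to catch.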

That is a theme for another article: the Mikrotik Firewall.

Stay tuned.
