
MikroTik Site to Site VPN with L2TP/IPsec

VPN (Virtual Private Network) is a technology that provides a secure and encrypted tunnel across a public network. A private network user can send and receive data to any remote private network using this VPN Tunnel as if his/her network device was directly connected to that private network.

MikroTik L2TP server is one of the most popular VPN services. It provides a secure and encrypted tunnel across a public network for transporting IP traffic using PPP. L2TP/IPsec is more secure than MikroTik PPTP VPN server because it uses the IP security (IPsec) protocol suite, which authenticates and encrypts the packets of data sent over a network. MikroTik L2TP Server can be applied in two methods.

The goal of this article is to establish a secure and encrypted virtual link between two routers using L2TP Tunnel across public network. So, in this article I will show how to configure L2TP/IPsec VPN Server and Client in MikroTik Router for establishing a site to site VPN tunnel.

Network Diagram

To configure a Site to Site L2TP Tunnel with MikroTik Router, I am following the network shown in the diagram below.

Site to Site L2TP over IPsec Network

In this network, R1 Router is connected to the internet through its ether1 interface, which has IP address 192.168.30.2/30. In your real network this IP address should be replaced with a public IP address. R1 Router’s ether2 interface is connected to the local network 10.10.11.0/24. We will configure the L2TP/IPsec server in this router, and after L2TP configuration the router will create a virtual interface (L2TP Tunnel) across the public network whose IP address will be 172.22.22.1. On the other hand, R2 Router is a remote router that can reach R1 Router’s WAN IP. R2 Router’s ether1 interface is connected to the internet with IP address 192.168.40.2/30, and ether2 has the local IP network 10.10.12.0/24. We will configure the L2TP client in this router, and after configuration the router will have a virtual interface (L2TP Tunnel) across the public network whose IP address will be 172.22.22.2.

Site to Site L2TP/IPsec Configuration in MikroTik Router

We will now start our Site to Site L2TP/IPsec configuration in MikroTik Router according to the above network diagram. The complete configuration can be divided into two parts.

Part 1: R1 Router Configuration

We will configure L2TP Server in R1 MikroTik RouterOS. Complete RouterOS configuration can be divided into three steps.

Step 1: MikroTik Router Basic Configuration

In first step, we will assign WAN, LAN and DNS IP and perform NAT and Route configuration. The following steps will show how to do these topics in your MikroTik RouterOS.

Basic RouterOS configuration has been completed. Now it is time to enable L2TP Server with IPsec in our MikroTik Router.

Step 2: Enabling L2TP Server with IPsec

We will now enable L2TP Server in our MikroTik Router. The following steps will show how to enable L2TP Server as well as IPsec authentication in MikroTik RouterOS.

L2TP Server with IPsec is now running in our MikroTik Router. The next step is to configure PPP user who will be authenticated to connect to L2TP Server for establishing a L2TP Tunnel.

Step 3: PPP User Configuration for L2TP Server

We will now create PPP secrets (username and password) that are required to connect to L2TP Server. We will assign local and remote virtual interface IP as well. We will also add a static route in routing table to reach the client router’s private network. The following steps will show how to do these topics in your MikroTik Router.

User configuration for L2TP Server has been completed. Whenever the user you created connects from the L2TP client router (R2 Router), the Remote Address IP will be assigned to its virtual interface and the routes will be created in R1 Router’s routing table so that R1 Router’s local network can reach the remote router’s (R2 Router) local network.

R1 Router configuration has been completed. Now R1 Router is ready to create L2TP Tunnel for its L2TP user. In the next part, we will configure our R2 Router so that it can connect to R1 Router through a L2TP Tunnel to reach R1 Router’s local network.

Part 2: R2 Router Configuration

According to our network diagram, R2 Router is working as a L2TP client router. So, we will configure L2TP client in R2 Router. Complete RouterOS configuration can be divided into three steps.

Step 1: Basic RouterOS Configuration

Basic RouterOS configuration includes assigning WAN, LAN and DNS IP as well as NAT and Route configuration. The following steps will guide you about basic RouterOS configuration.

Basic RouterOS configuration in R2 Router has been completed. Now it is time to create L2TP client in our MikroTik Router.

Step 2: L2TP Client Configuration

After completing RouterOS basic configuration, we will now configure L2TP client in R2 Router. The following steps will show you how to create L2TP client in your MikroTik Router.

As soon as you provide the above information, a L2TP Tunnel will be created between R1 and R2 Router and provided local and remote IP address will be assigned in R1 and R2 Router’s virtual interface respectively. At this stage, R1 Router as well as its local network will be able to reach R2 Router and its local network but R2 Router and its local network will only be able to reach R1 Router but not its local network. To reach R1 Router’s local network, a static route must be added in R2 Router’s routing table.

Step 3:  Static route configuration

After configuring L2TP Client in R2 Router, R2 Router can only access R1 Router but not its local network. To solve this issue, a route is required in R2 Router’s routing table. The following steps will show how to add a route in R2 Router’s routing table statically.

Now R2 Router and its local network will be able to access R1 Router’s local network.

R1 Router and R2 Router configuration for establishing an L2TP Tunnel between them has been completed. Now both routers’ local networks are able to access each other. To check your configuration, send a ping request from any machine in one local network to a machine in the other local network. If everything is OK, your ping request will succeed.
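The procedure described above, written as RouterOS terminal commands for both routers; this is an added example, not configuration taken from the original article. The upstream gateways (192.168.30.1, 192.168.40.1), the LAN-side router addresses (10.10.11.1, 10.10.12.1), the user name `r2-site`, the interface name `l2tp-to-r1`, the input filter rules and the `<...>` secrets are assumptions or placeholders; DNS setup is omitted.

```routeros
# Added example. Assumed: gateways 192.168.30.1 / 192.168.40.1, LAN addresses
# 10.10.11.1 / 10.10.12.1, user "r2-site", interface "l2tp-to-r1".
# <IPSEC_PSK> and <PPP_PASSWORD> are placeholders for long random secrets.

# ===== R1: L2TP/IPsec server =====
/ip address add address=192.168.30.2/30 interface=ether1
/ip address add address=10.10.11.1/24 interface=ether2
/ip route add gateway=192.168.30.1
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# use-ipsec=required refuses L2TP sessions that are not protected by IPsec
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret="<IPSEC_PSK>" authentication=mschap2

# PPP user, tunnel addresses, and the route to R2's LAN installed on connect
/ppp secret add name=r2-site password="<PPP_PASSWORD>" service=l2tp \
    local-address=172.22.22.1 remote-address=172.22.22.2 \
    routes="10.10.12.0/24 172.22.22.2 1"

# Input filter: IKE/NAT-T and ESP from R2 only; L2TP only if it arrived in IPsec
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 \
    src-address=192.168.40.2 action=accept
/ip firewall filter add chain=input protocol=ipsec-esp \
    src-address=192.168.40.2 action=accept
/ip firewall filter add chain=input protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept
/ip firewall filter add chain=input protocol=udp dst-port=1701 action=drop

# ===== R2: L2TP/IPsec client =====
/ip address add address=192.168.40.2/30 interface=ether1
/ip address add address=10.10.12.1/24 interface=ether2
/ip route add gateway=192.168.40.1
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

/interface l2tp-client add name=l2tp-to-r1 connect-to=192.168.30.2 \
    user=r2-site password="<PPP_PASSWORD>" use-ipsec=yes \
    ipsec-secret="<IPSEC_PSK>" allow=mschap2 disabled=no

# Static route to R1's LAN through the tunnel
/ip route add dst-address=10.10.11.0/24 gateway=l2tp-to-r1

# ===== Verification (run on R2) =====
/interface l2tp-client monitor l2tp-to-r1 once
/ip ipsec installed-sa print
/ping 10.10.11.1 src-address=10.10.12.1 count=4
```

The filter rules are appended to the end of the input chain, so on a router that already has rules they must be moved above any existing drop rule. An empty `installed-sa` list while the tunnel shows as connected means the L2TP session is running without IPsec protection.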

MikroTik VPN configuration with Site to Site L2TP/IPsec Service has been explained in this article. I hope you will be able to configure your Site to Site VPN with MikroTik L2TP service if you follow the explanation carefully. However, if you face any confusion in doing the above steps properly, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.