tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau

L2TP with IP Sec Server

Tue Feb 16, 2021 9:06 pm

Hi,

I tried to follow many L2TP server tutorials on the internet. Unfortunately, I still can't get it to work.
Would anyone share a good tutorial with me so I can follow it?
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP with IP Sec Server

Tue Feb 16, 2021 9:28 pm

What is wrong about the manual, and how exactly does your setup "not work"?
 
tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau

Re: L2TP with IP Sec Server

Wed Feb 17, 2021 11:13 am

What is wrong about the manual, and how exactly does your setup "not work"?
I just found that even though I added a firewall rule to allow 1701, 500 and 4500, another firewall rule which I copied and pasted from the MikroTik basic firewall setup page was still blocking the connection.
So I disabled every firewall setting, then reconfigured L2TP, and it works. However, I still can't get IPsec to work.

I read many articles. Adding IPsec is not difficult: just change "Use IPsec" to yes and fill in the "IPsec Secret", but it doesn't work for me.
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP with IP Sec Server

Wed Feb 17, 2021 11:34 am

First, switching firewall completely off is a very bad idea. The filth from the net is incredibly fast to squat in.

Second, do you realize that the order of rules in the firewall matters, as the rules in each chain are evaluated from the first (topmost) one towards the last (bottommost) one until the first match, i.e. if you have e.g.

chain=forward action=drop
chain=forward action=accept protocol=udp dst-port=500,1701,4500


no packet will ever reach the accept rule because it will match the drop one first?

Third, the IPsec configuration generated dynamically if use-ipsec is set to yes or required is created using the default profile, default proposal, and default policy template. The parameters of the default profile and proposal may not be compatible with the settings expected by your L2TP/IPsec client, and if there is any other IPsec configuration already present, it may be in conflict with the dynamically created one. That's why I was asking what actually doesn't work.

So the first check is that the dynamic IPsec configuration has indeed been created, and that there is no other IPsec configuration interfering with it:
/ip ipsec profile print
/ip ipsec proposal print
/ip ipsec peer print
/ip ipsec identity print
/ip ipsec policy print


If everything is right here - a single profile (default), a single proposal (default), a single peer (dynamically created), a single identity (dynamically created and linked to the only peer), a single policy template, the next step will be to activate logging of IPsec, make a client connection attempt, and read the log to find out what the issue is.

Feel free to ask for details of any step which is not clear to you.
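As an added illustration of the first-match evaluation described above (this is not code from the thread or from MikroTik), the following Python simulator parses export-style filter rules and walks a chain top-down; the rule text and the packet are constructed samples mirroring the UDP 500/1701/4500 accept rule from this thread.

```python
import re

# Constructed samples in RouterOS 'export' syntax. Line order is evaluation order.
BAD_ORDER = """\
add action=drop chain=input
add action=accept chain=input dst-port=1701,500,4500 in-interface=ether1 protocol=udp
"""
GOOD_ORDER = """\
add action=accept chain=input comment="Accept L2TP VPN" dst-port=\\
1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input connection-state=established,related
add action=drop chain=input
"""
# Constructed packet: a new IKE (UDP/500) session arriving on the WAN port.
IKE_PACKET = {"chain": "input", "protocol": "udp", "dst-port": 500,
              "in-interface": "ether1", "connection-state": "new"}

def parse_rules(export_text):
    """Turn 'add key=value ...' lines into dicts; comma-separated matchers become sets."""
    text = export_text.replace("\\\n", "")          # join export line continuations
    rules = []
    for line in text.splitlines():
        if not line.startswith("add "):
            continue
        rule = {}
        for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:]):
            val = val.strip('"')
            rule[key] = set(val.split(",")) if key in ("dst-port", "connection-state") else val
        rules.append(rule)
    return rules

def matches(rule, pkt):
    """A rule matches only when every matcher it specifies agrees with the packet."""
    for key in ("chain", "protocol", "in-interface"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "dst-port" in rule and str(pkt["dst-port"]) not in rule["dst-port"]:
        return False
    if "connection-state" in rule and pkt["connection-state"] not in rule["connection-state"]:
        return False
    return True

def evaluate(rules, pkt):
    """First-match semantics: return (rule index, action) of the first matching rule."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule["action"]
    return None, "accept"   # no match: RouterOS filter chains accept by default
```

With the drop rule on top, the IKE packet hits rule 0 (drop) and never reaches the accept rule; with the accept rule first, the same packet is accepted at rule 0 while unrelated new traffic still falls through to the final drop.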
 
tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau

Re: L2TP with IP Sec Server

Wed Feb 17, 2021 1:04 pm

Hi Sindy,

Thanks. Now I realize the firewall rules have to be put in the correct order.

Below is the output of those IPsec commands.

[admin@Router] > /ip ipsec profile print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5
[admin@Router] > /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
[admin@Router] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
[admin@Router] > /ip ipsec identity print
Flags: D - dynamic, X - disabled
[admin@Router] > /ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T *
 
sindy
Forum Guru
Posts: 11278
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP with IP Sec Server

Wed Feb 17, 2021 3:18 pm

Since there is no peer and no identity, the dynamic generation of IPsec configuration for L2TP did not happen. Can you post the output of /interface l2tp-server export or, even better, a complete export?
 
tonify
just joined
Topic Author
Posts: 21
Joined: Fri Sep 04, 2020 11:57 pm
Location: Macau

Re: L2TP with IP Sec Server

Wed Feb 17, 2021 4:49 pm

Hi Sindy,

Below is the router config.
However, the same settings were applied more than 10 times. Somehow, the L2TP server with IPsec eventually started working.

# feb/17/2021 22:25:57 by RouterOS 6.48.1
# software id = MPYV-N028
#
# model = RB4011iGS+
# serial number = D4450C9894D9
/caps-man datapath
add local-forwarding=yes name=datapath1
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security1 \
passphrase=xxx
/caps-man configuration
add datapath=datapath1 mode=ap name=cfg1 security=security1 ssid=xxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool3 ranges=192.168.3.10-192.168.3.253
add name=dhcp_pool1 ranges=192.168.1.1-192.168.1.253
add name=dhcp_pool2 ranges=192.168.2.1-192.168.2.253
add name=dhcp_pool9 ranges=192.168.9.2-192.168.9.50
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=sfp-sfpplus1 name=dhcp1 \
relay=192.168.3.254
add address-pool=dhcp_pool1 disabled=no interface=sfp-sfpplus1 name=dhcp2 \
relay=192.168.1.254
add address-pool=dhcp_pool2 disabled=no interface=sfp-sfpplus1 name=dhcp3 \
relay=192.168.2.254
/ppp profile
add local-address=192.168.9.1 name=L2TP_Profile remote-address=dhcp_pool9 \
use-encryption=no
add local-address=192.168.9.1 name=L2TP_IPsec_Profile remote-address=\
dhcp_pool9 use-encryption=yes
/routing bgp instance
set default as=101 router-id=1.1.1.1
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
mac-address=00:00:00:00:00:00 signal-range=-70..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
mac-address=00:00:00:00:00:00 signal-range=-120..-71 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1
/interface l2tp-server server
set default-profile=L2TP_Profile enabled=yes ipsec-secret=xxx \
use-ipsec=yes
/ip address
add address=192.168.0.1/30 interface=sfp-sfpplus1 network=192.168.0.0
add address=192.168.5.254/24 interface=cap1 network=192.168.5.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.254
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.254
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.254
/ip firewall address-list
add address=192.168.1.1-192.168.1.254 list=allowed_to_router
add address=192.168.3.1-192.168.3.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
/ip firewall filter
add action=accept chain=input comment="Accept L2TP VPN" dst-port=\
1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Accept HTTP" dst-port=80 in-interface=\
ether1 protocol=tcp
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=cap1 log=yes log-prefix=!public_from_LAN \
out-interface=!cap1
add action=drop chain=forward comment=\
"Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
protocol=icmp
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=cap1 log=yes \
log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=cap1 log=yes \
log-prefix=LAN_!LAN src-address=!192.168.3.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.1 to-ports=80
/ppp secret
add name=xxx password=xxx profile=L2TP_IPsec_Profile service=l2tp

/routing bgp network
add network=192.168.5.0/24
/routing bgp peer
add default-originate=always name="peer to Core Switch" remote-address=\
192.168.0.2 remote-as=102
/system clock
set time-zone-name=Asia/Macau
/system identity
set name=Router
/system ntp client
set enabled=yes primary-ntp=207.148.72.47 secondary-ntp=162.159.200.123
/system scheduler
add comment="Update Dynu DDNS" interval=1m name=ddns_scheduler on-event=\
"/system script run Dynu\r\
\n" policy=read,write,test start-time=startup
/system script
add dont-require-permissions=no name=Dynu owner=admin policy=read,write,test \
source=":global ddnsuser \"xxx\"\r\
\n:global ddnspass \"xxx\"\r\
\n:global theinterface \"ether1\"\r\
\n:global ddnshost \"xxx.ddnsfree.com\"\r\
\n:global ipddns [:resolve \$ddnshost];\r\
\n:global ipfresh [ /ip address get [/ip address find interface=\$theinter\
face ] address ]\r\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
\n:log info (\"dynu: No ip address on \$theinterface .\")\r\
\n} else={\r\
\n:for i from=( [:len \$ipfresh] - 1) to=0 do={\r\
\n:if ( [:pick \$ipfresh \$i] = \"/\") do={\r\
\n:set ipfresh [:pick \$ipfresh 0 \$i];\r\
\n}\r\
\n}\r\
\n:if (\$ipddns != \$ipfresh) do={\r\
\n:log info (\"dynu: IP-dynu = \$ipddns\")\r\
\n:log info (\"dynu: IP-Fresh = \$ipfresh\")\r\
\n:log info \"dynu: Update IP needed, Sending UPDATE...!\"\r\
\n:global str \"/nic/update\?hostname=\$ddnshost&myip=\$ipfresh\"\r\
\n/tool fetch address=api.dynu.com src-path=\$str mode=http user=\$ddnsuse\
r password=\$ddnspass dst-path=(\"/Dynu.\".\$ddnshost)\r\
\n:delay 1\r\
\n:global str [/file find name=\"Dynu.\$ddnshost\"];\r\
\n/file remove \$str\r\
\n:global ipddns \$ipfresh\r\
\n:log info \"dynu: IP updated to \$ipfresh!\"\r\
\n} else={\r\
\n:log info \"dynu: dont need changes\";\r\
\n}\r\
\n}"
/tool romon
set enabled=yes secrets="xxx"