====== Configure an L2TP + IPsec server on RouterOS ======

Sources:
  * https://jcutrer.com/howto/networking/mikrotik/l2tp-over-ipsec-troubleshooting
  * https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Application_Examples

Here are the steps to verify and troubleshoot remote VPN connections to a MikroTik router using L2TP over IPsec.

  * Ensure that the proper firewall ports are open
  * Verify that the L2TP server is enabled
  * Verify that the IPsec secret matches on the router and the client
  * Verify that a compatible IPsec proposal is configured
  * Verify that the PPP profile and IP pool are configured
  * Make sure the PPP username/password matches

----

**Firewall**

<code>
/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp \
    comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp \
    comment="allow L2TP VPN (500,4500,1701/udp)"
</code>

**Is your L2TP server enabled? Verify the IPsec secret (pre-shared key)**

  - In Winbox, click ''PPP > Interfaces > L2TP Server''
  - [x] Enabled should be checked
  - Use IPsec: yes
  - Set IPsec Secret: your-ipsec-psk

**Verify the IPsec proposal**

  - In Winbox, click ''IP > IPsec > Proposals''
  - Double-click ''default''
  - Auth. Algorithms: [x] sha1
  - Encr. Algorithms: [x] aes-192-cbc, [x] aes-256-cbc

**Verify the PPP profile & IP pool**

  - In Winbox, click ''PPP > Profiles''
  - In the ''default'' profile, set a Local Address
  - Specify the VPN IP pool as the Remote Address
  - If an IP pool still needs to be created, go to ''IP > Pool''

**Verify PPP credentials**

  - VPN user accounts are defined in RouterOS as PPP secrets.
  - ''PPP > Secrets''

**Enable ''proxy-arp'' to allow ping**

  - At this point (once the L2TP client is successfully connected), if you try to ping any workstation from the laptop, the ping will time out, because the laptop is unable to get ARP replies from the workstations. The solution is to enable ''proxy-arp'' on the local interface.
  - ''Interfaces > bridge > General > ARP > proxy-arp''
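The Winbox steps above collected into one RouterOS terminal script, as an added example that is not from the original page or the linked sources. The WAN interface ''ether1'', the bridge name ''bridge'', the pool ''vpn-pool'' with its 192.168.89.x range, the local address 192.168.89.1 and the user ''vpnuser'' are assumptions; the PSK and password are placeholders to replace.

```routeros
# Added example, not from the original page. Constructed values:
# ether1 = WAN interface, bridge = LAN bridge, 192.168.89.0/24 = VPN pool subnet.

# 1. Firewall: accept IKE (500), NAT-T (4500), L2TP (1701) and ESP on the WAN
#    interface. Keep these rules above any drop rule in the input chain.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,1701,4500 \
    action=accept comment="allow L2TP VPN (500,4500,1701/udp)"
add chain=input in-interface=ether1 protocol=ipsec-esp \
    action=accept comment="allow L2TP VPN (ipsec-esp)"

# 2. IP pool handed out to VPN clients (constructed range).
/ip pool
add name=vpn-pool ranges=192.168.89.10-192.168.89.50

# 3. PPP profile: router-side address plus the pool used for clients.
/ppp profile
set [ find name=default ] local-address=192.168.89.1 remote-address=vpn-pool

# 4. PPP secret = the VPN user account (placeholder credentials).
/ppp secret
add name=vpnuser password=CHANGE-ME service=l2tp profile=default

# 5. L2TP server with IPsec enforced and the pre-shared key set.
/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret=your-ipsec-psk default-profile=default

# 6. IPsec proposal as on the page: sha1 auth, AES-CBC 192/256.
#    sha1 is kept for client compatibility; add sha256 once every client supports it.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc

# 7. proxy-arp on the LAN bridge so connected VPN clients can reach LAN hosts.
/interface bridge
set [ find name=bridge ] arp=proxy-arp
```

Paste it into a terminal session (''New Terminal'' in Winbox or SSH), then confirm with ''/ip firewall filter print'' that the two accept rules sit above the input-chain drop rule.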