Configurar L2TP + IPSec server en RouterOS

Sources:

• https://jcutrer.com/howto/networking/mikrotik/l2tp-over-ipsec-troubleshooting
• https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Application_Examples

Here are the steps to verify and troubleshoot Remote VPN connections to a MikroTik Router using L2TP over IPSec.

• Ensure that proper firewall ports are open
• Verify that the L2TP server is enabled
• IPSec secret matches on router and client
• Verify that a compatible IPSec proposal is configured
• Verify that PPP Profile and IP Pool is configured
• Make sure PPP username/password matches

Firewall

add action=accept chain=input in-interface=ether1 protocol=ipsec-esp \
    comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp \
    comment="allow L2TP VPN (500,4500,1701/udp)"

Is your L2TP Server Enabled? Verify IPSec secret (PreShared Key)

1. In Winbox, click PPP > Interfaces > L2TP Server
2. [x] Enable should be checked
3. Use IPSec: yes
4. Set IPSec Secret: your-ipsec-psk

Verify IPSec proposal

1. In Winbox, click IP > IPsec > Proposals
2. Double click default
3. Auth Algorithms: [x] sha1
4. Encr. Algorithms: [x] aes-192-cbc, [x] aes-256-cbc

Verify PPP Profile & IP Pool

1. In Winbox, click PPP > Profiles
2. Default a Local Address
3. Specify VPN IP Pool
4. If a IP pool needs to be create, goto .IP > Pool

Verify PPP credentials

1. VPN username accounts are defined in RouterOS as PPP Secrets.
2. PPP > Secrets

Habilitar proxy-arp para permitir el PING

1. At this point (when L2TP client is successfully connected) if you will try to ping any workstation from the laptop, ping will time out, because Laptop is unable to get ARPs from workstations. Solution is to set up proxy-arp on local interface
2. Interfaces > bridge > General > ARP > proxy-arp