Configuring a site-to-site VPN with MikroTik is an easy task that should take only a few minutes; however, some understanding of subnetting and routing is required.

The following layout is what we will be aiming to achieve by the end of this post.

[Figure: site-to-site VPN example]

In this example, client1 has an internal IP range of 10.11.0.0/24 and a WAN IP of 172.24.0.1, and client2 has an internal IP range of 10.12.0.0/24 and a WAN IP of 172.16.0.1. Inside the tunnel, router1 uses 192.168.0.1 and router2 uses 192.168.0.2 as the PPP link addresses; these are the gateways of the static routes added later.

WAN is connected to ether1
LAN is connected to any other interface/bridge

This guide assumes that the internet is working correctly at both locations.

Configuration on Router1

First, log into router1 and configure the L2TP settings. This involves three pieces: the PPP profile used for the connection between the two routers (which also fixes the tunnel addresses), the PPP secret (the username and password router2 will present), and the L2TP server itself.

/ppp profile add name=L2TPClient2 use-encryption=required local-address=192.168.0.1 remote-address=192.168.0.2

An IP pool can also be used for remote-address, but I prefer a profile per client so that each client always receives the same address: the static route to client2's LAN added below points at 192.168.0.2, so router2 must always get that address.

Next, add the username and password that router2 will use when connecting. The secret must reference the profile created above, otherwise the server's default profile is used and the tunnel addresses are not the ones the routes expect:

/ppp secret add name=client2 password=supersecretpassword service=l2tp profile=L2TPClient2

Now enable the L2TP server on the router. The ipsec-secret is the IPsec pre-shared key; with use-ipsec=yes, RouterOS wraps L2TP in IPsec automatically, and this one key is shared by every L2TP/IPsec client of this server, so make it long and random and treat it as a credential in its own right. The per-client profile is selected by the secret, so default-profile only applies to secrets that do not name one; the built-in default-encryption profile is a sensible fallback. caller-id-type=ip-address presents the connecting router's WAN address as the caller ID, which means the secret above can optionally be restricted to router2's address by adding caller-id=172.16.0.1 to it.

/interface l2tp-server server set enabled=yes default-profile=default-encryption use-ipsec=yes ipsec-secret=someothersupersecret caller-id-type=ip-address

Optional step (If you currently have filter rules)

For the tunnel to establish, router1 must accept IKE (500/udp), NAT-T (4500/udp), ESP and L2TP (1701/udp) on its WAN interface. The following rules must be inserted above any drop rules in the input chain; their order among themselves does not matter, their position relative to the drop rules does. Because router2's WAN address is static in this example, each rule can additionally be limited with src-address=172.16.0.1 so that only the peer can reach these services. Note also that traffic between the two LANs crosses the forward chain, so if that chain drops by default you will need accept rules for traffic between 10.11.0.0/24 and 10.12.0.0/24 as well.

/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (1701/udp)" dst-port=1701 in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (4500/udp)" dst-port=4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (500/udp)" dst-port=500 in-interface=ether1 protocol=udp

A static route is required so that devices at client1 can reach devices at client2. The gateway is router2's address inside the tunnel, which the profile above fixed at 192.168.0.2:

/ip route add dst-address=10.12.0.0/24 gateway=192.168.0.2

That concludes the configuration steps for router1.

Configuration on Router2

Router2 needs a PPP profile with the same encryption requirement. It carries no addresses, because router1 assigns them when the session comes up:

/ppp profile add name=L2TPClient2 use-encryption=required

Then add the L2TP client interface. add-default-route=no keeps router2's internet traffic going out through ether1 rather than into the tunnel; the user, password and ipsec-secret must match exactly what was configured on router1:

/interface l2tp-client add name=toclient1 add-default-route=no use-ipsec=yes ipsec-secret=someothersupersecret profile=L2TPClient2 user=client2 password=supersecretpassword connect-to=172.24.0.1

Then add the route so that client2 devices can reach client1 devices. The destination is client1's LAN (10.11.0.0/24), not client2's own, and the gateway is router1's address inside the tunnel:

/ip route add dst-address=10.11.0.0/24 gateway=192.168.0.1

You should now be able to communicate between devices on both LAN segments across the VPN tunnel. A quick check is to ping a host in 10.12.0.0/24 from a host in 10.11.0.0/24 and the other way round; if the tunnel is up but only one direction works, one of the two static routes is wrong.
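The two router configurations above are mirror images of each other, and the two mistakes that most often break the setup are a secret that differs between the ends and a route that points at the wrong LAN. The following Python script is an added example, not part of the original post: it generates both command sets from one description of the two sites, so the secrets and addresses cannot drift apart, and rejects parameter sets that cannot route (overlapping LANs, a tunnel address inside a LAN, both ends using the same tunnel address). The command syntax is the RouterOS syntax used in the post. Two things go beyond the post and assume the peer's WAN address is static: the src-address= restriction on the firewall rules and the caller-id= restriction on the PPP secret. The site names and the secrets in the main block are placeholders.

```python
"""Generate both ends of the L2TP/IPsec site-to-site configuration from the
site parameters and cross-check them before pasting into the routers.

Added example; not part of the original post. The src-address= and caller-id=
restrictions are additions that assume the peer's WAN address is static."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Site:
    name: str       # PPP username for this site, also used in profile names
    lan: str        # LAN prefix behind the router, e.g. "10.11.0.0/24"
    wan_ip: str     # public address on ether1
    tunnel_ip: str  # this router's address on the PPP link inside the tunnel


def validate(server: Site, client: Site) -> None:
    """Reject parameter sets that cannot route: overlapping LANs, both ends
    sharing one tunnel address, or a tunnel address inside either LAN."""
    lans = [ipaddress.ip_network(s.lan, strict=True) for s in (server, client)]
    if lans[0].overlaps(lans[1]):
        raise ValueError("LAN prefixes overlap; the static routes would be ambiguous")
    if server.tunnel_ip == client.tunnel_ip:
        raise ValueError("both ends use the same tunnel address")
    for site in (server, client):
        tip = ipaddress.ip_address(site.tunnel_ip)
        if any(tip in lan for lan in lans):
            raise ValueError(f"{site.name}: tunnel address {tip} lies inside a LAN prefix")


def is_valid(server: Site, client: Site) -> bool:
    try:
        validate(server, client)
    except ValueError:
        return False
    return True


def firewall_rules(peer: Site) -> List[str]:
    """Input-chain accepts for ESP, IKE, NAT-T and L2TP, limited to the peer's
    WAN address (assumption: static peer; drop src-address= for a dynamic one).
    They must be placed above any drop rule in the input chain."""
    base = f"add action=accept chain=input in-interface=ether1 src-address={peer.wan_ip}"
    return [
        f'{base} protocol=ipsec-esp comment="L2TP/IPsec from {peer.name} (esp)"',
        f'{base} protocol=udp dst-port=500 comment="L2TP/IPsec from {peer.name} (ike)"',
        f'{base} protocol=udp dst-port=4500 comment="L2TP/IPsec from {peer.name} (nat-t)"',
        f'{base} protocol=udp dst-port=1701 comment="L2TP/IPsec from {peer.name} (l2tp)"',
    ]


def server_commands(server: Site, client: Site, ppp_password: str, ipsec_psk: str) -> List[str]:
    """Listening side: profile, secret, L2TP server, firewall, and the route
    to the client's LAN via the client's tunnel address."""
    validate(server, client)
    profile = f"L2TP{client.name}"
    return [
        f"/ppp profile add name={profile} use-encryption=required "
        f"local-address={server.tunnel_ip} remote-address={client.tunnel_ip}",
        # The secret selects the per-client profile and is pinned to the client's
        # WAN address, which caller-id-type=ip-address presents as the caller ID.
        f"/ppp secret add name={client.name} password={ppp_password} service=l2tp "
        f"profile={profile} caller-id={client.wan_ip}",
        f"/interface l2tp-server server set enabled=yes default-profile=default-encryption "
        f"use-ipsec=yes ipsec-secret={ipsec_psk} caller-id-type=ip-address",
        "/ip firewall filter",
        *firewall_rules(client),
        f"/ip route add dst-address={client.lan} gateway={client.tunnel_ip}",
    ]


def client_commands(server: Site, client: Site, ppp_password: str, ipsec_psk: str) -> List[str]:
    """Dialling side: profile, L2TP client interface, and the route to the
    server's LAN via the server's tunnel address."""
    validate(server, client)
    profile = f"L2TP{server.name}"
    return [
        f"/ppp profile add name={profile} use-encryption=required",
        f"/interface l2tp-client add name=to{server.name} add-default-route=no use-ipsec=yes "
        f"ipsec-secret={ipsec_psk} profile={profile} user={client.name} "
        f"password={ppp_password} connect-to={server.wan_ip}",
        f"/ip route add dst-address={server.lan} gateway={server.tunnel_ip}",
    ]


if __name__ == "__main__":
    router1 = Site("client1", "10.11.0.0/24", "172.24.0.1", "192.168.0.1")
    router2 = Site("client2", "10.12.0.0/24", "172.16.0.1", "192.168.0.2")
    # Placeholder secrets; generate long random ones for a real deployment.
    ppp_pw, psk = "supersecretpassword", "someothersupersecret"
    print("# router1")
    print("\n".join(server_commands(router1, router2, ppp_pw, psk)))
    print("# router2")
    print("\n".join(client_commands(router1, router2, ppp_pw, psk)))
```

Because the same Site objects feed both command sets, the route on each end is always the other end's LAN via the other end's tunnel address, and the PPP password and IPsec key are written once; the consistency that the post relies on is enforced by construction rather than by careful copying.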

Troubleshooting

When both routers have a working internet connection and can ping each other across the WAN, but the L2TP VPN still does not establish, the cause is usually a shared-secret mismatch or an incorrect username/password combination. Consult the log on router2 (the client side) to determine which; the two excerpts below show how each failure looks. Note that the first pattern, phase 1 being retransmitted without a reply, is also what you see when router1's firewall is dropping 500/udp or 4500/udp, so check the input-chain rules before assuming the secret is wrong.

Example of L2TP shared secret mismatch

l2tp,ppp,info toclient1: initializing… 
l2tp,ppp,info toclient1: connecting… 
ipsec,info initiate new phase 1 (Identity Protection): 10.12.0.1[500]<=>172.24.0.1[500] 
ipsec,info the packet is retransmitted by 172.24.0.1[4500]. 
ipsec,info the packet is retransmitted by 172.24.0.1[4500]. 
l2tp,ppp,info toclient1: terminating… - session closed

Example of username/password mismatch

l2tp,ppp,info toclient1: initializing… 
l2tp,ppp,info toclient1: connecting… 
ipsec,info initiate new phase 1 (Identity Protection): 10.12.0.1[500]<=>172.24.0.1[500] 
ipsec,info ISAKMP-SA established 10.12.0.1[4500]-172.24.0.1[4500] spi:cf478d365cfcf58f:f839e7fe5eec60b2 
l2tp,ppp,info toclient1: terminating… - failed to authenticate ourselves to peer 
l2tp,ppp,info toclient1: disconnected 
l2tp,ppp,info toclient1: initializing… 
l2tp,ppp,info toclient1: connecting… 
l2tp,ppp,info toclient1: terminating… - session closed 
l2tp,ppp,info toclient1: disconnected 
l2tp,ppp,info toclient1: initializing…
l2tp,ppp,info toclient1: connecting… 
l2tp,ppp,info toclient1: terminating… - failed to authenticate ourselves to peer 
l2tp,ppp,info toclient1: disconnected 
l2tp,ppp,info toclient1: initializing… 
l2tp,ppp,info toclient1: connecting… 
l2tp,ppp,info toclient1: terminating… - failed to authenticate ourselves to peer 
l2tp,ppp,info toclient1: disconnected 
ipsec,info ISAKMP-SA deleted 10.12.0.1[4500]-172.24.0.1[4500] spi:cf478d365cfcf58f:f839e7fe5eec60b2 rekey:1
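The two excerpts differ in one decisive line: whether an ISAKMP-SA was ever established. The following Python script is an added example, not part of the original post: it reads RouterOS log lines and turns the patterns above into a verdict, distinguishing a phase 1 that never gets a reply (wrong pre-shared key, or 500/4500 filtered) from an IPsec tunnel that comes up and then has its PPP authentication rejected. The two samples embedded in it are constructed to match the excerpts above, not copied from a real router, and the verdict strings are my own naming.

```python
"""Pick the likely cause of an L2TP/IPsec client failure from its RouterOS log.

Added example; not part of the original post. The patterns are taken from the
two log excerpts in the troubleshooting section; the samples are constructed."""
import re
from typing import Dict, Iterable

# "initiate new phase 1 (Identity Protection): <local>[500]<=><peer>[500]"
PHASE1_RE = re.compile(r"initiate new phase 1 .*?: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")

# Constructed sample: IKE phase 1 never gets a usable reply (wrong PSK, or UDP
# 500/4500 filtered on the server), so the L2TP session is closed.
SAMPLE_PSK_MISMATCH = """\
l2tp,ppp,info toclient1: initializing...
l2tp,ppp,info toclient1: connecting...
ipsec,info initiate new phase 1 (Identity Protection): 10.12.0.1[500]<=>172.24.0.1[500]
ipsec,info the packet is retransmitted by 172.24.0.1[4500].
ipsec,info the packet is retransmitted by 172.24.0.1[4500].
l2tp,ppp,info toclient1: terminating... - session closed
""".splitlines()

# Constructed sample: IPsec comes up, then PPP authentication is rejected three times.
SAMPLE_BAD_CREDENTIALS = """\
l2tp,ppp,info toclient1: initializing...
l2tp,ppp,info toclient1: connecting...
ipsec,info initiate new phase 1 (Identity Protection): 10.12.0.1[500]<=>172.24.0.1[500]
ipsec,info ISAKMP-SA established 10.12.0.1[4500]-172.24.0.1[4500] spi:cf478d365cfcf58f:f839e7fe5eec60b2
l2tp,ppp,info toclient1: terminating... - failed to authenticate ourselves to peer
l2tp,ppp,info toclient1: disconnected
l2tp,ppp,info toclient1: initializing...
l2tp,ppp,info toclient1: connecting...
l2tp,ppp,info toclient1: terminating... - failed to authenticate ourselves to peer
l2tp,ppp,info toclient1: disconnected
l2tp,ppp,info toclient1: initializing...
l2tp,ppp,info toclient1: connecting...
l2tp,ppp,info toclient1: terminating... - failed to authenticate ourselves to peer
l2tp,ppp,info toclient1: disconnected
ipsec,info ISAKMP-SA deleted 10.12.0.1[4500]-172.24.0.1[4500] spi:cf478d365cfcf58f:f839e7fe5eec60b2 rekey:1
""".splitlines()


def classify(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise one client's log lines: the peer it dialled, how many attempts
    were made, and which of the known failure patterns they match."""
    lines = list(lines)
    peer = None
    for line in lines:
        m = PHASE1_RE.search(line)
        if m:
            peer = m.group(2)
            break
    terminated = any("terminating" in l for l in lines)
    sa_up = any("ISAKMP-SA established" in l for l in lines)
    retransmits = sum("the packet is retransmitted by" in l for l in lines)
    auth_failures = sum("failed to authenticate ourselves to peer" in l for l in lines)
    attempts = sum(": initializing" in l for l in lines)

    if not terminated:
        verdict = "no-failure-logged"
        hint = "no terminating line seen; the session may still be connecting or is up"
    elif auth_failures:
        verdict = "ppp-auth-rejected"
        hint = "IPsec is fine; fix the PPP username/password on the client or the secret on the server"
    elif not sa_up and retransmits:
        verdict = "ike-phase1-no-reply"
        hint = "check the IPsec pre-shared key, then that 500/udp and 4500/udp reach the server"
    elif sa_up:
        verdict = "l2tp-failed-after-ipsec"
        hint = "IPsec established but L2TP did not; check the server is enabled and 1701/udp is accepted"
    else:
        verdict, hint = "unknown", "no recognised failure pattern"
    return {"verdict": verdict, "hint": hint, "peer": peer, "attempts": attempts,
            "retransmits": retransmits, "auth_failures": auth_failures}


if __name__ == "__main__":
    for name, sample in (("psk mismatch", SAMPLE_PSK_MISMATCH),
                         ("bad credentials", SAMPLE_BAD_CREDENTIALS)):
        print(name, classify(sample))
```

The ordering of the checks matters: an authentication failure is only reported when the log proves IPsec was not the problem, and the phase 1 verdict is deliberately worded as "no reply" rather than "wrong key", because a filtered 500/udp or 4500/udp produces exactly the same retransmission lines.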