How to Set Up L2TP/IPSec on MikroTik Routers with VPNUK

Setting up an L2TP/IPSec connection on a MikroTik router

This guide will walk you through configuring an L2TP/IPSec VPN connection on a MikroTik router using VPNUK’s secure VPN service. L2TP/IPSec provides a balance of security, speed, and compatibility, making it a great VPN choice for secure encrypted access across multiple devices.

1. Configure L2TP Client on MikroTik

  1. Log in to your MikroTik router via WinBox or SSH.
  2. Navigate to PPP > Interface.
  3. Click Add (+) > L2TP Client.
  4. Configure the following settings:
    • Name: VPNUK-L2TP
    • Connect To: (Enter the VPNUK server address)
    • User: (Enter your VPNUK username)
    • Password: (Enter your VPNUK password)
    • Profile: default-encryption
    • Allow: mschap2
  5. Click OK to save.

2. Configure IPSec for L2TP VPN

  1. Navigate to IP > IPSec, click on the Proposals tab and select default.
  2. Set the following:
    • Auth Algorithms: sha1
    • Enc. Algorithms: aes-256
    • PFS Group: modp1024
  3. Click OK.
  4. Go to IP > IPSec > Peers and click Add (+).
  5. Set the following:
    • Address: (Enter VPNUK L2TP server address)
    • Exchange Mode: main
    • Secret: (Enter your IPSec Pre-Shared Key (PSK) from VPNUK)
    • My ID: auto
  6. Click OK.

3. Configure Firewall & NAT Rules

  1. Navigate to IP > Firewall > NAT.
  2. Click Add (+) and set the following:
    • Chain: srcnat
    • Out Interface: l2tp-out1
    • Action: masquerade
  3. Click OK.

4. Configure Routing for L2TP/IPSec

  1. Navigate to IP > Routes.
  2. Click Add (+).
  3. Set the following:
    • Dst. Address: 0.0.0.0/0
    • Gateway: l2tp-out1
  4. Click OK.

5. Enable and Test the Connection

  1. Go to PPP > Interface.
  2. Select VPNUK-L2TP and click Enable.
  3. Navigate to Log to check the connection status.

To verify your VPNUK connection is working, check your VPNUK IP address at: https://www.ipaddress.com/

Enjoy Secure VPN Access with VPNUK & L2TP/IPSec on MikroTik Routers!

Optional L2TP/IPSec Settings for MikroTik Routers

Option 1. Enable Auto-Connect on Startup

  1. Log in to MikroTik via WinBox or SSH.
  2. Navigate to System > Scheduler.
  3. Click Add (+).
  4. Enter the following:
    • Name: L2TP-AutoConnect
    • Start Date: (Leave default)
    • Start Time: 00:00:00
    • Interval: 00:05:00 (Runs every 5 minutes, adjust if needed)
  5. In the On Event box, enter the following script:
    :if ([/interface l2tp-client get [find name="VPNUK-L2TP"] running] = false) do={ /interface enable VPNUK-L2TP }
  6. Click OK to save.

This ensures that your VPN connection will automatically reconnect if it drops due to network issues or a router reboot.

Option 2. Selective Routing (Policy-Based Routing for Specific Devices)

By default, all devices connected to the MikroTik router will use the VPN tunnel. If you want only specific devices to use VPNUK L2TP/IPSec, follow these steps:

Step 1: Create a Separate Routing Table for the VPN

  1. Go to IP > Routes.
  2. Click Add (+).
  3. Enter the following:
    • Dst. Address: 0.0.0.0/0
    • Gateway: l2tp-out1
    • Routing Table: VPN
  4. Click OK.

Step 2: Assign Specific Devices to the VPN

  1. Go to IP > Firewall > Mangle.
  2. Click Add (+) and enter:
    • Chain: prerouting
    • Src. Address: (Enter the IP of the device you want to route through VPN, e.g., 192.168.1.100)
    • Action: mark-routing
    • New Routing Mark: VPN
  3. Click OK.

Now, only selected devices will route through the VPN, while all others remain on the regular internet connection.

Option 3. Kill Switch (Block Traffic If VPN Disconnects)

A kill switch ensures that if the VPN disconnects, internet access is blocked, preventing IP and data leaks.

  1. Navigate to IP > Firewall > Filter Rules.
  2. Click Add (+) and enter:
    • Chain: forward
    • Out Interface: l2tp-out1
    • Action: accept
  3. Click OK.
  4. Create a second rule:
    • Chain: forward
    • Out Interface: WAN (or your default internet connection)
    • Action: drop
  5. Click OK.

If the VPN disconnects, internet access will be blocked, ensuring that your data remains private.
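
The two kill-switch rules can be checked offline against an exported configuration. The script below is an added example, not VPNUK's or MikroTik's code: it parses constructed `/ip firewall filter` export lines and applies first-match evaluation to forwarded traffic with the tunnel up and down. The WAN interface name ether1, the fallback to a WAN default route and all function names are assumptions.

```python
import shlex

# Constructed `/ip firewall filter` export holding the two kill-switch rules;
# "ether1" stands in for the WAN interface (assumption, not from the guide).
EXPORT = """\
/ip firewall filter
add action=accept chain=forward out-interface=l2tp-out1
add action=drop chain=forward out-interface=ether1
"""

NOT_MATCHERS = {"chain", "action", "disabled", "comment"}

def parse_filter_rules(export_text):
    """Return the filter rules, in order, as dicts of property -> value."""
    rules, in_filter = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            rules.append(dict(pairs))
    return rules

def verdict(rules, packet, chain="forward"):
    """First matching enabled rule decides; an unmatched packet is accepted.
    Only simple equality matchers are modelled (no jump, no negation)."""
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        if rule.get("action") in ("log", "passthrough"):
            continue  # non-terminating actions: evaluation moves on
        matchers = {k: v for k, v in rule.items() if k not in NOT_MATCHERS}
        if all(packet.get(k) == v for k, v in matchers.items()):
            return rule.get("action", "accept")
    return "accept"

def forwarded(rules, vpn_up, wan="ether1", vpn="l2tp-out1"):
    """Verdict for LAN traffic, which leaves through the tunnel while it is
    up and falls back to the WAN default route once it is down."""
    return verdict(rules, {"out-interface": vpn if vpn_up else wan})

if __name__ == "__main__":
    rules = parse_filter_rules(EXPORT)
    print("tunnel up:   ", forwarded(rules, vpn_up=True))    # accept
    print("tunnel down: ", forwarded(rules, vpn_up=False))   # drop
    # With the drop rule missing, the fallback path is accepted: a leak.
    print("no drop rule:", forwarded(rules[:1], vpn_up=False))  # accept
```

The drop rule matches every forwarded packet leaving through the WAN interface, so it also applies to devices that Option 2 leaves on the regular connection.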

Troubleshooting Common Issues

Cannot connect to VPNUK servers?

  • Ensure your L2TP server address and credentials are correct.
  • Restart your MikroTik router and try again.
  • Check if your ISP is blocking L2TP/IPSec traffic.

VPN is connected, but no internet?

  • Ensure Firewall NAT masquerade is enabled.
  • Check IP Routes to confirm l2tp-out1 is the default gateway.

Final Thoughts & Security Notes

  • L2TP/IPSec on MikroTik offers strong encryption and broad compatibility, ensuring a secure and private internet connection.
  • VPNUK’s L2TP/IPSec servers provide encrypted access, making it a great choice for privacy-conscious users.
  • MikroTik’s advanced RouterOS features allow for further customisation if needed.