MikroTik L2TP Server Setup
Sometimes you need to explicitly define the IPsec peer.
/ip ipsec peer add address=0.0.0.0/0 secret=YourStrongPreSharedKey generate-policy=port-override exchange-mode=main-l2tp send-initial-contact=yes
Then set the IPsec proposal:
Then set the IPsec proposal. Dynamically generated L2TP policies use the default proposal, so adjust that one rather than creating a separate proposal nothing references:
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc auth-algorithms=sha256 pfs-group=modp1024
The phase 1 algorithms are set on the profile, which has no proposal parameter:
/ip ipsec profile set [ find default=yes ] enc-algorithm=aes-256,aes-128 hash-algorithm=sha256
For RouterOS v7 the IPsec configuration syntax differs slightly, but the above works in v6 and v7 with minor adjustments: from v6.43 onward (and in v7) the pre-shared secret and auth-method are set on an /ip ipsec identity entry that references the peer, not on the peer itself.
While enabling use-ipsec=yes on the L2TP server auto-generates IPsec policies, you may want to explicitly define the peer for logging or custom settings.
CLI:
/ip ipsec peer add name=l2tp-peers \
address=0.0.0.0/0 \
port=500 \
auth-method=pre-shared-key \
secret=YourSharedSecretKey123 \
generate-policy=port-strict \
exchange-mode=main-l2tp \
send-initial-contact=yes
Note: exchange-mode=main-l2tp is specific to L2TP/IPsec and ensures compatibility with L2TP/IPsec clients. generate-policy=port-strict automatically creates the transport-mode policies for UDP 1701 (L2TP).
If you skip this step, the server still works, but with the peer and policies RouterOS generates dynamically when use-ipsec=yes is set.
Ensure the accept rules for the VPN traffic are placed above any action=drop rules on the input chain.
Check rule order:
/ip firewall filter print
If your default policy is drop, you must also allow established/related traffic:
/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow established/related"
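The complete input-chain rule set for an L2TP/IPsec server, in the order it must appear, as an added example (not from the original page). The interface name ether1-wan is a placeholder; the ipsec-policy=in,ipsec matcher limits UDP 1701 to packets that arrived inside an IPsec tunnel, so bare L2TP is never exposed.

```routeros
# Added example: input chain for an L2TP/IPsec server.
# "ether1-wan" is a placeholder; replace it with your WAN interface.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow established/related"
add chain=input connection-state=invalid action=drop comment="Drop invalid"
add chain=input protocol=udp dst-port=500,4500 in-interface=ether1-wan action=accept comment="IKE and NAT-T"
add chain=input protocol=ipsec-esp in-interface=ether1-wan action=accept comment="ESP"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP only inside IPsec"
add chain=input in-interface=ether1-wan action=drop comment="Drop everything else from WAN"
# Verify the order: the WAN drop rule must be the last one
/ip firewall filter print
```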
