Dec 7 / Greg

Mikrotik L2TP For Remote Windows Client Connections

L2TP, run over IPSec, is a secure tunneling protocol that is well suited to road warriors. It can also be used for MTK to MTK tunnels, but here we are looking at desktop client connections.

L2TP carries the tunneled traffic, and IPSec encryption on top keeps your data secure. This is more secure than PPTP, though it is slightly more difficult to configure; there's always a trade-off.

  1. O! / Dec 7 2012

    Any suggestion for a Linux solution? I’m struggling..

    BTW: The cloud core router is delayed about a week to Norway…
    Still haven’t received it..

  2. Greg / Dec 7 2012

    Just doing a quick search for ubuntu l2tp client turned up this:
    Looks like a clean little gui to do the work for you.

    Or this as just something more general:

  3. Grzegorz / Dec 7 2012

    Hi Greg,

    In RouterOS there is no way to prevent users from connecting to the L2TP server directly and building an L2TP session outside IPSec. The L2TP server is reachable from the WAN side, so it can be attacked easily. For road warriors it is not possible to set firewall rules based on source IP address.

    Regards, Grzegorz.

  4. tom / Dec 9 2012

    We use a lot of L2TP/IPSec setups. The one problem is that there is no way to secure the L2TP server to IPSec clients ONLY, if you have people that connect from different public IPs constantly.

    In firewall, you have to allow access to the L2TP server, but there is no IPSec policy matcher.

    However, nothing a script can't solve, right? Here is my script for securing the L2TP server to IPSec clients only. Maybe this will be useful to someone 🙂

    :local InAL 0
    :local InRP 0
    :local CurrentPeerIP 0

    # Pass 1: every peer with an active IPSec SA gets an entry in L2TP_Allowed
    :foreach i1 in [/ip ipsec remote-peers find] do={
        :set CurrentPeerIP [/ip ipsec remote-peers get $i1 remote-address]
        :foreach i2 in [/ip firewall address-list find list=L2TP_Allowed address=$CurrentPeerIP] do={
            :set InAL 1
        }
        :if ($InAL = 0) do={/ip firewall address-list add list=L2TP_Allowed address=$CurrentPeerIP}
        :set InAL 0
    }

    # Pass 2: entries whose peer no longer has an IPSec SA are removed again
    :foreach i1 in [/ip firewall address-list find list=L2TP_Allowed] do={
        :set CurrentPeerIP [/ip firewall address-list get $i1 address]
        :foreach i2 in [/ip ipsec remote-peers find remote-address=$CurrentPeerIP] do={
            :set InRP 1
        }
        :if ($InRP = 0) do={/ip firewall address-list remove $i1}
        :set InRP 0
    }

    Make sure to secure the L2TP server firewall rule with src-address-list=L2TP_Allowed.
    Schedule the script to run every 2 or 3 seconds, and the L2TP server is secured.
    If allowing established and related connections in the firewall, the L2TP server will be available for as long as the connection is in the conntrack table, watch out for that. (Default UDP stream timeout is 3 minutes.)

    *edit: for some reason ctrl+c, ctrl+v screwed up the formatting in the script, here is a repost 🙂
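The firewall and scheduler side of Tom's approach, as an added example that is not part of the original post or of Tom's comment. It assumes Tom's script has been saved as a RouterOS script named l2tp-allowed-sync (the name is an assumption) and that it maintains the address list L2TP_Allowed as described above. The rules are ordered so that the L2TP accept/drop pair sits above the generic established/related accept; that addresses the conntrack caveat in the comment, because a UDP/1701 flow whose IPSec SA has gone away is dropped on the next packet instead of surviving for the remaining stream timeout.

```routeros
# Added example, not the page's or Tom's own configuration.
# Assumptions: Tom's script is stored as /system script "l2tp-allowed-sync"
# and keeps the address list L2TP_Allowed in sync with /ip ipsec remote-peers.

/ip firewall filter
# IKE and NAT-T must be reachable by everyone: a road warrior has no IPSec SA yet,
# so there is no source address to filter on at this stage.
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"

# L2TP (UDP/1701) only from peers that currently hold an IPSec SA.
# Both rules are placed ABOVE the established/related accept so a conntrack entry
# that outlives the SA (default UDP stream timeout is 3 minutes) does not keep the
# port open to that source.
add chain=input protocol=udp dst-port=1701 src-address-list=L2TP_Allowed action=accept comment="L2TP from IPSec peers only"
add chain=input protocol=udp dst-port=1701 action=drop comment="L2TP without IPSec"

# Generic rules follow; the L2TP drop above already shadows them for UDP/1701.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop

/system scheduler
# Re-run the sync script every 3 seconds so L2TP_Allowed tracks the live SA table.
add name=l2tp-allowed-sync interval=3s on-event=l2tp-allowed-sync
```

Two things to verify after applying this: /ip firewall address-list print should show an L2TP_Allowed entry appear within a few seconds of a client completing IKE, and disappear within a few seconds of the SA being torn down; and a UDP/1701 packet from an address without an SA should hit the drop rule's counter rather than the established/related rule. Later RouterOS 6 releases added an ipsec-policy firewall matcher (ipsec-policy=in,ipsec) that lets the L2TP accept rule match only packets that arrived through an IPSec policy, which removes the need for the script and the address list on those versions.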

  5. Greg / Dec 10 2012

    Your comments bring the legitimacy of this blog WAY up. Thank you sir.

  6. Greg / Dec 10 2012

    See Tom’s script here in the comments 🙂

  7. tom / Dec 10 2012

    Thanks! Although I don't think I deserve that much credit 😀
