/ppp profile add name=ipsec_vpn local-address=192.168.11.1 dns-server=DNS1,DNS2
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2
/ip ipsec policy set [ find default=yes ] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="STRONGSECRET1" peer=l2tpserver
/ip ipsec proposal set default auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1024
/ppp secret add name="USER" password="STRONGSECRET2" service=l2tp profile=ipsec_vpn remote-address=192.168.11.2
/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
/ip firewall filter add chain=input action=accept protocol=ipsec-esp
The 192.168.11.x IP addresses are an arbitrary, NOT-in-use IP address range reserved for the VPN. Remember to add an appropriate route on the connecting client so it can reach the 'real/normal' internal LAN, with the gateway being the local-address specified above (in the above case, 192.168.11.1). N.B. Windows L2TP VPNs use the VPN as the default gateway, so the extra routing is NOT required. Each /ppp secret (user login) needs a unique IP address in the same range.
Move the two firewall filter rules to the top (first) of the firewall rule list: list the rules with /ip firewall filter print all, then reorder with /ip firewall filter move from_number to_number.
DNS1,DNS2 are the DNS servers used on the normal LAN - I normally include any LAN server running a DNS server and the gateway router itself. Separate IP addresses with a comma. You can have just one.
STRONGSECRET1 is typically a nice long password.
STRONGSECRET2 is typically something an end user might know or remember (but not necessarily).
Remember these DO show up in any 'export'ed configuration file.
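Because the pre-shared key and user passwords are written in clear to an /export file, here is an added audit script (my example, not part of the original post) that scans an exported configuration for plaintext password=/secret= values and for the weaker proposal options used above (3des, sha1, modp1024). The sample export text is constructed from the commands in this post, and the sets of algorithms flagged as weak are my own assumption.

```python
import re

# Constructed sample in the shape of RouterOS "/export" output (section
# header lines followed by add/set lines), built from the commands above.
SAMPLE_EXPORT = """\
/ppp profile
add name=ipsec_vpn local-address=192.168.11.1 dns-server=DNS1,DNS2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1024
/ip ipsec identity
add auth-method=pre-shared-key generate-policy=port-override peer=l2tpserver secret="STRONGSECRET1"
/ppp secret
add name=USER password="STRONGSECRET2" profile=ipsec_vpn remote-address=192.168.11.2 service=l2tp
"""

# Assumed "weak" sets: legacy/deprecated IPsec proposal options worth flagging.
WEAK_ENC = {"3des", "des", "blowfish", "null"}
WEAK_AUTH = {"md5", "sha1", "null"}
WEAK_PFS = {"modp768", "modp1024", "none"}

def parse_export(text):
    """Yield (section, line) pairs; section is the last '/...' header seen."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line          # e.g. "/ip ipsec proposal"
        else:
            yield section, line     # e.g. "add ..." or "set ..."

def audit_export(text):
    """Return findings: plaintext credentials and weak IPsec proposal settings."""
    findings = []
    for section, line in parse_export(text):
        # Any password=/secret= value is stored in clear in the export file.
        for key in ("password", "secret"):
            if re.search(rf"\b{key}=", line):
                findings.append(f"{section}: plaintext {key}= present ({line.split()[0]} line)")
        if section == "/ip ipsec proposal":
            for key, weak in (("enc-algorithms", WEAK_ENC), ("auth-algorithms", WEAK_AUTH), ("pfs-group", WEAK_PFS)):
                m = re.search(rf"{key}=(\S+)", line)
                if m:
                    bad = sorted(set(m.group(1).split(",")) & weak)
                    if bad:
                        findings.append(f"{section}: weak {key} {','.join(bad)}")
    return findings

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real /export (with the file read in place of SAMPLE_EXPORT) before sharing or archiving the backup.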