
Mikrotik l2tp+ipsec


/interface l2tp-server server

set authentication=mschap2 enabled=yes

/ip pool

add name=vpn-pool ranges=172.16.30.102-172.16.30.253

/ppp profile

add name="L2TP client-to-site" change-tcp-mss=yes local-address=172.16.30.101 remote-address=vpn-pool dns-server=192.168.15.10 wins-server=192.168.15.10

/ppp secret

add name=user-laptop password=user-laptop-password profile="L2TP client-to-site" service=l2tp

/interface ethernet

set ether1-LAN1 arp=proxy-arp

/ip ipsec peer

add address=0.0.0.0/0 comment=client-to-site enc-algorithm=3des,aes-128,aes-256 exchange-mode=main-l2tp generate-policy=port-strict nat-traversal=yes secret=ipsec-password send-initial-contact=no auth-method=pre-shared-key

VPN

Allow all VPN traffic arriving over a PPP-based VPN connection

Keep in mind that some connection types, for example GRE, are not PPP and are therefore not matched by the all-ppp interface list.

/ip firewall filter

add action=accept chain=forward comment="Permit all PPP" in-interface=all-ppp

Allow PPTP connection

/ip firewall filter

add action=accept chain=input dst-port=1723 protocol=tcp comment="Permit PPTP"

add action=accept chain=input protocol=gre comment="Permit GRE"

Allow L2TP connection

/ip firewall filter

add action=accept chain=input dst-port=1701 protocol=udp comment="Permit L2TP"

Allow IPSec connection

/ip firewall filter

add action=accept chain=input port=500,4500 protocol=udp comment="Permit IPSec ports 500 and 4500"

add action=accept chain=input protocol=ipsec-esp comment="Permit IPSec protocol ipsec-esp"

Allow OpenVPN connection

/ip firewall filter

add action=accept chain=input dst-port=1194 protocol=tcp comment="Permit OpenVPN"

Allow SSTP connection

/ip firewall filter

add action=accept chain=input dst-port=443 protocol=tcp comment="Permit SSTP"

Allow GRE connection

/ip firewall filter

add action=accept chain=input protocol=gre comment="Permit GRE"

Allow IPIP connection

/ip firewall filter

add action=accept chain=input protocol=ipip comment="Permit IPIP"

Passing IPSec using Fast Track

Fast Track is an option introduced in RouterOS 6.29. With this option, packets can be passed while bypassing the Linux kernel. As a result, the router's throughput increases significantly.

Enable Fast Track as follows:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related

This allows packets whose connection state is "Established" or "Related" to bypass the Linux kernel and be forwarded straight to their destination. Such packets do not pass through any firewall rules or other packet-processing rules. This is still secure, because the connection itself was already checked by the firewall when it was established.

The drawback is that IPsec connections are also not processed. You can solve this problem as follows.

First, mark the IPsec connections:

/ip firewall mangle

add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec

add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec

Next, change the standard Fast Track rule so that it does not process IPsec packets. The only change from the standard rule is the added connection-mark=!ipsec matcher.

/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related
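To catch the FastTrack/IPsec pitfall described above during a config review, here is an added audit script (not part of the original post or of RouterOS) that parses a RouterOS `/export` listing and reports any fasttrack-connection rule that does not exclude the IPsec connection mark. The embedded export text is a constructed sample mirroring the rules on this page.

```python
"""Audit a RouterOS /export for a fasttrack rule that swallows IPsec traffic."""
import shlex

# Constructed sample export: the mangle marks are present, but the fasttrack
# rule is still the standard one without connection-mark=!ipsec.
SAMPLE_EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Permit all PPP" in-interface=all-ppp
"""


def parse_export(text):
    """Return a list of (menu_path, {key: value}) for every add/set line."""
    menu, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):          # menu path such as /ip firewall filter
            menu = line
            continue
        tokens = shlex.split(line)        # handles comment="Mark IPsec"
        if tokens[0] not in ("add", "set"):
            continue
        attrs = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        rules.append((menu, attrs))
    return rules


def audit_fasttrack(text):
    """Return a list of findings; an empty list means IPsec is excluded from fasttrack."""
    rules = parse_export(text)
    findings = []
    # Connection marks applied to IPsec-policy traffic by the mangle chain.
    marks = {r.get("new-connection-mark") for m, r in rules
             if m == "/ip firewall mangle" and r.get("action") == "mark-connection"
             and "ipsec" in r.get("ipsec-policy", "")}
    if not marks:
        findings.append("no mangle rule marks IPsec connections")
    for menu, r in rules:
        if menu != "/ip firewall filter" or r.get("action") != "fasttrack-connection":
            continue
        excl = r.get("connection-mark", "")
        if not excl.startswith("!") or excl[1:] not in marks:
            findings.append(f"fasttrack rule '{r.get('comment', '')}' does not exclude an IPsec connection-mark")
    return findings
```

Run it against the output of `/export` on the router; a clean result is an empty list.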