Mikrotik L2TP over IPSec troubleshooting


Troubleshooting a MikroTik VPN configuration can be frustrating if you do not know where to look. This article is specifically about troubleshooting L2TP over IPSec Remote Access VPNs on RouterOS.

Below are RouterOS configuration areas that relate to L2TP over IPSec.


Here are the steps to verify and troubleshoot Remote VPN connections to a MikroTik Router using L2TP over IPSec.

  1. Ensure that the proper firewall ports are open (see the separate article on MikroTik L2TP/IPSec firewall rules)
  2. Verify that the L2TP server is enabled
  3. Verify that the IPSec secret matches on the router and the client
  4. Verify that a compatible IPSec proposal is configured
  5. Verify that the PPP Profile and IP Pool are configured
  6. Make sure the PPP username/password matches

Is your L2TP Server Enabled? Verify IPSec secret (PreShared Key)

  1. In Winbox, click PPP > Interfaces > L2TP Server
  2. [x] Enable should be checked
  3. Use IPSec: yes
  4. Set IPSec Secret: your-ipsec-psk

Verify IPSec proposal

  1. In Winbox, click IP > IPsec > Proposals
  2. Double click default
  3. Auth Algorithms: [x] sha1
  4. Encr. Algorithms: [x] aes-192-cbc, [x] aes-256-cbc

Note: The above proposal is compatible with iOS iPhones / iPads.
If you must support clients on older operating systems (such as Windows XP), a different proposal may be required.

Verify PPP Profile & IP Pool

  1. In Winbox, click PPP > Profiles
  2. Define a Local Address
  3. Specify the VPN IP Pool as the Remote Address
  4. If an IP pool needs to be created, go to IP > Pool

Verify PPP credentials

VPN username accounts are defined in RouterOS as PPP Secrets (PPP > Secrets). The username, password and service (l2tp) must match what the client sends.

Enable IPSec logging

Enable L2TP logging
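As an added example (not from the original post), here is the same checklist, including the logging steps, as RouterOS terminal commands. The pool range, profile name, user, password and PSK are placeholders you would replace with your own values.

```routeros
# Added example, not from the original article. All addresses, names,
# the PSK and the password below are placeholders.

# 5. IP pool handed out to VPN clients, and a PPP profile that uses it
/ip pool add name=vpn-pool ranges=192.168.89.10-192.168.89.100
/ppp profile add name=l2tp-vpn local-address=192.168.89.1 remote-address=vpn-pool

# 2 + 3. L2TP server enabled, IPsec in use, PSK set (must match the client exactly)
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret="your-ipsec-psk" default-profile=l2tp-vpn

# 4. IPsec proposal matching the article (sha1 + aes-192/256-cbc, works with iOS)
/ip ipsec proposal set [find default=yes] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc

# 6. PPP secret = the VPN user account, restricted to the l2tp service
/ppp secret add name=vpnuser password="change-me" service=l2tp profile=l2tp-vpn

# 1. Firewall: IKE (500/udp), NAT-T (4500/udp), L2TP (1701/udp) and ESP on input.
#    Move these above any drop rule in the input chain (/ip firewall filter move).
/ip firewall filter add chain=input protocol=udp dst-port=500,4500,1701 action=accept comment="L2TP/IPsec"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="L2TP/IPsec ESP"

# Logging: IPsec (without per-packet noise) and L2TP topics to the memory log
/system logging add topics=ipsec,!packet action=memory
/system logging add topics=l2tp action=memory

# Verify: server state, IPsec peers and SAs, active PPP sessions, relevant log lines
/interface l2tp-server server print
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ppp active print
/log print where topics~"ipsec" or topics~"l2tp"
```

A PSK mismatch shows up in the ipsec log lines before any PPP session appears, while a bad username or password shows up in the l2tp/ppp lines after the IPsec SAs are installed, so the two `/log print` topics separate the two failure modes.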

IPSec Secret (PSK) Mismatch

If you have IPSec logging enabled and a client is connecting with an incorrect pre-shared key, you will see the following error in your router's log file.

PPP Username/password is incorrect

If you have L2TP logging enabled and a client is connecting with an incorrect username or password, you will see the following errors in your router's log file.

I hope this short guide has helped you troubleshoot and debug MikroTik L2TP/IPSec VPN configurations. If you have questions, leave a comment below and check out my other MikroTik tutorials.

Keywords: remote access vpn, l2tp, ipsec, proposal, logging, debugging, ios vpn, windows vpn, encryption
