Following on from my previous post, here is how to set up the router to run a VPN server, allowing Roadwarriors to connect to the local network and access local resources.
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Basic_L2TP.2FIpSec_setup
I used this link as a guide and:
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Connecting_Remote_Client
For a bit of background, here is how you set it up on Linux,
https://wordpress.com/post/adriangin.wordpress.com/979
You will see parallels.
Debugging
Of course, not everything goes to plan. Set up logging for both the IPsec and L2TP modules under System Logging Rules.
/system logging
add topics=l2tp
add topics=ipsec
Setup VPN IP Address Pool
We want Roadwarriors to have an IP on our local subnet so they can access the same local workstations. It’s like DHCP, but I think the L2TP server handles it.
/ip pool add name=VPN ranges=192.168.88.10-192.168.88.49
PPP Profile Setup
RoadWarriors connect with PPP and their gateway will be assigned to the router (192.168.88.1) and they will receive an IP from the VPN pool.
/ppp profile add local-address=192.168.88.1 name=LocalNetwork remote-address=VPN
IPSec Setup
Create a new policy group.
/ip ipsec policy group add name=Roadwarrior
If you are wanting to connect via Windows 10, I find that these settings work.
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-128,3des
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-128,3des name=windows
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1536
/ip ipsec policy
add dst-address=192.168.88.0/24 group=Roadwarrior src-address=192.168.88.0/24 template=yes
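An added example, not part of the original post: a small Python audit that reads a RouterOS export fragment (a menu line followed by its set/add lines, with backslash-wrapped lines joined) and lists the legacy algorithms each IPsec profile or proposal still offers. The WEAK lists are this example's assumption about what counts as legacy; the sample reuses the commands from this post, laid out as an export would wrap them.

```python
import re

# Assumption (not from the post): algorithms this audit treats as legacy.
WEAK = {"enc": {"des", "3des"}, "dh": {"modp768", "modp1024"},
        "auth": {"md5", "sha1"}}
# RouterOS parameter name -> class of algorithm it selects.
PARAMS = {"enc-algorithm": "enc", "enc-algorithms": "enc",
          "dh-group": "dh", "pfs-group": "dh",
          "auth-algorithms": "auth", "hash-algorithm": "auth"}
MENUS = ("/ip ipsec profile", "/ip ipsec proposal")

# Constructed sample: the post's profile/proposal commands in export layout.
SAMPLE = r"""
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
    aes-256,aes-128,3des
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-128,3des \
    name=windows
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1536
"""

def logical_lines(export):
    """Join lines split with a trailing backslash, as an export wraps them."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", "", export)
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]

def audit(export):
    """Return (menu, item, parameter, value) for every legacy algorithm."""
    findings, menu = [], None
    for line in logical_lines(export):
        if line.startswith("/"):
            # Only the two IPsec menus are audited; other menus are skipped.
            menu = line if line in MENUS else None
            continue
        if menu is None:
            continue
        params = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
        item = params.get("name", "default" if "default" in params else "?")
        for key, kind in PARAMS.items():
            for value in params.get(key, "").split(","):
                if value in WEAK[kind]:
                    findings.append((menu, item, key, value))
    return findings

if __name__ == "__main__":
    for menu, item, key, value in audit(SAMPLE):
        print(f"{menu} [{item}]: {key} offers {value}")
```

Removing a flagged value from a list only helps if every client still has a stronger proposal in common with the router, so check the connection logs (the ipsec topic enabled above) after each change.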
Add the IPSec to the Firewall
Note that we use the INPUT chain as these packets are intended for the router itself. Tutorials often have UDP port 1701 forwarded, but as all the packets are over IPSec not raw L2TP, there is no need.
Allow the ESP protocol as well as the UDP Ports 500 and 4500.
/ip firewall filter
add action=accept chain=input comment="IPSec ESP" in-interface=vlan10 protocol=ipsec-esp
add action=accept chain=input comment="UDP 500, 4500" dst-port=500,4500 protocol=udp src-port=""
Setup the L2TP Server:
/interface l2tp-server server set default-profile=LocalNetwork enabled=yes ipsec-secret=mysecretPassword use-ipsec=required
Add PPP users
/ppp secret add name=UserName password=mysecretpassword profile=LocalNetwork service=l2tp
Add the ARP Proxy so Roadwarrior can access local workstations.
/interface bridge set bridge arp=proxy-arp
There you have it, it really is that simple!