
L2TP on Mikrotik: configuration. Mikrotik equipment

More and more companies are trying to join their offices and branches into a single information network, so this topic is quite relevant. It is also often necessary to give employees access to the network from anywhere in the world. This article explains how to join networks properly, using the configuration of L2TP as the example. Mikrotik, whose configuration is described below, is considered a good option for both home and office use. With the hAP lite, remote access for each employee can be set up with little effort. The router's performance is enough for small offices where the company's requirements are not too high.

Quite often an office and its branches are on one local network. They use the same provider, so connecting them is fairly simple. Often, however, the branches are located far from the main office and from each other. The most in-demand technology for this at the moment is the Virtual Private Network (VPN). It can be implemented in many ways. PPTP is not recommended, because the technology is obsolete, and neither is OpenVPN, because it cannot interoperate with all devices.

L2TP protocol

Thanks to its relative availability, the L2TP protocol, whose configuration on Mikrotik is described later, runs on many operating systems. It is considered the best known. Problems with it can arise only when the client is behind NAT. In that case, security mechanisms will block its packets. There are ways to fix this problem. The protocol also has its drawbacks.

Security and performance, for example, can be counted among them. When IPSec is used to improve security, performance drops. That is the price of data security.

Server Tuning

The main server must have a static IP address, for example 192.168.106.246. This is important, because the address must never change. Otherwise, the owner and other users will have to use a DNS name and take unnecessary extra steps.

Creating profiles

To create a profile, go to the PPP section and open the "Profiles" menu. Create the profile that will be applied to the VPN connections, that is, to the single network. Enable the following options: "Change TCP MSS", "Use compression", "Apply encryption". The last parameter keeps its default value. L2TP and server setup on the Mikrotik router are fairly complex, so follow each step carefully.

Next, go to the "Interface" tab and open the L2TP server. In the dialog that appears, click the "Enable" button. The profile is selected by default, since it is the only one and was created a moment ago. You can change the authentication type if you wish, but if you are not sure what it does, it is better to leave the standard value. The IPsec option should remain inactive.

After that, go to "Secrets" and create a network user. In the "Server" column, specify L2TP. If desired, the Mikrotik profile to be used is also specified here. The L2TP server configuration is now almost complete. The local and remote addresses should be the same except for the last two digits: 10.50.0.10 and 10.50.0.11, respectively. Create additional users if necessary. The local address stays unchanged, while the remote address is incremented by one.

Configuring the Firewall

To work with the unified network, you need to open a UDP port. Raise the priority of the rule by moving it to a higher position. This is the only way to achieve good L2TP performance. Mikrotik setup is not easy, but it is achievable with some effort. Next, go to NAT and add a masquerade rule. This is done so that computers can see each other within the same network.

Adding a route

The settings above created a remote subnet, and it needs a route. The destination subnet must be 192.168.2.0/24. The gateway is the client's address within the network itself. The target scope should be one. This completes the server settings; only the client remains to be configured.
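The server-side steps above (profile, L2TP server, secret, firewall, NAT, route), written as RouterOS v6 terminal commands. This is an added example, not part of the original article. The profile name, user name, password placeholder, rule comments and the `all-ppp` out-interface are assumptions; UDP 1701 is the standard L2TP port, which the article does not name.

```routeros
# Added example (RouterOS v6 CLI, server side). Addresses come from the article;
# l2tp-site, client1 and the password are ASSUMED placeholders.

# 1. PPP profile for the VPN connections: TCP MSS change and compression on,
#    encryption left at its default value.
/ppp profile add name=l2tp-site change-tcp-mss=yes use-compression=yes \
    use-encryption=default

# 2. Enable the L2TP server with that profile. Authentication stays at the
#    standard value and IPsec stays off at this stage, as in the article.
/interface l2tp-server server set enabled=yes default-profile=l2tp-site \
    use-ipsec=no

# 3. One secret per client. The local address is fixed; the next client
#    would get remote-address=10.50.0.12.
/ppp secret add name=client1 password="REPLACE-WITH-LONG-RANDOM-SECRET" \
    service=l2tp profile=l2tp-site local-address=10.50.0.10 \
    remote-address=10.50.0.11

# 4. Accept L2TP control and data traffic (UDP 1701) on the router itself.
#    The rule must sit above any drop rule in chain=input: after
#    "/ip firewall filter print", reorder with "move <number> <destination>".
/ip firewall filter add chain=input protocol=udp dst-port=1701 \
    action=accept comment="allow L2TP"

# 5. Masquerade traffic leaving through the tunnel. all-ppp is an ASSUMED
#    choice; the article only says to add a masquerade rule.
/ip firewall nat add chain=srcnat out-interface=all-ppp action=masquerade \
    comment="masquerade into VPN"

# 6. Route to the remote subnet through the client's tunnel address.
#    The article also sets the route's target scope to one in the GUI;
#    this example keeps the RouterOS default.
/ip route add dst-address=192.168.2.0/24 gateway=10.50.0.11 \
    comment="client1 LAN"

# Check: the session shows up here once the client connects.
/ppp active print
```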

Configuring the client

As you continue configuring L2TP on Mikrotik, the client configuration needs a lot of attention. Go to the "Interface" section and create a new client of the L2TP type. Specify the server address and the credentials. Encryption remains selected by default; clear the checkbox next to the default route option. If everything is done correctly, the L2TP connection should appear after saving. Mikrotik, whose configuration is almost complete, is an excellent option for working with VPN.

Now check that the nodes in the created network are reachable by pinging 192.168.1.1. There should be no connection at this point, which is why a new static route has to be created. Its destination is the subnet 192.168.1.0/24, and the gateway is the address of the virtual network server. In "Source", specify the address of the user network. After testing the nodes with ping again, you can see that the connection has appeared. However, computers in the network should not see it yet. For them to connect, you need to create a masquerade rule. It should be completely similar to the one already created on the server. The output interface is the VPN connection. If ping succeeds, everything should work. The tunnel is created, and computers can connect and work in the network. With a good tariff package, it is easy to get a speed of more than 50 Mbps. That figure can only be achieved if IPSec is not used with L2TP on Mikrotik.

This completes the standard network setup. If a new user is added, add another route on that user's device. The devices will then see each other. If you create a route between Client1 and Client2, you do not need to change any settings on the server. You can simply create the routes and set the gateway to the network address of the other side.
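The client-side steps described above, written as RouterOS v6 terminal commands. This is an added example, not part of the original article. The interface name, user name, password placeholder and rule comments are assumptions; the addresses are the ones the article uses.

```routeros
# Added example (RouterOS v6 CLI, client side). l2tp-to-office, client1 and
# the password are ASSUMED placeholders; they must match the server's secret.

# 1. L2TP client towards the server's static address. The default profile
#    (default-encryption) is kept, and no default route is added, so only
#    traffic for the remote subnet enters the tunnel.
/interface l2tp-client add name=l2tp-to-office connect-to=192.168.106.246 \
    user=client1 password="REPLACE-WITH-LONG-RANDOM-SECRET" \
    add-default-route=no disabled=no

# 2. Confirm the session is up; the client should hold 10.50.0.11.
/interface l2tp-client print
/ip address print where interface=l2tp-to-office

# 3. Before the route exists, this ping gets no reply.
/ping 192.168.1.1 count=4

# 4. Static route to the server-side subnet through the server's tunnel
#    address. The article also fills in the "Source" field of the route;
#    it is left unset here because the exact value is not given.
/ip route add dst-address=192.168.1.0/24 gateway=10.50.0.10 \
    comment="office LAN via L2TP"

# 5. The router itself can now reach the office LAN.
/ping 192.168.1.1 count=4

# 6. Masquerade LAN hosts leaving through the tunnel, mirroring the rule
#    created on the server, so that computers behind this router connect too.
/ip firewall nat add chain=srcnat out-interface=l2tp-to-office \
    action=masquerade comment="masquerade into VPN"
```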

Configuring L2TP and IPSec in Mikrotik

If security matters, you should use IPSec. There is no need to create a new network for this; the existing one can be used. Note that IPSec must be set up between the 10.50.0.x addresses. That lets it work regardless of the client's address.

If you want to create an IPSec tunnel on Mikrotik between the server and the client's WAN side, make sure the client has an external address. If that address is dynamic, you will have to update the IPSec policy with scripts. If IPSec is used between external addresses, the need for L2TP is, in general, reduced to a minimum.

Performance Check

Be sure to check performance once the settings are complete. With L2TP/IPSec there is double encapsulation, which puts a heavy load on the CPU. When creating such a network, you will often see that the connection speed is slow. You can increase it by creating about 10 threads, at which point the processor will be loaded to almost 100%. This is the main drawback of L2TP/IPSec on Mikrotik: it guarantees maximum security at the expense of performance.

To get good speed, you need to purchase high-end equipment. You can also use a router based on a computer and RouterOS. If it has a hardware encryption unit, performance improves significantly. Unfortunately, cheap Mikrotik equipment will not give such a result.
