The profile defines the bridge between the VPN tunnel and your local network. Go to and click +.

Name: l2tp-profile
Local Address: Your router's LAN IP (e.g., 192.168.88.1)
Remote Address: Select the vpn-pool created in Step 1.
DNS Server: Add your preferred DNS (e.g., 8.8.8.8)

Step 3: Enable the L2TP Server with IPsec
The profile defines how the connection behaves, including DNS settings and local addresses. Go to > Profiles. Click + to add a new profile. General Tab: Name: l2tp-profile.
Click and then OK.
L2TP/IPsec is CPU-intensive due to encryption and encapsulation. On low-end MikroTik (hEX, RB750), expect:
For RouterOS v7, IPsec configuration syntax differs slightly, but the above works in v6 and v7 with minor adjustments.
Set the range (e.g., 192.168.88.10-192.168.88.20).

Step 2: Configure the PPP Profile
Ensure the router accepts incoming VPN traffic. Add these rules to the top of your list:

UDP 500, 4500: For IPsec negotiation.
UDP 1701: For the L2TP tunnel.
IPsec-ESP: To allow encrypted data packets.

Best Practices for 2026
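
The input-chain rules for the VPN ports listed above, written out as an added example (not part of the original guide). It assumes the rules go in the input chain of the router terminating the VPN and are moved to the top of the list afterwards; the comments are illustrative, and the `ipsec-policy` match on the L2TP rule is an added hardening choice.

```routeros
/ip firewall filter

# IKE (UDP 500) and NAT-T (UDP 4500): IPsec negotiation.
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IPsec IKE and NAT-T"

# ESP: the encrypted data packets.
add chain=input action=accept protocol=ipsec-esp comment="IPsec ESP"

# Weak form, shown for comparison only (left commented out):
# accepts L2TP on UDP 1701 from any source, including sessions
# that were never protected by IPsec.
# add chain=input action=accept protocol=udp dst-port=1701

# Hardened form: accept L2TP only when the packet arrived through
# an IPsec policy, so cleartext L2TP from the internet is not accepted
# by this rule and falls through to the later drop rules.
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP inside IPsec only"
```

The hardened L2TP rule only has an effect if a later rule in the input chain drops traffic that was not explicitly accepted.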
Enter a strong pre-shared key (PSK) that clients will use to connect.

Step 4: Create VPN Users (Secrets)
Note: Avoid overlapping with your existing LAN subnet.
Yes, if you need broad compatibility across devices without installing third-party software.
Note for Windows users behind a NAT: If your client computer or your MikroTik server is behind a home router/NAT, Windows may block the connection by default. You may need to add a registry key (AssumeUDPEncapsulationContextOnSendRule set to value 2 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent) to allow IPsec traffic through NAT devices.

Connecting from macOS / iOS
/ip ipsec active-peers print