According to the MikroTik Wiki, “L2TP is a secure tunnel protocol for transporting IP traffic using PPP. L2TP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links.” On its own, though, L2TP is just another tunneling protocol: the L2TP layer itself encrypts nothing, and MPPE is the same PPP-level encryption that PPTP uses. The secure way to run it is L2TP over IPsec, and that is what this post configures: an L2TP server with an IPsec pre-shared key.
L2TP uses UDP port 1701 only for link establishment; further traffic can use any available UDP port, which may or may not be 1701. With IPsec in front of it, the L2TP packets are carried inside ESP, so what has to reach the router from the internet is IKE on UDP 500, ESP (IP protocol 50) or, for clients behind NAT, NAT-T on UDP 4500, plus UDP 1701 for the L2TP packets after decryption. Make sure the router's input firewall accepts all of these before you start testing.
So today we will see how a remote user can connect to the head office network over an L2TP/IPsec tunnel and obtain an IP address from the head office LAN range, so that the remote user can work from anywhere as if sitting in the office. Unlike PPTP, which is no longer considered secure, L2TP over IPsec gives the tunnel strong encryption and authenticates both ends, which is why many network engineers recommend an L2TP/IPsec server for remote users.
OK, let's look at the diagram to understand our lab scenario.
The remote user must have internet access and be able to reach the office router's public IP (in my case 103.231.X.X).
First, we have to enable the L2TP server.
1. Go to PPP and click the L2TP Server button.
2. Tick Enabled.
3. Tick Use IPsec and enter the IPsec pre-shared key. This one secret is shared by every VPN client, so use a long random string, not a word.
[We will have to supply this pre-shared key, along with each user's own username and password, when we configure the VPN client on the Windows PC.]
Now we will create a user. Users are added from the Secrets tab.
user: test, password: test1 (lab values only; use strong, per-user passwords in production)
Local IP: 192.168.1.1 (the same for all L2TP users; it is the router's end of the PPP link). Remote IP: 192.168.1.241 (must be unique per user). Assigning the address statically is preferable because you then always know which user holds which IP, which also keeps per-user firewall rules and logs meaningful. The alternative is to create an IP pool, reference it from a PPP profile and assign that profile to each user; users then receive the next free address from the pool, so the user-to-IP mapping is not fixed.
The L2TP local address is the IP of the router's LAN interface, and the remote address is taken from the same range as the office LAN, 192.168.1.0/24. That is what lets the VPN client look like a host on the office network.
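The same server-side setup as RouterOS terminal commands, as an added example that is not from the original post. It assumes RouterOS v6 syntax, a LAN interface named bridge-lan, the pool range 192.168.1.200-192.168.1.240 for the pool variant, and placeholder secret values; replace these with your own. It also goes one step beyond the WinBox clicks above by restricting PPP authentication to MS-CHAPv2 and adding the firewall rules the tunnel needs.

```routeros
# Added example: RouterOS v6 terminal equivalent of the WinBox steps above.
# Assumptions (not from the original post): LAN interface "bridge-lan",
# pool range 192.168.1.200-192.168.1.240, and placeholder PSK/password values.

# 1. Enable the L2TP server and require IPsec with a pre-shared key.
#    Limit PPP authentication to MS-CHAPv2 so PAP/CHAP cannot be negotiated.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="ReplaceWithLongRandomPSK" \
    authentication=mschap2 default-profile=default-encryption

# 2a. Static assignment: one secret per user with a fixed remote address.
#     local-address is the router's LAN IP; remote-address must be unique.
/ppp secret
add name=test password=test1 service=l2tp \
    local-address=192.168.1.1 remote-address=192.168.1.241

# 2b. Alternative: hand out addresses from a pool through a profile.
/ip pool
add name=l2tp-pool ranges=192.168.1.200-192.168.1.240
/ppp profile
add name=l2tp-profile local-address=192.168.1.1 remote-address=l2tp-pool \
    use-encryption=required
/ppp secret
add name=test2 password=ReplaceMe service=l2tp profile=l2tp-profile

# 3. Accept the tunnel in the input chain: IKE (500), NAT-T (4500),
#    L2TP (1701, seen after IPsec decryption) and ESP. Put these rules
#    above any generic drop rule on the input chain.
/ip firewall filter
add chain=input protocol=udp dst-port=500,1701,4500 action=accept \
    comment="L2TP/IPsec: IKE, L2TP, NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="L2TP/IPsec: ESP"
```

Paste the block into a terminal session (backslashes continue a command onto the next line). With use-ipsec=required the router creates the IPsec peer and policy for you, so nothing needs to be added under /ip ipsec by hand.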
Now we can test it from a Windows machine.
L2TP Client setup in Windows:
- From Network & Internet settings, go to VPN and add a VPN connection. Set the VPN type to "L2TP/IPsec with pre-shared key", enter the router's public IP as the server address, and use the username and password from the secret (test / test1).
- The pre-shared key field is the extra piece our L2TP server now demands. A client that cannot present the IPsec pre-shared key never gets an IPsec tunnel up, so it never even reaches the username/password check. That is the extra layer of security added by running L2TP over IPsec.
After the VPN connects successfully you may find that the remote user still cannot ping office workstations. The reason is ARP: the VPN client has an address in 192.168.1.0/24, but it sits behind the router's PPP interface, not on the office LAN. When a workstation wants to reply it sends an ARP request for 192.168.1.241 on the LAN segment, nobody answers, and the reply never leaves the workstation. The fix is to set proxy-arp on the router's LAN interface, so the router answers those ARP requests with its own MAC address and forwards the return traffic over the tunnel.
After doing that, you will be able to ping from the remote site.
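The proxy-ARP fix and the checks I would run afterwards, as an added example not taken from the original post. It assumes the office LAN is on a bridge interface named bridge-lan (RouterOS v6 syntax); if your LAN is a plain Ethernet port, the same arp setting exists under /interface ethernet.

```routeros
# Added example: proxy-ARP fix plus verification (RouterOS v6 syntax).
# Assumption not in the original post: LAN interface is the bridge "bridge-lan".

# Make the router answer ARP for the VPN client's 192.168.1.x address with
# its own MAC, so LAN workstations send return traffic to the router.
/interface bridge
set bridge-lan arp=proxy-arp
# Plain Ethernet LAN port instead of a bridge:
# /interface ethernet set ether2 arp=proxy-arp

# Verification once the Windows client has connected:
/ip ipsec active-peers print                       # one established peer per client
/ppp active print                                   # user "test" with address 192.168.1.241
/ip route print where dst-address=192.168.1.241/32  # dynamic /32 route via the client's L2TP interface
```

If the IPsec peer is missing but the client reports a timeout, check the input firewall for UDP 500/4500 and ESP first; if the peer is there but /ppp active is empty, the problem is the PPP username/password or authentication method rather than the pre-shared key.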