Page tree


Layer Two Tunneling Protocol "L2TP" extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched network.  L2TP includes PPP authentication and accounting for each L2TP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally. L2TP traffic uses UDP protocol for both control and data packets. UDP port 1701 is used only for link establishment, further traffic is using any available UDP port (which may or may not be 1701). This means that L2TP can be used with most firewalls and routers (even with NAT) by enabling UDP traffic to be routed through the firewall or router.  L2TP standard is defined in RFC 2661.


It may be useful to use L2TP just as any other tunneling protocol with or without encryption. The L2TP standard says that the most secure way to encrypt data is using L2TP over IPsec (Note that it is the default mode for Microsoft L2TP client) as all L2TP control and data packets for a particular tunnel appear as homogeneous UDP/IP data packets to the IPsec system. 

Multilink PPP (MP) is supported in order to provide MRRU (the ability to transmit full-sized 1500 and larger packets) and bridging over PPP links (using Bridge Control Protocol (BCP) that allows sending raw Ethernet frames over PPP links). This way it is possible to setup bridging without EoIP. The bridge should either have an administratively set MAC address or an Ethernet-like interface in it, as PPP links do not have MAC addresses.

L2TP does not provide encryption mechanisms for tunneled traffic. IPsec can be used for additional security layers.

L2TP Server in RouterOS

An interface is created for each tunnel established to the given server. There are two types of interfaces in the L2TP server's configuration

  • Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user;
  • Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name);

Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that use in router configuration (for example, in firewall), so if you need persistent rules for that user, create a static entry for him/her. Otherwise, it is safe to use a dynamic configuration.

in both cases PPP users must be configured properly - static entries do not replace PPP configuration.

Access Concentrator

/interface l2tp-server server

The L2TP server (access concentrator) supports multiple servers for each interface - with differing service names. The access concentrator name and L2TP service name are used by clients to identify the access concentrator to register with. The access concentrator name is the same as the identity of the router displayed before the command prompt. The identity may be set within the /system identity submenu.
To enable the L2TP server:

[admin@MikroTik] > interface l2tp-server server set enabled=yes
[admin@MikroTik] > interface l2tp-server server print 
enabled: yes
max-mtu: 1450
max-mru: 1450
mrru: disabled
authentication: pap,chap,mschap1,mschap2
keepalive-timeout: 30
max-sessions: unlimited
default-profile: default-encryption
use-ipsec: no
caller-id-type: ip-address
one-session-per-host: no
allow-fast-path: no

Quick Example

L2TP Client

L2TP client setup in the RouterOS is very simple.  In the following example, we already have a preconfigured 3 unit setup. We will take a look more detailed on how to set up L2TP client with username "MT-User", password "StrongPass" and server

[admin@MikroTik] > /interface l2tp-client
add connect-to= disabled=no name=MT-User password=StrongPass user=MT-User
[admin@MikroTik] > interface l2tp-client print 
Flags: X - disabled, R - running 
0 R name="MT-User" max-mtu=1450 max-mru=1450 mrru=disabled connect-to= user="MT-User" 
password="StrongPass" profile=default-encryption keepalive-timeout=60 use-ipsec=no ipsec-secret="" 
allow-fast-path=no add-default-route=no dial-on-demand=no allow=pap,chap,mschap1,mschap2

L2TP Server

On the servers side we will enable L2TP-server and create a PPP profile for a particular user:

[admin@MikroTik] > interface l2tp-server server set enabled=yes
[admin@MikroTik] > ppp secret add local-address= name=MT-User password=StrongPass profile=default-encryption remote-address= service=l2tp

  • No labels