First, we need to configure the router.
Step 1 – Firewall Rules
Before we configure anything related to VPNs, we need to make sure the firewall lets the right packets in. I’ve allowed traffic on UDP ports 500 (IKE), 1701 (L2TP) and 4500 (IKE NAT traversal), plus the two IP protocols IPSec uses: ipsec-esp (50) and ipsec-ah (51). Clients behind NAT carry ESP inside UDP 4500, so the raw ESP/AH rules only matter for clients with a public address. These accept rules must sit above any drop rule in the input chain, or they never match.
/ip firewall filter
add action=accept chain=input comment="Allow L2TP / IPSec VPN access" \
    dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
Step 2 – Configure L2TP
Now we can configure the VPN!
We need to add a profile and then a secret. A profile defines behaviour shared by many connections; individual settings can then be overridden per login in the secret.
Go to PPP > Profiles and add a new profile. All I add here are my internal DNS servers, because I want VPN clients to use my Pi-Hole. Everything else stays at its default.
/ppp profile
add dns-server=192.168.1.19,192.168.130.31 name=l2tp-vpn
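The post describes the router side as three pieces (firewall rules, a PPP profile, a secret) but only shows the first two commands. The following is an added example of the complete router-side configuration, not the author’s own config. It reuses the profile name and DNS servers from the post; the username, password, pre-shared key and interface list name WAN are placeholders to replace. The one change from the rules above is that UDP 1701 is accepted only when the packet arrived inside an IPsec tunnel (the `ipsec-policy=in,ipsec` matcher), so a client cannot negotiate plain L2TP and send PPP credentials in the clear:

```routeros
# Added example, not the post's own config. Placeholders: WAN interface list,
# user "alice", the password and the IPsec pre-shared key.

/ip firewall filter
# IKE and NAT-T. These rules must be placed above any drop rule in the
# input chain (use "move" or place-before= if your chain already has one).
add action=accept chain=input comment="IKE / NAT-T" \
    dst-port=500,4500 in-interface-list=WAN protocol=udp
# L2TP only if it is already protected by IPsec; unencrypted L2TP is dropped
# by whatever drop rule follows.
add action=accept chain=input comment="L2TP, IPsec-protected only" \
    dst-port=1701 in-interface-list=WAN protocol=udp ipsec-policy=in,ipsec
# Raw ESP/AH for clients that are not behind NAT (NAT-T clients use UDP 4500).
add action=accept chain=input comment="IPsec ESP" \
    in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="IPsec AH" \
    in-interface-list=WAN protocol=ipsec-ah

# Profile shared by all L2TP logins: only the DNS servers differ from default.
/ppp profile
add name=l2tp-vpn dns-server=192.168.1.19,192.168.130.31

# One secret per user; service=l2tp stops the login being used for PPTP/SSTP.
/ppp secret
add name=alice password="CHANGE-ME-long-random-password" \
    profile=l2tp-vpn service=l2tp

# Enable the L2TP server with IPsec. use-ipsec=yes makes RouterOS create the
# dynamic IPsec peer/policy itself, which is the config Step 3 warns not to
# hand-edit.
/interface l2tp-server server
set enabled=yes default-profile=l2tp-vpn authentication=mschap2 \
    use-ipsec=yes ipsec-secret="CHANGE-ME-preshared-key"
```

After applying this, `/ip ipsec peer print` and `/ip ipsec policy print` should show dynamic entries (flagged D) created by the L2TP server; if they are missing, the server is not using IPsec and the 1701 rule above will reject every client.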
Step 3 – Muck With the IPSec Config (optional; not recommended)
As mentioned above, if you’re on the most recent RouterOS firmware, IPSec will be configured correctly so it Just Works™. Of course, I noticed that it hadn’t turned the encryption up to 11 and decided to muck with it. Eventually, after breaking everything, I swallowed my pride, deleted all IPSec config and let the L2TP server re-add it correctly.
My recommendation is to note the exact dynamic configuration very carefully first, and to use the Copy function to make changes, so you can always get back to a working state.
Here’s what I have ended up with, for reference:
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 \
    enc-algorithms="aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des" \
    pfs-group=modp2048
Now, to configure an Android device.
My phone is running Android 8.1 via Lineage OS 15.1; your device may be different.
Go to Settings > Network & Internet > VPN, tap the plus / add button, and then tick the Show advanced options checkbox.