You can find the configuration to create a tunnel below. This will allow one client, with the username test and the password Password2, to connect as long as they also have the IPsec pre-shared key Password1. If you would like more than one user to connect, add more secrets, where the secret name is the login username, give each one a password, and give each one a unique remote address, as that is the IP address the client will have on its tunnel interface. The local address can be the same on every secret, as that is the IP address the server uses on its end of that tunnel interface.
If you do not want to create multiple secrets and want to allow multiple clients to connect through the same user account, remove the local and remote addresses from the secret, create an IP pool under IP > Pool, then go to PPP > Profile and set that pool as the remote address (hit the down arrow and pick your pool name), and set the local address to one static address that is not already in use on your network.
To allow a road warrior setup without leaving your device open to attack, add the following rules through the terminal and then drag them above any rules that drop traffic or might otherwise match the same traffic:
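The shared-account variant described above, written out as an added RouterOS terminal example (not part of the original post). It assumes the pool name l2tp-pool, the 192.168.40.0/24 range, and that the profile to modify is default-encryption, which is the profile the server configuration further down refers to.

```routeros
# Added example: one PPP secret shared by several clients, each getting
# its own address from a pool instead of a fixed remote-address.

# Pool of tunnel addresses handed to connecting clients (constructed range).
/ip pool
add name=l2tp-pool ranges=192.168.40.2-192.168.40.254

# The server keeps one static address on its end of every tunnel;
# each client is assigned the next free address from the pool.
# Assumption: default-encryption is the profile the L2TP server uses.
/ppp profile
set default-encryption local-address=192.168.40.1 remote-address=l2tp-pool

# The secret carries no addresses at all, so it no longer limits
# the account to a single concurrent client.
/ppp secret
add name=test password=Password2 service=l2tp profile=default-encryption

# Check which clients are currently holding a pool address.
/ppp active print
/ip pool used print
```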
/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp \
comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp \
comment="allow L2TP VPN (500,4500,1701/udp)"
Config for L2TP:
For the MikroTik server:
/interface l2tp-server server
set enabled=yes ipsec-secret=Password1 use-ipsec=required default-profile=default-encryption
*Note: this is under PPP in the GUI.*
/ppp secret
add name=test password=Password2 local-address=192.168.50.1 remote-address=192.168.40.1
For the Windows client:
Find the built-in VPN client by hitting the Windows key and typing "vpn". Once you have clicked on 'Change virtual private networks', click the Add button.
From there use the following settings:
VPN provider = Windows (built-in)
Connection name = (whatever you would like to name it)
Server name or address = (public IP address of the router you applied the configuration on; please ping this address to make sure it is reachable)
VPN type = L2TP/IPsec with pre-shared key
Pre-shared key = Password1
Type of sign-in info = username and password
Username = test
Password = Password2
For a MikroTik client:
/interface l2tp-client
add connect-to=(public IP address of the router you applied the configuration on; please ping this address to make sure it is reachable) disabled=no ipsec-secret=Password1 name=l2tp-out1 \
password=Password2 use-ipsec=yes user=test
Once the tunnel is set up and connected, you will need to add a route on the VPN server, through the new tunnel, for the networks you would like to reach on the other side. To do this we added a static route on the VPN server to the LAN subnet on the other side, using the VPN interface as the gateway. Otherwise you will need to implement other options for getting the two sides to talk to each other (like an EoIP tunnel, or setting the MRRU so you can bridge the VPN interface).
Once you have set up the static route on the VPN server, you will also need to set up routes on the VPN client so that the traffic can come back: on the client you will need to add static routes for the remote network.
For example, if you have a 192.168.88.0/24 subnet on the server and a 192.168.99.0/24 subnet on the client, on the server you will need to create a static route with the destination 192.168.99.0/24 and the gateway set to the interface going to the client.
*Please note that on the server side the tunnel interface will be dynamically created once the tunnel is connected. To get around this you can make the binding static by double-clicking the dynamic binding once connected, then clicking the Copy and Apply buttons. Note that you will need to kick the current session for the user before the new static binding is used.*
If you only create this route you will not be able to ping, as the return traffic will not know how to get back, so on the VPN client you will also need to add a static route with dst-address 192.168.88.0/24 and the VPN client interface as the gateway.
If you are connecting via a PC this will not matter, as the PC will create a 0.0.0.0/0 route through the VPN interface when you connect, and since you are getting the IP address directly from the server it will know how to route to it :)
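The static binding and the pair of routes from the 192.168.88.0/24 / 192.168.99.0/24 example above, written out as an added RouterOS terminal example (not part of the original post). It assumes the static server-side binding is named l2tp-test and that the client side uses the l2tp-out1 interface defined earlier on this page.

```routeros
# ---- On the VPN server ----

# Make the server-side tunnel interface static so a route can reference it
# by name before the client has connected (the dynamic binding only exists
# while the session is up). Assumption: interface name l2tp-test.
/interface l2tp-server
add name=l2tp-test user=test

# Route the client's LAN through the tunnel. A point-to-point interface
# name is accepted as the gateway, so no next-hop IP is needed.
/ip route
add dst-address=192.168.99.0/24 gateway=l2tp-test comment="LAN behind L2TP client test"

# ---- On the MikroTik VPN client ----

# Return route for the server's LAN; without it, pings from the server
# side arrive but the replies have no path back through the tunnel.
/ip route
add dst-address=192.168.88.0/24 gateway=l2tp-out1 comment="LAN behind L2TP server"

# ---- Verification (either side) ----

# The route should show as active (A) once the tunnel is up; a route
# whose gateway interface is down stays inactive and traffic falls
# through to the default route instead.
/ip route print where dst-address=192.168.99.0/24
/ping 192.168.99.1 count=3
```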
If you only need to dial out to the client/server, and connections initiated from the far end are not needed, you can make it easier on yourself by adding a masquerade rule out of each of the VPN interfaces. (If you end up adding a lot of tunnels, you can make one rule that specifies an interface list and then add all the tunnels to that list instead of having a lot of NAT rules :) ) This means you do not have to add a route back to the server on the client side, and all the traffic going to each of your clients will come from the same IP address, so you can have uniform firewall/IP service rules on all your clients accepting traffic from it.
Setting it up this way means connections will only work when initiated from the side with the NAT. If you would like both the client and server sites to initiate connections to the other side's LAN, you will instead need to add a static route to the remote side's address using the tunnel interface as the gateway.
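The interface-list masquerade variant described above, written out as an added RouterOS terminal example (not part of the original post). It assumes RouterOS 6.41 or later (where interface lists exist), a list named vpn-tunnels, and static server-side tunnel interfaces named l2tp-test and l2tp-test2.

```routeros
# Added example: one srcnat rule covering every tunnel interface in a list,
# so adding a tunnel means adding a list member rather than another NAT rule.

# Group the tunnel interfaces (names are assumptions; add one member per tunnel).
/interface list
add name=vpn-tunnels
/interface list member
add list=vpn-tunnels interface=l2tp-test
add list=vpn-tunnels interface=l2tp-test2

# Traffic leaving through any listed tunnel is rewritten to the server's
# own tunnel address, so the client needs no return route for the server LAN.
# Side effect to remember: clients can no longer initiate connections to
# hosts on the server LAN, and the client's firewall only ever sees the
# server's tunnel address, not the real source host.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=vpn-tunnels \
    comment="NAT server-side traffic entering VPN tunnels"

# Verify: the rule's counters should increase when you ping a client LAN host.
/ip firewall nat print stats where comment~"VPN tunnels"
```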