Troubleshooting L2TP VPN Connections on Mikrotik

This article is designed to help you troubleshoot issues with L2TP VPN tunnels between Mikrotik devices at Hub and Spoke locations. By following these steps, you can diagnose the problem, understand its root cause, and find a systematic solution.

Prerequisites

Things you’ll need:

  • IP addresses of the relevant Mikrotik devices, along with their SSH or Winbox ports;
  • Credentials to access each device.

Procedure

At the Mikrotik Hub, ensure that the L2TP tunnel between the Hub and Spoke is active. In Winbox, open Interfaces and look for a dynamic interface of type L2TP Server Binding (or PPTP Server Binding) that corresponds to the relevant Mikrotik Spoke.

If the interface is missing or inactive (no R flag, meaning running, shown to the left of the interface name), the IPSec tunnel might be down.

As with IPSec connections between Fortigate devices, the two main causes of an inactive L2TP tunnel are:

  • Unstable connectivity between the Hub and the Spoke site;
  • Misconfigured L2TP settings.

To check the required L2TP configuration on the Hub (DC) Mikrotik, run the following command on its CLI:

/ppp secret export

This command lists the PPP secrets (usernames and passwords) that remote Mikrotiks authenticate with. Ensure that the entry for this Spoke matches the configuration on the Spoke Mikrotik itself, which you can display on the Spoke with:

/interface l2tp-client export

Double-check by reviewing the event log (Log menu in Winbox) and confirm that there are no authentication failed events.

If the configuration is correct but the tunnel remains down, the cause may be an internet connectivity problem between the Spoke Mikrotik and the Hub. Verify connectivity with the ping and traceroute tools on the Spoke CLI:

/ping <REMOTE_IP>
/tool traceroute <REMOTE_IP>

If both the configuration and connectivity are fine but the connection is still down, try disabling and re-enabling the interface from the Interfaces menu.
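As an added example (not part of the original article and not a RouterOS tool), the following Python script performs the configuration comparison described above offline: it parses the text that /ppp secret export prints on the Hub and that /interface l2tp-client export prints on the Spoke, checks that connect-to, username, password and service agree, and scans copied log lines for authentication failed events. The Hub address, both exports and the log lines are constructed samples. On current RouterOS a plain export masks passwords, so the exports must be taken with the show-sensitive keyword for the password comparison to mean anything.

```python
import re
import shlex

# --- Constructed sample data; nothing here was captured from a real device ---
HUB_PUBLIC_IP = "203.0.113.10"  # assumed public address of the Hub

# Shape of `/ppp secret export show-sensitive` on the Hub (constructed).
HUB_PPP_SECRET_EXPORT = """\
# constructed sample: /ppp secret export show-sensitive (Hub)
/ppp secret
add name=spoke1 password=s3cret profile=default-encryption service=l2tp \\
    local-address=10.255.0.1 remote-address=10.255.0.2
"""

# Shape of `/interface l2tp-client export show-sensitive` on a Spoke whose
# settings agree with the Hub (constructed).
SPOKE_L2TP_CLIENT_EXPORT = """\
# constructed sample: /interface l2tp-client export show-sensitive (Spoke, OK)
/interface l2tp-client
add connect-to=203.0.113.10 disabled=no name=l2tp-to-hub password=s3cret \\
    user=spoke1 use-ipsec=yes
"""

# Same Spoke with two typical mistakes: wrong Hub address, wrong password.
SPOKE_BAD_EXPORT = """\
# constructed sample: /interface l2tp-client export show-sensitive (Spoke, broken)
/interface l2tp-client
add connect-to=203.0.113.11 disabled=no name=l2tp-to-hub password=wrongpass \\
    user=spoke1 use-ipsec=yes
"""

# Constructed lines in the style of the Winbox Log window.
SPOKE_LOG_LINES = [
    "jan/02 10:15:01 l2tp,ppp,info l2tp-to-hub: initializing...",
    "jan/02 10:15:01 l2tp,ppp,info l2tp-to-hub: connecting...",
    "jan/02 10:15:03 l2tp,ppp,error l2tp-to-hub: user spoke1 authentication failed",
    "jan/02 10:15:03 l2tp,ppp,info l2tp-to-hub: disconnected",
]

AUTH_FAIL_RE = re.compile(r"authentication failed", re.IGNORECASE)


def parse_export(text):
    """Turn a RouterOS export into a list of dicts, one per `add`/`set` line.

    Comment lines (#) and menu-path lines (/ppp secret) are skipped; a trailing
    backslash joins the following line, which is how RouterOS wraps long exports.
    """
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#/":
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        tokens = shlex.split(" ".join(pending))  # honours quoted values
        pending = []
        if tokens and tokens[0] in ("add", "set"):
            entries.append(dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok))
    return entries


def check_l2tp_pair(hub_export, spoke_export, hub_public_ip, spoke_log_lines):
    """Compare a Spoke's l2tp-client settings against the Hub's PPP secrets.

    Returns human-readable findings; an empty list means every item the article
    asks you to verify agrees between the two devices.
    """
    secrets = {s["name"]: s for s in parse_export(hub_export) if "name" in s}
    clients = parse_export(spoke_export)
    findings = []
    if not clients:
        findings.append("spoke: no l2tp-client interface is configured")
    for c in clients:
        tag = c.get("name", "<unnamed>")
        if c.get("disabled", "no") == "yes":
            findings.append(f"{tag}: interface is disabled")
        if c.get("connect-to") != hub_public_ip:
            findings.append(f"{tag}: connect-to={c.get('connect-to')} "
                            f"does not match Hub public IP {hub_public_ip}")
        user = c.get("user")
        secret = secrets.get(user)
        if secret is None:
            findings.append(f"{tag}: user {user!r} has no /ppp secret on the Hub")
        else:
            if secret.get("password") != c.get("password"):
                findings.append(f"{tag}: password differs from the Hub secret for {user!r}")
            if secret.get("service", "any") not in ("any", "l2tp"):
                findings.append(f"{tag}: Hub secret for {user!r} allows "
                                f"service={secret['service']}, not l2tp")
    # Last configuration check from the article: any authentication failures logged?
    findings.extend(f"log: {line.strip()}" for line in spoke_log_lines
                    if AUTH_FAIL_RE.search(line))
    return findings


if __name__ == "__main__":
    for label, spoke, logs in (("matching spoke", SPOKE_L2TP_CLIENT_EXPORT, []),
                               ("broken spoke", SPOKE_BAD_EXPORT, SPOKE_LOG_LINES)):
        result = check_l2tp_pair(HUB_PPP_SECRET_EXPORT, spoke, HUB_PUBLIC_IP, logs)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

To use it on real devices, paste each export and the relevant log lines into the constants (or read them from files saved from each terminal session) and run the script; a non-empty result names exactly which item of the checklist in the Summary disagrees between Hub and Spoke, so you know whether to go on to the connectivity tests.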

Summary

Key points to check:

  • Ensure the tunnel is up.
  • If not:
    • Verify the configurations between the Hub and Spoke Mikrotiks, ensuring:
      • The Connect-to field on the Spoke Mikrotik points to the Hub’s public IP.
      • The username and password are correct.
      • No authentication failure logs appear in the Log.
  • Check internet connectivity between the devices.
