--------------------
Step 1: define the VPN IP pool by clicking on IP -> Pool -> Pools -> Add New
Enter the name of your pool: ipsec
Enter the Addresses of your pool: 10.0.10.2-10.0.10.99 (ensure this does not overlap with any other network attached to the MikroTik, including the LAN subnet of the remote networks your clients will be connecting from!)
Next Pool: none
Click on Apply, then OK. Your new VPN pool should now be shown in the list.
--------------------
Step 2: create a new ppp profile by clicking on PPP -> Profiles -> Add New
Name: ipsec
Local Address: 10.0.10.1 (ensure this is in the same subnet as what you've defined above)
Remote Address: ipsec (the name of the pool you defined above)
DNS Server: 10.0.10.1 (the same address as your local address)
Change TCP MSS: yes
Use UPnP: default
Use MPLS: default
Use Compression: default
Use Encryption: yes
Only One: default
Click on Apply, then OK. Your new profile should now be shown in the list.
--------------------
Step 3: create a new user by clicking on PPP -> Secrets -> Add New
Enabled: Yes
Name: johnsmith (sample value; use one secret per user)
Password: smitty1234 (sample value; use a long, unique password, since MS-CHAPv2 offers little protection against offline guessing if the exchange is captured)
Service: l2tp
Profile: ipsec (the name of the profile you defined above)
Click on Apply, then OK. Your new username should now be shown in the list. Repeat as necessary for additional users.
--------------------
Step 4: enable the L2TP server by clicking on PPP -> L2TP Server
Enabled: Yes
Max MTU: 1460
Max MRU: 1460
Keepalive Timeout: 30
Default Profile: ipsec (the name of the profile you defined above)
Authentication: mschap2 (all others disabled)
Use IPsec: yes
IPsec Secret: homeipsecsecret (sample value; this pre-shared key is shared by every client and anyone holding it can complete IKE phase 1 with your router, so use a long random string)
Caller ID Type: ip address
One Session Per Host:
Allow Fast Path:
Click on Apply, then OK.
--------------------
Step 5: modify the default IPsec proposal by clicking on IP -> IPsec -> Proposals -> Default
Enabled: Yes
Name: l2tp-ipsec
Auth. Algorithms: sha1
Encr. Algorithms: aes-256-cbc
PFS Group: modp1024
(sha1 and modp1024 are weak by current standards; they are used here because they are what the built-in client proposes for phase 2. If a client fails with a "no proposal chosen" style error, try PFS Group: none.)
--------------------
Step 6: create a new IPsec peer entry by clicking on IP -> IPsec -> Peers -> Add New
Enabled: Yes
Address: 0.0.0.0/0
Auth. Method: pre shared key
Exchange Mode: main l2tp
Passive: No
Secret: homeipsecsecret (same as defined under PPP -> L2TP Server)
Policy Template Group: default
Send Initial Contact: Yes
NAT Traversal: Yes
My ID Type: auto
Generate Policy: port override
Lifetime: 1d 00:00:00
DPD Interval: 2s
DPD Maximum Failures: 5
Proposal Check: obey
Compatibility Options:
Hash Algorithm: sha256
Encryption Algorithm: aes-256
DH Group: modp1024
--------------------
Step 7: enter the required firewall rules by clicking on IP -> Firewall -> Filter Rules -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: ipsec-ah
Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: ipsec-esp
Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 500
Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 1701
Click IP -> Firewall -> Add New
Enabled: Yes
Action: Accept
Chain: input
In. Interface: ether1 (or whatever your WAN interface is)
Src. Address: 0.0.0.0/0
Connection State: New
Protocol: udp
Dst. Port: 4500
You should have five firewall rules added once completed (ipsec-ah, ipsec-esp, udp/500, udp/1701 and udp/4500). Drag them above any drop rule in the input chain, otherwise the default drop will still win. The ipsec-ah rule is not strictly needed, as L2TP/IPsec only uses ESP, but it is harmless.
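The same router-side configuration (Steps 1 to 7) as a RouterOS terminal script. This is an added example, not part of the original how-to; it assumes RouterOS v6 before 6.43 (where the peer still carries the secret, proposal settings and DH group; later releases split these into peers, identities and profiles), ether1 as the WAN interface, and the sample names and secrets used above. It differs from the GUI rules in two deliberate ways: it drops the unneeded ipsec-ah rule, and it only accepts UDP/1701 when the packet arrived inside an IPsec SA (ipsec-policy=in,ipsec), so plaintext L2TP from the Internet is never accepted.

```routeros
# Step 1: address pool handed out to VPN clients
/ip pool add name=ipsec ranges=10.0.10.2-10.0.10.99

# Step 2: PPP profile; local-address is the router's tunnel IP and DNS server
/ppp profile add name=ipsec local-address=10.0.10.1 remote-address=ipsec \
    dns-server=10.0.10.1 change-tcp-mss=yes use-encryption=yes

# Step 3: one secret per user (sample credentials, replace them)
/ppp secret add name=johnsmith password=smitty1234 service=l2tp profile=ipsec

# Step 4: L2TP server, MS-CHAPv2 only, IPsec mandatory
/interface l2tp-server server set enabled=yes max-mtu=1460 max-mru=1460 \
    keepalive-timeout=30 default-profile=ipsec authentication=mschap2 \
    use-ipsec=yes ipsec-secret=homeipsecsecret

# Step 5: phase 2 proposal (rename the default one, as the GUI steps do)
/ip ipsec proposal set [ find default=yes ] name=l2tp-ipsec \
    auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=modp1024

# Step 6: phase 1 peer accepting any client address behind NAT
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
    exchange-mode=main-l2tp passive=no secret=homeipsecsecret \
    policy-template-group=default send-initial-contact=yes nat-traversal=yes \
    generate-policy=port-override lifetime=1d dpd-interval=2s \
    dpd-maximum-failures=5 proposal-check=obey hash-algorithm=sha256 \
    enc-algorithm=aes-256 dh-group=modp1024

# Step 7: input-chain accepts. IKE on 500, NAT-T on 4500, ESP itself,
# and L2TP only after IPsec decapsulation. Move these above any drop rule.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp \
    dst-port=500,4500 action=accept comment="L2TP/IPsec: IKE and NAT-T"
/ip firewall filter add chain=input in-interface=ether1 protocol=ipsec-esp \
    action=accept comment="L2TP/IPsec: ESP"
/ip firewall filter add chain=input in-interface=ether1 protocol=udp \
    dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP/IPsec: L2TP only inside an IPsec SA"
```

Paste it into a terminal session (WinBox New Terminal or SSH) and then check `/ip firewall filter print` to confirm the three accept rules sit above your drop rule; a client that reaches phase 1 but never gets a PPP prompt is almost always a rule-order problem.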
--------------------
Now go to your Mac System Preferences -> Network -> and click on the '+' symbol. If it is grayed out, click on the lock and enter your administrator password.
Interface: VPN
VPN Type: L2TP over IPSec
Service Name: VPN (Home Router)
Click "+"
Configuration: Default
Server Address: (your router WAN address or DNS)
Account Name: johnsmith
Click Authentication Settings...
User Password: smitty1234
Machine Authentication:
Shared Secret: homeipsecsecret
Group Name: (blank)
Click OK.
Click Advanced, then under Session Options, check the following:
Disconnect when switching user accounts
Disconnect when user logs out
Send all traffic over VPN connection (provides a 0.0.0.0/0 route via the VPN! For Internet access through the tunnel, the router's srcnat masquerade rule must also cover the 10.0.10.0/24 pool; a rule matching out-interface=ether1 already does.)
Click OK. Click Connect.
Enjoy!