IPsec tunnel - Windows client to Mikrotik

Check the differences between IPsec tunnel mode and IPsec transport mode.

Assumptions:

We have a central location [HQ] connected to the internet via a Mikrotik router. The router has either a fixed IP or a dynamic DNS auto-update script. Let's assume that we are using the ChangeIP service and that our router can be reached on the internet by the FQDN “myVPN.changeip.org”.

1. create VPN address pool [VPN pool]

/ip pool
add name="VPN Pool" ranges=172.16.0.1-172.16.0.253

2. create L2TP profile [L2TP-encryption]

/ppp profile
add local-address=192.168.5.254 name=L2TP-encryption remote-address="VPN Pool" use-encryption=yes \
change-tcp-mss=yes dns-server=4.2.2.2

“local-address” is the private IP address of your router.

3. enable L2TP server

/interface l2tp-server server
set default-profile=L2TP-encryption enabled=yes max-mru=1460 max-mtu=1460

4. create secret

/ppp secret
add name=user11 password=pass1 profile=L2TP-encryption service=l2tp

5. add IPsec proposal (or edit default)

/ip ipsec proposal
set [ find default=yes ] pfs-group=none

6. add IPsec peer

/ip ipsec peer
add dpd-interval=15s exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 \
lifetime=1h nat-traversal=yes secret=my_secret_key

This is all you need to configure on the router. You still have to configure the Windows client.
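As an added example (not part of the original post), a small Python script that parses a RouterOS export of the commands from steps 1 to 6 (the sample text is constructed from them) and checks that the address pool, PPP profile, L2TP server and IPsec peer actually reference each other consistently; the 16-character minimum for the pre-shared key is this example's own threshold, not a RouterOS requirement.

```python
import re
import shlex

# Constructed sample: the router-side commands from the steps above, as /export prints them.
SAMPLE_EXPORT = """\
/ip pool
add name="VPN Pool" ranges=172.16.0.1-172.16.0.253
/ppp profile
add local-address=192.168.5.254 name=L2TP-encryption remote-address="VPN Pool" use-encryption=yes \\
change-tcp-mss=yes dns-server=4.2.2.2
/interface l2tp-server server
set default-profile=L2TP-encryption enabled=yes max-mru=1460 max-mtu=1460
/ip ipsec peer
add dpd-interval=15s exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 lifetime=1h nat-traversal=yes secret=my_secret_key
"""

def parse_export(text):
    """Map each menu path (e.g. '/ppp profile') to its list of key=value dicts."""
    menus, section = {}, None
    # join RouterOS '\' line continuations, then walk the non-empty lines
    for line in filter(None, map(str.strip, text.replace("\\\n", " ").splitlines())):
        if line.startswith("/"):
            section = menus.setdefault(line, [])
            continue
        body = re.sub(r"^(add|set)\s+(\[.*?\]\s+)?", "", line)  # drop verb and "[ find ... ]"
        section.append(dict(tok.partition("=")[::2] for tok in shlex.split(body)))
    return menus

def audit(text):
    """Return findings; an empty list means pool, profile, server and peer fit together."""
    m, findings = parse_export(text), []
    pools = {p["name"] for p in m.get("/ip pool", [])}
    profiles = {p["name"]: p for p in m.get("/ppp profile", [])}
    server = (m.get("/interface l2tp-server server") or [{}])[0]
    if server.get("enabled") != "yes":
        findings.append("L2TP server is not enabled")
    prof = profiles.get(server.get("default-profile"))
    if prof is None:
        findings.append("L2TP default-profile does not exist")
    elif prof.get("use-encryption") != "yes":
        findings.append("default profile does not require encryption")
    elif prof.get("remote-address") not in pools:
        findings.append("default profile points at a missing address pool")
    for peer in m.get("/ip ipsec peer", []):
        if peer.get("exchange-mode") != "main-l2tp" or peer.get("nat-traversal") != "yes":
            findings.append("IPsec peer is not set up for L2TP clients behind NAT")
        if len(peer.get("secret", "")) < 16:  # threshold is this example's assumption
            findings.append("IPsec pre-shared key is shorter than 16 characters")
    return findings
```

Run `audit()` over the output of `/export` from the router; the placeholder key in the sample is the only thing it flags.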