Moscow, Azovskaya 14
+7 (495) 310-97-15
Mo-Fr: 9.00 - 18.00 (Moscow time)
Order a call
Your name *
Enter phone *
Your Email *
Call me back
Configuring 2x MikroTik L2TP Server + IPsec

Connecting to the PLC through a VPN tunnel

In this article, I will try to describe in detail, step by step, the steps that are required to configure two Mikrotik hAPac2 routers using the L2TP protocol, and at the same time I will create a reminder for myself on how to connect such a tunnel to the PLC210 CS SP14 over time.

I myself am not some kind of network technology guru and I admit that I may have made a mistake in the description.

If you can't connect like that, knock, I'll try to help.

A VPN tunnel is well suited for those cases when it is unsafe and redundant to keep a computer on site for remote access, and significant traffic savings result.

The problem of setting up remote access over a VPN tunnel to a remote controller consists of several features at the same time:

1. The general rules for connecting two nodes (site-to-site) may differ in a number of ways. If it works for some users, it may not work for you. The subtleties are hidden in the details.

2. Tasks are different from the task and one piece of advice may be completely unsuitable for another case.

3. Youtube has an abundance of similar videos on connections, but it is very difficult to watch and repeat + what is promoted is usually already quite outdated.

So out of ignorance, you can spend a lot of time and the search for worthwhile articles tuned for practical use is quite difficult. Then, even having found a worthwhile article, and anyway, in the end, turn to knowledgeable specialists, since there are a lot of features.

What was my task:

A PLC210-01 controller was purchased for the facility. It stands deep in the underground casemates of the heating point of a large high-rise building. The object is about 1000 input-output signals, and it was not reasonable to control the correctness of the program code either through Anydesk / TeamViwer, or, moreover, by frequent trips on a call. Accordingly, it is necessary to somehow control the process remotely and correct the code immediately if a flaw is found.

What has been done:

1. In the place where I am most of all in Moscow, I rented a static IP address. It is not secret, you can connect to it and program. The second PLC210 from OWEN is connected there (

2. The MIKROTIK hAP ac2 router had already been purchased earlier and it remained to purchase a second one in order to organize an encrypted VPN tunnel. How lucky that they are getting cheaper year after year, the first one cost as much as 5500 rub, this one took for 4680 rub., you can buy a similar one on Avito for about 2 thousand rubles

3. The L2TP protocol was pre-selected, as it is quite secure and quite easy to set up

4. Both routers have similar firmware, in the client it is 6.48.4

Версии Mikrotik

Структурная схема VPN

In accordance with the block diagram, it can be seen that the first Mikrotik router (server) from where programming is being carried out (GW1) will be configured for the L2TP Server + IPSec role, with the following settings:

External IP (WAN): (static IP address);

VPN Server IP address:;

Router address in LAN network:

MIkrotik in the place where the PLC210 (GW2) will be connected will be a VPN client with the following settings:

External IP (WAN): (the address of what the modem with the Tele2 SIM card gives) HUAWEI LTE modem (reflashed);

VPN Client IP address:;

Router address in LAN network:

Setting up a server router

1. Create user Secret. Specify VPN Server + VPN Client addresses

PPT Secrets(+)

Создаем пользователя с правами

2. We create a PPT interface in which we specify the Secret user

Создаем интерфейс PPT

Создаем интерфейс PPT

3. Turn on L2TP Server

Включаем L2TP Server

4. Set up three rules for the Firewall.
Устанавливаем три правила для Firewall

Устанавливаем три правила для Firewall

Устанавливаем три правила для Firewall

We have configured the server part, proceed further to setting up the client part (router)

Setting up the client's router

1. We create a new user profile, leave the default profiles unchanged.

Создаем новый профиль пользователя

Adding a Protocol

Check the YES checkbox on the Use Encryption line

YES на строке Use Encription

2. Adding an L2TP Client Interface to PPP.

L2TP Client в PPP
L2TP Client в PPP

L2TP Client в PPP

L2TP Client в PPP

If the letter "R" appears at the customer service line, then everything is set up.

L2TP Client в PPP

To eliminate the Path MTU Discovering Black Hole problem associated with large packet fragmentation (bad communication channel, many hops), you must do the following:

Path MTU Discovering Black Hole

Lower Max. in server settings. MTU up to 1350-1300. Set MRRU to 1600.

Max. MTU до 1350-1300

In the client settings, also specify MRRU 1600

I think it’s right to add this decision: so that you can access the client router from the server side through the tunnel, set a rule for port 8291.

Правило захода в клиентский роутер

Important: in order to ensure the passage of signals from one network to another from an external local network, you need to register a route on two routers. Otherwise, all this will not work and ping will only take place from the terminal of the router itself.

First, check the ping from the terminals of both routers to each other, then check the operability of passing packets from one network to another.

It is advisable to configure all this when you have both routers in your hands.

Настроенный роутер на VPN

Настроенный роутер на VPN

I had a need to configure the client part for two providers. An LTE modem was inserted + a local Ethernet cable was connected.

It's not easy to set everything up right away. Here is the article I used:

I express my personal gratitude to Alexander Polikushin ( for help in fine-tuning this solution!

#VPN, #L2TP, #Mikrotik, #PLC210, #OWEN

Be the first to comment

You comment add