NeuroAgent

Mikrotik L2TP Auth Page Fix Guide

Fix Mikrotik L2TP connection showing provider authentication page despite status 'R'. Learn firewall rules, timeout settings, and double-NAT solutions. Complete troubleshooting guide for stable L2TP connections.

Question

Mikrotik L2TP connection shows provider authentication page - how to resolve?

  • Mikrotik is connected to the provider via L2TP with the connection showing status ‘R’ in the interfaces.
  • After reboot, the connection works for a few minutes but then stops loading web pages and periodically displays the provider’s authentication page.
  • The provider claims that authentication pages only appear via DHCP and cannot be related to L2TP connections, suggesting the issue is on our side.
  • The Mikrotik connects to Deco M5 devices operating in access point mode.
NeuroAgent

When your Mikrotik L2TP connection shows a provider authentication page despite being connected with status ‘R’, this typically indicates a routing, NAT, or timeout issue rather than a pure L2TP authentication failure. The problem often stems from connections dropping after certain time periods, followed by the router falling back to the provider’s captive portal authentication system, especially in double-NAT scenarios or when firewall rules interfere with the VPN tunnel.

Understanding the Problem

The issue you’re experiencing where the Mikrotik L2TP connection shows status ‘R’ but then displays a provider authentication page is a common problem that typically occurs when the L2TP tunnel becomes unstable or partially functional. According to MikroTik community discussions, this often happens when the connection appears to be working but actually can’t properly route traffic through the tunnel.

Several users have reported similar issues where:

  • The connection shows as running but web browsing stops working
  • After a reboot, the connection works for a limited time (few minutes to 8 hours)
  • The system falls back to showing the provider’s authentication portal
  • This particularly affects setups with double-NAT configurations

The fact that you’re connecting through Deco M5 devices in AP mode adds complexity to the network topology, potentially creating multiple layers of NAT that can interfere with the L2TP tunnel’s functionality.


Common Causes of Authentication Page Appearance

Double-NAT Issues

As noted in MikroTik forum discussions, L2TP/IPsec often does not work reliably through double NAT. When your Mikrotik reaches the provider via the Deco M5 devices, the path may look like:

Internet → Provider Router → Deco M5 (AP mode) → Mikrotik → L2TP Provider

Every NAT hop in that chain has to keep a mapping for the tunnel's IKE (UDP 500/4500) and L2TP (UDP 1701) sessions. When one hop expires a mapping, the tunnel stays nominally up but stops passing traffic, and the provider's captive portal appears as the router tries to re-authenticate. Check where NAT actually happens: a Deco in pure AP mode should only bridge, so the extra NAT hop may be the provider router itself rather than the Deco.

Firewall Rule Interference

The research findings show that improper firewall rules are a frequent cause of L2TP connection issues. Specifically:

  • Missing masquerade rules for the L2TP interface
  • Input firewall rules blocking L2TP/IPsec traffic
  • NAT rules that interfere with the VPN tunnel

One user reported that after copying default firewall rules from RouterOS version 6.45.7, their connection issues were resolved.

Connection Timeouts and Drops

Multiple forum threads discuss L2TP connections dropping after specific time periods:

  • 1-minute drops: Often related to keepalive settings
  • 8-hour drops: The default maximum session timeout for Mikrotik L2TP/IPsec VPN users

When these timeouts occur, the connection may partially fail, causing the system to redirect users to the provider’s authentication page instead of maintaining the VPN tunnel.


Firewall and NAT Configuration Issues

Required Firewall Rules

Based on the research findings, here are the essential firewall rules that should be configured for L2TP/IPsec connections:

```routeros
/ip firewall nat
add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
```

These rules ensure that:

  1. Traffic from the L2TP tunnel is properly masqueraded when going out to the internet
  2. Established connections are allowed through the firewall
  3. Invalid connections are dropped
  4. ICMP traffic (important for network connectivity) is allowed

Interface Configuration

If the Mikrotik itself terminates L2TP (server role), its server settings should carry explicit authentication and keepalive values. In the scenario from the question the Mikrotik is the L2TP client, so the counterpart is the `keepalive-timeout` parameter of `/interface l2tp-client`.

```routeros
/interface l2tp-server server
set enabled=yes max-mtu=1450 max-mru=1450 mrru=disabled \
    authentication=pap,chap,mschap1,mschap2 \
    keepalive-timeout=30 max-sessions=unlimited \
    default-profile=default-encryption use-ipsec=yes \
    ipsec-secret=your-secret caller-id-type=ip-address
```

The `keepalive-timeout=30` setting is the one that matters for connection stability: the peer is considered dead after that many seconds without a keepalive reply.


Timeout and Connection Stability Settings

L2TP Session Timeouts

The research reveals that Mikrotik L2TP/IPsec VPN users have a default timeout of 8 hours. After this period, users get disconnected automatically. If you need longer sessions, you can modify this timeout.

Keepalive Configuration

To prevent the 1-minute drops mentioned in forum discussions, set an explicit keepalive on the client interface instead of relying on the default:

```routeros
/interface l2tp-client
set [find name=your-l2tp-connection] \
    use-ipsec=yes \
    profile=default-encryption \
    add-default-route=yes \
    dial-on-demand=no \
    keepalive-timeout=30 \
    disabled=no
# keepalive-timeout is the client-side counterpart of the server setting above
```

Phase 1 and Phase 2 Timeouts

For IPsec connections, ensure proper timeout settings. On RouterOS 6.45 and later the phase 1 parameters (hash, encryption, DH group, lifetime) live in `/ip ipsec profile`, and the phase 2 lifetime in `/ip ipsec proposal`; the peer entry only keeps the exchange settings. The dynamic peer that `use-ipsec=yes` creates inherits the `default` profile and proposal and cannot be edited directly, so edit those instead:

```routeros
# Phase 1 (IKE): profile used by the peer
/ip ipsec profile
set [find name=default] \
    hash-algorithm=sha256 \
    enc-algorithm=aes-256 \
    dh-group=modp2048 \
    lifetime=1h

# Only for a statically defined peer (dynamic peers cannot be changed)
/ip ipsec peer
set [find address=provider-ip] \
    exchange-mode=main \
    send-initial-contact=yes

# Phase 2 (ESP SA) lifetime
/ip ipsec proposal
set [find name=default] lifetime=30m
```

DHCP vs L2TP Authentication Conflicts

While your provider claims that authentication pages only appear via DHCP, the research shows that L2TP connections can indeed trigger captive portal behavior when they become unstable. This happens because:

  1. Partial Connection: The L2TP tunnel may establish but fail to properly route traffic
  2. Fallback Mechanism: When the VPN tunnel fails, the system may fall back to the provider’s standard authentication methods
  3. DHCP Integration: Some providers integrate their authentication systems with DHCP, so even L2TP connection issues can trigger the authentication page

To resolve this conflict:

  • Ensure your Mikrotik is not relying on the provider's DHCP lease for internet traffic once the L2TP tunnel is up; the underlying WAN interface usually still needs its provider-assigned address to reach the L2TP server, so the goal is that the tunnel, not the DHCP-learned gateway, carries the default route
  • Configure static IP assignments for the L2TP connection
  • Verify that the L2TP interface has routing priority, for example by giving the tunnel's default route a lower distance than the DHCP client's route, or by setting `add-default-route=no` on `/ip dhcp-client` and adding the route to the L2TP server manually

Step-by-Step Troubleshooting Approach

Step 1: Verify L2TP Connection Status

Check the actual status of your L2TP connection:

```routeros
/interface l2tp-client print
/interface print
/ppp secret print
/ip ipsec policy print
```

Look for any error messages or inconsistencies in the configuration.

Step 2: Test Without Double-NAT

Temporarily bypass the Deco M5 devices and connect the Mikrotik directly to the provider. If the authentication page issue disappears, the problem is related to the double-NAT setup.

Step 3: Check Firewall Rules

Compare your current firewall rules with the recommended ones above. Pay special attention to:

  • NAT rules for the L2TP interface
  • Input rules for the tunnel's control traffic: UDP 500 and 4500 (IKE and NAT-T), ESP (IP protocol 50) and UDP 1701 (L2TP); as a client the replies match the established/related accept rule, so make sure no drop rule sits above it
  • Connection tracking rules

Step 4: Adjust Timeout Settings

Modify the keepalive and timeout settings to be more aggressive, on the side that dials the provider (the client in the question's setup):

```routeros
# client side: the Mikrotik dials the provider
/interface l2tp-client
set [find name=your-l2tp-connection] keepalive-timeout=15

# server side, only if the Mikrotik also terminates L2TP
/interface l2tp-server server
set keepalive-timeout=15
```

Step 5: Test Authentication Methods

Try different authentication methods in your L2TP configuration:

  • PAP, CHAP, MSCHAP1, MSCHAP2
  • Different encryption algorithms
  • Different IPsec proposals

Step 6: Monitor Connection Drops

Use the following commands to monitor for connection drops:

```routeros
/tool monitor-traffic interface=l2tp-client-1
/interface l2tp-client monitor [find name=l2tp-client-1]
```

`monitor-traffic` shows whether packets still flow; `monitor` shows the status and uptime, and an uptime that resets marks a re-dial. Correlate the timestamps with `/log print where message~"l2tp"` and watch for patterns in when the connection fails.
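As an added example (not from the original page or from MikroTik), the following RouterOS script automates the check described in these steps: it treats the 'R' flag as necessary but not sufficient, pings through the tunnel, logs the result and re-dials when the tunnel is up but passes nothing. The interface name, test host and probe count are assumptions.

```routeros
# Added example, not from the original page. Save it as /system script name=l2tp-watch
# and run it from /system scheduler every minute (command at the end).
# Assumed names: tunnel interface "l2tp-out1", test host 1.1.1.1, 3 probes.
:local tunnel "l2tp-out1"
:local testHost "1.1.1.1"
:local probes 3

# Flag 'R' only says the control channel is up; check it, then check that
# packets forced through the tunnel actually get replies.
:local running [/interface get [find name=$tunnel] running]

:if ($running = false) do={
    :log warning ("l2tp-watch: " . $tunnel . " not running, re-enabling")
    /interface l2tp-client disable [find name=$tunnel]
    :delay 2s
    /interface l2tp-client enable [find name=$tunnel]
} else={
    # /ping returns the number of replies received
    :local replies [/ping $testHost interface=$tunnel count=$probes]
    :if ($replies = 0) do={
        # The symptom from the question: flag R set, but nothing passes
        :log error ("l2tp-watch: " . $tunnel . " running but 0/" . $probes . " replies through it, re-dialing")
        /interface l2tp-client disable [find name=$tunnel]
        :delay 2s
        /interface l2tp-client enable [find name=$tunnel]
    } else={
        # Keeps a per-minute record so drop patterns can be read from the log
        :log info ("l2tp-watch: " . $tunnel . " ok, " . $replies . "/" . $probes . " replies")
    }
}

# Scheduling (run once from the terminal after saving the script):
# /system scheduler add name=l2tp-watch interval=1m on-event=l2tp-watch
```

The log lines it writes give you the timestamps to compare against the provider's authentication page appearing.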


Advanced Configuration Options

IPsec Proposal Optimization

Based on the research findings, optimize your IPsec proposal for better compatibility:

```routeros
# /ip ipsec proposal uses enc-algorithms and auth-algorithms on a named entry
/ip ipsec proposal
set [find name=default] \
    enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc \
    auth-algorithms=sha256,sha1
```

MTU and MSS Settings

Adjust MTU and MSS settings to handle potential fragmentation issues. Note that the PPP profile's default `change-tcp-mss=yes` already clamps MSS on the tunnel, so the mangle rule is only needed if that option is off:

```routeros
# l2tp-client uses max-mtu/max-mru, not mtu
/interface l2tp-client
set [find name=your-connection] max-mtu=1400 max-mru=1400

/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=your-connection \
    action=change-mss new-mss=1360 passthrough=yes comment="L2TP TCP MSS adjustment"
```

Alternative VPN Protocol

As a last resort, consider switching to SSTP VPN as mentioned in one of the forum discussions:

```routeros
/interface sstp-client
add connect-to=provider-server user=username password=password \
    profile=default-encryption
```

Some users reported that SSTP worked better than L2TP/IPsec in certain problematic scenarios.


Sources

  1. MikroTik L2TP over IPSec troubleshooting - jcutrer.com
  2. Troubleshooting L2TP/IPSec, can’t connect with some clients - MikroTik Forum
  3. IPSEC/L2TP disconnect after one minute - MikroTik Forum
  4. L2TP/IPSec vpn disconnects after a minute or so - MikroTik Forum
  5. L2TP configuration - Timeout error - MikroTik Forum
  6. Getting connection reset… How to solve it? - MikroTik Forum
  7. L2TP is disconnect after every 8 hours - MikroTik Forum
  8. VPN immediately disconnecting after authentication (Windows 10 client) - MikroTik Forum
  9. L2TP+IPsec VPN with drops - MikroTik Forum

Conclusion

The Mikrotik L2TP authentication page issue is typically caused by connection instability, firewall misconfiguration, or double-NAT problems rather than pure authentication failures. Based on the research findings, the most effective solutions involve:

  1. Proper Firewall Configuration: Ensure you have the necessary masquerade and IPsec rules in place
  2. Timeout Adjustment: Tune keepalive and session timeouts to address the 1-minute and 8-hour drops
  3. Double-NAT Resolution: Either bypass the Deco M5 devices or configure them to work properly with L2TP
  4. Alternative Authentication Methods: Try different PPP authentication protocols and IPsec proposals
  5. Network Monitoring: Use monitoring tools to identify when and why the connection fails

Start with the firewall rule adjustments and timeout modifications, as these have resolved similar issues for many users in the MikroTik community. If problems persist, consider testing with SSTP as an alternative VPN protocol or temporarily removing the double-NAT setup to isolate the issue.