
Untitled

a guest
Nov 6th, 2022
  # IKE phase-1 settings, one responder-only peer, and the phase-2 proposals.
  # NOTE(review): both the default profile and my-ipsec-profile1 use
  # dh-group=modp1024 (1024-bit MODP), which is too weak for new deployments.
  # Prefer modp2048 or an ECP group once the remote end is confirmed to support it.
  # dpd-interval=disable-dpd switches dead-peer detection off in both profiles.
  1. /ip ipsec profile
  2. set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd \
  3. enc-algorithm=aes-256 hash-algorithm=sha256
  4. add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 \
  5. hash-algorithm=sha256 name=my-ipsec-profile1
  # passive=yes makes this peer a responder only. No address= is set, so the
  # RouterOS default applies (presumably "any remote address" - verify).
  # NOTE(review): no /ip ipsec identity section appears in this paste, so how this
  # peer authenticates cannot be reviewed from here.
  6. /ip ipsec peer
  7. add name=my-ipsec-peer1 passive=yes profile=my-ipsec-profile1 \
  8. send-initial-contact=no
  # NOTE(review): the default proposal sets pfs-group=ecp256 but
  # my-ipsec-proposal1 sets no pfs-group, so it uses the RouterOS default
  # (believed to be modp1024 - confirm with "/ip ipsec proposal print").
  # aes-128-gcm is an AEAD cipher, so auth-algorithms=sha256 presumably has no
  # effect on ESP integrity for these proposals - verify.
  9. /ip ipsec proposal
  10. set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-gcm \
  11. pfs-group=ecp256
  12. add auth-algorithms=sha256 enc-algorithms=aes-128-gcm name=my-ipsec-proposal1
  # Address pools: "dhcp" for 192.168.88.10-254 and "pool1-l2tp" for PPP clients.
  13. /ip pool
  14. add name=dhcp ranges=192.168.88.10-192.168.88.254
  15. add name=pool1-l2tp ranges=172.18.31.10-172.18.31.200
  # "*0" is an internal item ID in the export (presumably the built-in default PPP
  # profile - verify). It hands out remote addresses from pool1-l2tp and sets
  # use-encryption=yes.
  # NOTE(review): the profile my-profile1-encrypt, which later lines of this paste
  # reference, is not defined here; the export may be partial.
  16. /ppp profile
  17. set *0 local-address=192.168.1.15 remote-address=pool1-l2tp use-encryption=\
  18. yes use-ipv6=no use-upnp=no
  19.  
  # Outbound L2TP client "l2tp-out1". The connect-to hostname appears redacted.
  # add-default-route=yes installs a default route through the tunnel, so routed
  # traffic is exposed to whoever operates the remote server.
  # allow=mschap2 restricts PPP authentication to MS-CHAPv2, which is weak on its
  # own; here it depends on the IPsec layer (use-ipsec=yes) for protection.
  # NOTE(review): no ipsec-secret or password is visible (the export may hide
  # sensitive values - verify). With use-ipsec=yes RouterOS creates a dynamic
  # peer/policy, likely from the default profile and proposal rather than the
  # my-ipsec-* entries - confirm which DH group is actually negotiated.
  20. /interface l2tp-client
  21. add add-default-route=yes allow=mschap2 connect-to=vpnxxxxxxxxx.softether.net \
  22. disabled=no name=l2tp-out1 profile=my-profile1-encrypt use-ipsec=yes \
  23. user=hehe@l2tpserv
  # Firewall filter rules. Rules in a chain are evaluated top to bottom, so the
  # order below is part of the policy. Most entries keep their "defconf" labels.
  24. /ip firewall filter
  25. add action=accept chain=input comment=\
  26. "defconf: accept established,related,untracked" connection-state=\
  27. established,related,untracked
  28. add action=drop chain=input comment="defconf: drop invalid" connection-state=\
  29. invalid
  # NOTE(review): the label says "accept ICMP" but action=drop, and the match is
  # limited to in-interface=all-ppp. ICMP arriving on other interfaces is not
  # matched here and falls through to the rules below. Correct the label or the
  # action, whichever is intended.
  30. add action=drop chain=input comment="defconf: accept ICMP" in-interface=\
  31. all-ppp protocol=icmp
  32. add action=accept chain=input comment=\
  33. "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
  # Input from any interface outside the LAN list is dropped from here on.
  # No /interface list member section is visible in this paste, so which
  # interfaces are in LAN or WAN (including l2tp-out1) cannot be checked here.
  # No rule above accepts new IKE/L2TP connections, so the passive IPsec peer is
  # presumably reachable only from LAN-list interfaces - verify.
  34. add action=drop chain=input comment="defconf: drop all not coming from LAN" \
  35. in-interface-list=!LAN
  # Forward chain. The ipsec-policy accepts sit above the fasttrack rule, so
  # traffic matching an IPsec policy is accepted before fasttrack is considered.
  36. add action=accept chain=forward comment="defconf: accept in ipsec policy" \
  37. ipsec-policy=in,ipsec
  38. add action=accept chain=forward comment="defconf: accept out ipsec policy" \
  39. ipsec-policy=out,ipsec
  40. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
  41. connection-state=established,related hw-offload=yes
  42. add action=accept chain=forward comment=\
  43. "defconf: accept established,related, untracked" connection-state=\
  44. established,related,untracked
  45. add action=drop chain=forward comment="defconf: drop invalid" \
  46. connection-state=invalid
  # Only new connections entering through WAN-list interfaces are dropped here;
  # new forwarded connections from any other interface are not matched.
  47. add action=drop chain=forward comment=\
  48. "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
  49. connection-state=new in-interface-list=WAN
  # NOTE(review): these two input rules come after the "!LAN" drop above, so they
  # can only match if pppoe-out1 is a member of the LAN list - verify. The first
  # is disabled; the second matches DNS over UDP only (tcp/53 is not covered).
  50. add action=drop chain=input disabled=yes in-interface=pppoe-out1
  51. add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=udp
  # Source NAT for traffic leaving through pppoe-out1 only.
  # NOTE(review): the L2TP client in this paste sets add-default-route=yes, but
  # this rule does not match traffic leaving through l2tp-out1; confirm whether
  # LAN traffic sent into the tunnel is meant to go out un-NATed.
  52. /ip firewall nat
  53. add action=masquerade chain=srcnat comment="defconf: masquerade" \
  54. out-interface=pppoe-out1
  # Static IPsec policy bound to my-ipsec-peer1 and my-ipsec-proposal1.
  # NOTE(review): only protocol=udp is set. No src-address, dst-address or port
  # is given, so RouterOS defaults apply and the policy is not visibly limited to
  # L2TP (udp/1701) - confirm the intended selectors.
  55. /ip ipsec policy
  56. add peer=my-ipsec-peer1 proposal=my-ipsec-proposal1 protocol=udp
  # Local PPP account for service=l2tp. It reuses the name given as user= on the
  # l2tp-client in this paste and pins the remote address to 172.18.31.103.
  # NOTE(review): no password field is shown (omitted by the export or not set -
  # verify). No /interface l2tp-server section is visible, so whether an L2TP
  # server is enabled to use this account cannot be told from here.
  57. /ppp secret
  58. add local-address=192.168.1.15 name=hehe@l2tpserv profile=my-profile1-encrypt \
  59. remote-address=172.18.31.103 service=l2tp
  # Adds a logging rule for the l2tp topic. No action= is given, so the RouterOS
  # default log target applies (presumably in-memory - verify). IPsec negotiation
  # is not logged by this rule.
  60. /system logging
  61. add topics=l2tp
  62.  