diff --git a/components/lwip/CMakeLists.txt b/components/lwip/CMakeLists.txt
index 4485886153..3f7d520de8 100644
--- a/components/lwip/CMakeLists.txt
+++ b/components/lwip/CMakeLists.txt
@@ -132,12 +132,7 @@ if(CONFIG_LWIP_ENABLE)
             "lwip/src/netif/ppp/pppos.c"
             "lwip/src/netif/ppp/upap.c"
             "lwip/src/netif/ppp/utils.c"
-            "lwip/src/netif/ppp/vj.c"
-            "lwip/src/netif/ppp/polarssl/arc4.c"
-            "lwip/src/netif/ppp/polarssl/des.c"
-            "lwip/src/netif/ppp/polarssl/md4.c"
-            "lwip/src/netif/ppp/polarssl/md5.c"
-            "lwip/src/netif/ppp/polarssl/sha1.c")
+            "lwip/src/netif/ppp/vj.c")
     endif()
 
     if(NOT ${target} STREQUAL "linux")
@@ -160,6 +155,15 @@ if(CONFIG_LWIP_ENABLE)
             "apps/ping/ping_sock.c")
     endif()
 
+    if(NOT CONFIG_LWIP_USE_EXTERNAL_MBEDTLS)
+        list(APPEND srcs
+                "lwip/src/netif/ppp/polarssl/arc4.c"
+                "lwip/src/netif/ppp/polarssl/des.c"
+                "lwip/src/netif/ppp/polarssl/md4.c"
+                "lwip/src/netif/ppp/polarssl/md5.c"
+                "lwip/src/netif/ppp/polarssl/sha1.c")
+    endif()
+
     if(CONFIG_LWIP_DHCPS)
         list(APPEND srcs "apps/dhcpserver/dhcpserver.c")
     endif()
@@ -215,6 +219,10 @@ if(CONFIG_LWIP_ENABLE)
         idf_component_optional_requires(PRIVATE nvs_flash)
     endif()
 
+    if(CONFIG_LWIP_USE_EXTERNAL_MBEDTLS)
+        idf_component_optional_requires(PRIVATE mbedtls)
+    endif()
+
     if(${target} STREQUAL "linux")
         set(THREADS_PREFER_PTHREAD_FLAG ON)
         find_package(Threads REQUIRED)
diff --git a/components/lwip/Kconfig b/components/lwip/Kconfig
index 7e24e027e4..427d0e3d36 100644
--- a/components/lwip/Kconfig
+++ b/components/lwip/Kconfig
@@ -961,6 +961,17 @@ menu "LWIP"
         help
             Enable PPP debug log output
 
+    config LWIP_USE_EXTERNAL_MBEDTLS
+        bool "Use mbedTLS instead of internal polarSSL"
+        depends on LWIP_PPP_SUPPORT
+        depends on !LWIP_PPP_MPPE_SUPPORT && !LWIP_PPP_MSCHAP_SUPPORT
+        default n
+        help
+            This option uses mbedTLS crypto functions (instead of internal PolarSSL
+            implementation) for PPP authentication modes (PAP, CHAP, etc.).
+            You can use this option to address symbol duplication issues, since
+            the internal functions are not namespaced (e.g. md5_init()).
+
     menuconfig LWIP_SLIP_SUPPORT
         bool "Enable SLIP support (new/experimental)"
         default n
diff --git a/components/lwip/lwip b/components/lwip/lwip
index 3a3d1fb3e3..e8d0513898 160000
--- a/components/lwip/lwip
+++ b/components/lwip/lwip
@@ -1 +1 @@
-Subproject commit 3a3d1fb3e3bc23cf86cf653ce5928eda47e2c15d
+Subproject commit e8d0513898ce96d7851b41bc6acb7af3259a447b
diff --git a/components/lwip/port/include/lwipopts.h b/components/lwip/port/include/lwipopts.h
index 7d66f9c568..ff690ce8ab 100644
--- a/components/lwip/port/include/lwipopts.h
+++ b/components/lwip/port/include/lwipopts.h
@@ -1141,6 +1141,15 @@ static inline uint32_t timeout_from_offered(uint32_t lease, uint32_t min)
 #define PPP_SUPPORT                     0
 #endif  /* CONFIG_LWIP_PPP_SUPPORT */
 
+/**
+ * LWIP_USE_EXTERNAL_MBEDTLS: Use external mbed TLS library for crypto implementation used in PPP AUTH
+ */
+#ifdef CONFIG_LWIP_USE_EXTERNAL_MBEDTLS
+#define LWIP_USE_EXTERNAL_MBEDTLS 1
+#else
+#define LWIP_USE_EXTERNAL_MBEDTLS 0
+#endif
+
 /*
    --------------------------------------
    ---------- Checksum options ----------