Mikrotik… need I say More?

Mikrotik IPsec Site to Site VPN – HOW TO

March 10, 2013

IPsec Site to Site VPN Mikrotik Setup - HOW TO, by Travis Kenner

This is going to be a shotgun setup example. I do not show how to set up clients or DHCP servers on each Mikrotik for the LANs; this is just an example of setting up the IPsec, so you may have to fill in the blanks. Hopefully it is enough to fill in the gaps and get a Mikrotik site-to-site IPsec VPN tunnel working.
Enjoy 🙂


PLEASE NOTE: For any configuration examples please visit the Mikrotik Forums for help and support. There are some really knowledgeable people on the forums who will be able to help you with your individual setups.

PLEASE NOTE: You need NAT bypass rules for the IPsec negotiation. I will be updating the pictures to help more with visual clues and setup help. Also I will be clearing up any mistakes I have made in IP addresses or any other technical mistakes as well as putting pictures back in for IPsec Peer examples.

Hardware used: 2 x RB750GL MikroTik routers running RouterOS 6.0rc11


Server Side Mikrotik Setup:



Set up IPsec firewall rules to let IPsec traffic through.
Set up a route from the server to the client subnets:
/ip route add comment="IPsec Traffic to Client" disabled=no distance=1 dst-address= gateway= scope=30 target-scope=10
(Destination is the client's subnet, and the gateway here is the client side address.)

Set up a DHCP server pool and network if you want them for your LAN devices.
Don't forget to create your NAT masquerade for your subnet devices.

Server Side Mikrotik IP Setup:
NOTE: The WAN addresses are fake; yours will vary.


Server Side Mikrotik Routes:


Server Side Mikrotik IPsec Policy:



Src Address: The Server Mikrotik LAN Subnet
Dst Address: The Client Mikrotik LAN Subnet


SA Src Address: The Server Mikrotik WAN Address
SA Dst Address: The Client Mikrotik WAN Address
Proposal: Use the default. I set up my own proposal, called Site2Site, because I was using AES 256 and modp 4096 and did not want to change the default proposal.


Server Side Mikrotik IPsec Peer Setup:



NOTE: The “Address” is the Client Side Mikrotik WAN Address:
I also used

Server Side Mikrotik IPsec Proposal:

NOTE: You can use 3DES and modp 1024; I used AES 256 and modp 4096 on both IPsec peers, client and server.


NOTE: Here too you can use just AES 256 encryption and modp 4096, as long as the settings are the same on the client side.

Client Side Mikrotik Setup:
Client Mikrotik IP Address:


Don’t forget to create your NAT Masquerade for your clients.

Client Side Mikrotik IPsec Proposal:

NOTE: The above picture is for reference only. You may use 3DES for encryption and PFS group modp 1024, but again I used AES 256 and modp 4096.


Client Side Mikrotik IPsec Peer:
NOTE: Now your peer address is the server's Mikrotik WAN IP:


Client Side Mikrotik IPsec Policy:
Reverse addresses as we are now on the client and not server side.




NOTE: Again, use the default proposal unless you created your own; I used my own, named Site2Site.

IPSec Policy Client Side Summary:
Src Address: Client Mikrotik LAN Subnet
Dst Address: Server Mikrotik LAN Subnet

SA Src Address: Client Mikrotik WAN Address
SA Dst Address: Server Mikrotik WAN Address

NOW create a route to the server:
/ip route add comment="IPsec Traffic to Server" disabled=no distance=1 dst-address= gateway= scope=30 target-scope=10
(Destination is the server's subnet, and the gateway here is the server side's LAN address!!!)


NOTE: You need to create NAT bypass rules for your IPsec negotiation and traffic flow.

Client Side:
/ip firewall nat add chain=srcnat action=accept place-before=0 src-address= dst-address=

Server Side:
/ip firewall nat add chain=srcnat action=accept place-before=0 src-address= dst-address=

These rules are important, as they allow the traffic and connection to establish and stay up. Make sure these NAT rules are at the top of your NAT lists on both the server and client side.


Now create some traffic, such as pinging a machine on the server side from the client side, so that IPsec kicks in; the tunnel data should now be encrypted.

Look at the "Installed SAs" tab under IP | IPsec on both the server and the client to view the keys and verify establishment. The "Current Bytes" counter under Installed SAs should be slowly climbing if your IPsec tunnel has activity.

Congratulations you now have an IPsec Tunnel and are encrypting your traffic using IPsec with either 3DES or AES 256.


If you change settings, flush the IPsec SAs under the Installed SAs tab to get the connection back, as this is sometimes needed. This may disconnect the server side or client side for a moment, depending on which side you are on. If the IPsec peer and IPsec proposal settings mismatch on either side, your tunnel will go down. Also, not having the NAT bypass rules will cause one side to be unable to reconnect after a flush, so make sure they are implemented.
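The whole procedure above, server side and client side, as one RouterOS CLI script. This is an added example, not Travis's own export; it uses constructed addresses from the documentation ranges (server WAN 192.0.2.1 with LAN 10.10.1.0/24, client WAN 198.51.100.1 with LAN 10.10.2.0/24), a placeholder pre-shared key, ether1 as the WAN interface, and the 6.0-era IPsec syntax the post was written against (later RouterOS 6.x releases moved the peer's phase 1 settings into /ip ipsec profile). The input-chain filter rules for IKE and ESP are my addition for the "firewall rules to let IPsec traffic through" step, which the post mentions but does not show; the route's gateway (the remote WAN address, recursively resolved with the post's scope=30 target-scope=10) is my reading of the elided values.

```routeros
# Added example (not the post's own config). Constructed addresses:
#   Server: WAN 192.0.2.1,    LAN 10.10.1.0/24 (router 10.10.1.1)
#   Client: WAN 198.51.100.1, LAN 10.10.2.0/24 (router 10.10.2.1)
# Replace CHANGE-ME-PSK with a long random pre-shared key, identical on both sides.

# ---------------- SERVER side ----------------
# 1. Phase 2 proposal: AES-256 + SHA1 with PFS modp4096, as the post uses.
/ip ipsec proposal add name=Site2Site auth-algorithms=sha1 \
    enc-algorithms=aes-256-cbc pfs-group=modp4096 lifetime=30m

# 2. Phase 1 peer: address is the CLIENT's WAN address. Encryption, hash and
#    DH group must match the client's peer entry or the tunnel will not come up.
/ip ipsec peer add address=198.51.100.1/32 auth-method=pre-shared-key \
    secret="CHANGE-ME-PSK" exchange-mode=main enc-algorithm=aes-256 \
    hash-algorithm=sha1 dh-group=modp4096 nat-traversal=no send-initial-contact=yes

# 3. Policy: LAN-to-LAN selector; the SA endpoints are the two WAN addresses.
/ip ipsec policy add src-address=10.10.1.0/24 dst-address=10.10.2.0/24 \
    sa-src-address=192.0.2.1 sa-dst-address=198.51.100.1 \
    tunnel=yes action=encrypt level=require proposal=Site2Site

# 4. NAT bypass FIRST (place-before=0): LAN-to-remote-LAN traffic must not be
#    masqueraded, otherwise the policy selector never matches and nothing is encrypted.
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=10.10.1.0/24 dst-address=10.10.2.0/24 comment="IPsec bypass"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1 \
    comment="LAN to internet"

# 5. Let IKE (UDP 500, UDP 4500 for NAT-T) and ESP in from the peer only.
#    Place these above any drop rule in the input chain.
/ip firewall filter add chain=input action=accept src-address=198.51.100.1 \
    protocol=udp dst-port=500,4500 comment="IKE from client"
/ip firewall filter add chain=input action=accept src-address=198.51.100.1 \
    protocol=ipsec-esp comment="ESP from client"

# 6. Route to the remote LAN, recursively resolved via the remote WAN address
#    (assumption; scope/target-scope as in the post).
/ip route add dst-address=10.10.2.0/24 gateway=198.51.100.1 \
    scope=30 target-scope=10 comment="IPsec Traffic to Client"

# ---------------- CLIENT side (mirror image: only the addresses swap) ----------------
/ip ipsec proposal add name=Site2Site auth-algorithms=sha1 \
    enc-algorithms=aes-256-cbc pfs-group=modp4096 lifetime=30m
/ip ipsec peer add address=192.0.2.1/32 auth-method=pre-shared-key \
    secret="CHANGE-ME-PSK" exchange-mode=main enc-algorithm=aes-256 \
    hash-algorithm=sha1 dh-group=modp4096 nat-traversal=no send-initial-contact=yes
/ip ipsec policy add src-address=10.10.2.0/24 dst-address=10.10.1.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=192.0.2.1 \
    tunnel=yes action=encrypt level=require proposal=Site2Site
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=10.10.2.0/24 dst-address=10.10.1.0/24 comment="IPsec bypass"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1 \
    comment="LAN to internet"
/ip firewall filter add chain=input action=accept src-address=192.0.2.1 \
    protocol=udp dst-port=500,4500 comment="IKE from server"
/ip firewall filter add chain=input action=accept src-address=192.0.2.1 \
    protocol=ipsec-esp comment="ESP from server"
/ip route add dst-address=10.10.1.0/24 gateway=192.0.2.1 \
    scope=30 target-scope=10 comment="IPsec Traffic to Server"

# ---------------- Verify (run on the client) ----------------
# Source the ping from the LAN address so it matches the LAN-to-LAN policy;
# a ping sourced from the WAN address would bypass the tunnel entirely.
/ping 10.10.1.1 src-address=10.10.2.1 count=5
# Phase 1 state and phase 2 SAs; "current-bytes" should climb while pinging.
# (remote-peers is named active-peers on later 6.x releases.)
/ip ipsec remote-peers print
/ip ipsec installed-sa print
# Only after changing peer/proposal/policy settings: drop the SAs so the sides renegotiate.
/ip ipsec installed-sa flush
```

The two halves differ only in which address is local and which is remote; everything that must agree (proposal algorithms, PFS group, peer exchange mode, hash, DH group, PSK) is written identically on both sides, which is exactly the mismatch the post warns takes the tunnel down. The bypass rule sits at position 0 so it is evaluated before the masquerade rule regardless of what else is already in srcnat.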


I hope you enjoyed my Post on Mikrotik Site to Site IPsec setup.

Please leave a comment if you find a technical mistake that needs correction or updating.


Travis Kenner

August 31, 2016 at 1:22 pm

Setup a route from the Server to the Client Subnets
/ip route add comment=IPsec Traffic to Client disabled=no distance=1 dst-address= gateway= scope=30 target-scope=10 (Destination is the Clients Subnet and Gateway here is the Clients side address).

Is there a mistake? should it be gateway= instead?

December 1, 2014 at 9:54 am

Hello Travis,
I did all the things like in your tutorial but I can't ping any LAN (client & server). Could you help me please?

April 1, 2014 at 8:11 am

Thanks for this excellent document……….see more example http://mikrotikroutersetup.blogspot.com

February 20, 2014 at 7:18 am

Dear Travis

Thanks for this excellent document; however, after doing every step, I see no traffic between my routers. Do I have to create a rule in the firewall to allow incoming IPsec connections?

Maybe I have to create the port in order to use it?

Thanks in advance.


    February 20, 2014 at 2:02 pm

    Hi Oscar
    Sorry I am not able to answer your questions right now. I am super busy at work. If you go to the mikrotik forums there are some really knowledgeable people who can help you out.


January 17, 2014 at 3:52 pm

A great article. I could connect Juniper to Mikrotik with IPsec, but I have one big problem: when the tunnel is up, all of the clients in (Mikrotik site) don't have internet, even the Mikrotik. I really don't know how I can resolve it. Please help me!

September 18, 2013 at 7:21 pm

Thank you. this tutorial helped me a lot.

July 15, 2013 at 3:43 am

Thanks Travis for the info, and now I have already succeeded in configuring a site-to-site VPN tunnel for my office 🙂 but now I have another problem (always problems he..he..he..). Do you know how to manage traffic inside the VPN tunnel between two sites? Because right now I have a problem managing all that traffic. Example: someone from site A is copying or FTP downloading some big file from site B, and because of that the connection on both sides slows down, since the FTP uses all the bandwidth I already prepared for that VPN tunnel. So my question is: is it possible to manage another bandwidth management inside the VPN tunnel between two sites, and also it would be good if we can manage the bandwidth based on PORT usage.

I’m so sorry my english just so bad 🙂

    July 18, 2013 at 2:25 pm


    For questions about VPN on Mikrotik please browse to the Mikrotik Forums, where Mikrotik will be able to answer any questions you have.
    Then open the Forums, where they will be able to answer any specific questions.


June 19, 2013 at 8:36 am

If you can get through that little cluster'ish GUI, configuration is quite straightforward :). The question is, is there an easy way with such a configuration to get ALL (web including) traffic through such a tunnel, so the client side can use the server side's internet resources or access resources limited to the server side's IP? In this config all traffic that is intended to goes to the tunnel and everything else to the client side's internet?

    June 21, 2013 at 4:57 am

    Sorry your question / comment is a little confusing.

      June 26, 2013 at 7:42 am

      Yeah. Sorry about it. I will try to clarify a little.
      In the example you provided, traffic that is destined to SERVER ( goes through the created tunnel, but if a CLIENT side user goes to the Internet, such traffic is not tunneled and the user gets an external address, right? Is there a way to get that internet (or any other) traffic tunneled too, so the CLIENT can browse the Internet (or access other web based applications) using the SERVER side's external address?
      If I still messed up my question, please complain and I will try yet again (as you can guess, English is not my 1st language) 🙂

May 4, 2013 at 9:24 am

What if both sides are on the same subnet, for example a 192.168.1.x/24 LAN? I guess I need some kind of secondary network ( & but how to route this?

    May 9, 2013 at 4:25 pm

    I have not come across this personally. If this happens you have a few choices. You can change the subnet on either side to a different subnet. You can treat both sides as one giant subnet and then logically divide the IPs between both sides. Example: Side one is – 100, Side 2 is – 254. You could also put a firewall between the two sides and route all traffic across it. There are lots of ways to do it. For more help I would suggest going to the MikroTik forums and asking there. There are some really smart people in there.

March 19, 2013 at 12:31 am

Thank you so much....
This website really helped me in completing my assignment.
Cool, bro, keep it up ...

    March 19, 2013 at 2:01 am

    No Problem 🙂
    I will be updating this blog, as there is more that needs to be set to make this fully work.
    Keep checking back, as in a few days I will update it with NAT bypass rules for the IPsec negotiation and update the screenshots. I may add the L2TP setup as well on the client side.

