IPsec Site to Site VPN Mikrotik Setup- HOW TO by Travis Kenner
This is going to be a shotgun setup example. I do not show how to setup Clients or DHCP servers on each Mikrotik for the LANs. This is just and example of setting up the IPsec so you may have to fill in the blanks. Hopefully this is enough to fill in the gaps with for an IPsec connection to make a Mikrotik Site to Site IPsec VPN Tunnel.
PLEASE NOTE: For any configuration examples please visit the Mikrotik Forums for help and support. There are some really knowledgeable people on the forums who will be able to help you with your individual setups.
PLEASE NOTE: You need NAT bypass rules for the IPsec negotiation. I will be updating the pictures to help more with visual clues and setup help. Also I will be clearing up any mistakes I have made in IP addresses or any other technical mistakes as well as putting pictures back in for IPsec Peer examples.
2 Rb750GL Mikrotik with Router OS 6.0rc11
Server Side Mikrotik Setup:
Setup IPSEC Firewall Rules to let IPSEC traffic through.
Setup a route from the Server to the Client Subnets
/ip route add comment=IPsec Traffic to Client disabled=no distance=1 dst-address=172.16.20.0/24 gateway=172.16.30.5 scope=30 target-scope=10 (Destination is the Clients Subnet and Gateway here is the Clients side address).
Setup DHCP Server POOL and Network for 172.16.30.0/24 if you want for LAN devices.
Don’t forget to create your NAT Masquerade for your 172.16.30.0/24 Subnet devices.
Server Side Mikrotik IP Setup:
NOTE: WAN Address are FAKE yours will vary.
Server Side Mikrotik Routes:
Server Side Mikrotik IPsec Policy:
Src Address: The Server Mikrotik LAN 172.16.30.0/24 Subnet
Dst Address: The Client Mikrotik LAN 172.16.20.0/24 Subnet
SA Src Address: The Server MIkrotik WAN Address 188.8.131.52
SA Dst Address: The Clients Mikrotik WAN Address 184.108.40.206
For Proposal: Use default I setup my own proposal and called it Site2Site as I was using AES 256 and modp 4096 and didnt want to change the default setup proposal.
Server Side Mikrotik IPsec Peer Setup:
NOTE: The “Address” is the Client Side Mikrotik WAN Address: 220.127.116.11
I also used
Server Side Mikrotik IPsec Proposal:
NOTE: Also here you can use just AES 256 enc. and modp 4096 as long as it is the same on the client side.
Client Side Mikrotik Setup:
Client Mikrotik IP Address:
Don’t forget to create your NAT Masquerade for your 172.16.20.0/24 clients.
Client Side Mikrotik IPsec Proposal:
Client Side Mikrotik IPsec Peer:
Note: Now your Peer Address is the Servers Mikrotik WAN IP: 18.104.22.168
Client Side Mikrotik IPsec Policy:
Reverse addresses as we are now on the client and not server side.
NOTE: Again use default Proposal as I used my own named Site2Site.
IPSec Policy Client Side Summary:
Src Address: 172.16.20.0/24 Client Mikrotik LAN Subnet
Dst Address: 172.16.30.0/24 Server Mikrotik LAN Subnet
SA Src Address: Client Mikrotik WAN Address 22.214.171.124
SA Dst Address: Server Mikrotik WAN Address 126.96.36.199
NOW create a route to the server
/ip route add comment=IPsec Traffic to Server disabled=no distance=1 dst-address=172.16.30.0/24 gateway=172.16.30.1 scope=30 target-scope=10 (Destination is the Servers Subnet and Gateway here is the Servers sides LAN address!!!)
NOTE: You need to create NAT bypass rules for your IPsec negotiation and traffic flow
/ip firewall nat add chain=srcnat action=accept place-before=0 \ src-address=172.16.20.0/24 dst-address=172.16.30.0/24
/ip firewall nat add chain=srcnat action=accept place-before=0 \ src-address=172.16.30.0/24 dst-address=172.16.20.0/24
These rules are important as it will allow the traffic and connection to establish and stay. Make sure these NAT rules are at the top of your NAT lists on both server and client side.
Now create some traffic so that the IPsec will kick in and now the IPsec tunnel data should be encrypted such as pinging a machine from client side to server side.
Look at your IPsec “Installed SAs” TAB under IP | IPsec – on both Server and Client to view the keys and verify establishment. The “Current Bytes” under Installed SAs should be slowly climbing or incrementing if your IPsec tunnel has activity.
Congratulations you now have an IPsec Tunnel and are encrypting your traffic using IPsec with either 3DES or AES 256.
To get connection if changing settings make sure to FLUSH your the IPsec under Installed SAs TAB as sometimes this is needed. This may disconnect the server side or client side for a moment depending which side you are on. If the IPsec PEER and IPsec proposals mismatch on either side then your tunnel will go down. Also not having the NAT by pass rules will cause one side not to be able to reconnect after a FLUSH so make sure they are implemented.
I hope you enjoyed my Post on Mikrotik Site to Site IPsec setup.
Please leave a comment if you find a technical mistake that needs correction or updating.