In this config guide, we will look at how to establish a Site-to-Site IPsec VPN between two MikroTik routers.


Prerequisites: each router can ping its neighbour's public-facing IP address (or has a route to reach it).

Firstly, let's set up some firewall rules so that each LAN can communicate with the other:

In this example, Workstation1 wants to communicate with Workstation3 via the IPsec tunnel. With the default masquerade NAT rule present, this would not be successful.

To rectify this, we will add a simple accept rule and place it before our default NAT masquerade rule:

Office1 Router

/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=10.1.202.0/24 dst-address=10.1.101.0/24

Office2 Router

/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=10.1.101.0/24 dst-address=10.1.202.0/24

This will stop packets destined for the IPsec tunnel from having their source address translated by masquerade before the IPsec policy is evaluated (a masqueraded source no longer matches the policy selector). place-before=0 puts the accept rule at the top of the srcnat chain, and the Office2 rule uses the mirror of Office1's subnets, since each router's srcnat chain sees traffic leaving its own LAN.
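To make the ordering point concrete, here is an added example (not code from the page or from MikroTik) that walks a srcnat chain first-match, exactly as the three situations play out on Office1: masquerade only, the accept rule placed before masquerade with place-before=0, and the accept rule appended after masquerade. The packet addresses, the ether1 WAN interface and the default masquerade rule are constructed assumptions; the evaluator only models the matchers these rules use.

```python
"""First-match walk of a RouterOS srcnat chain, showing why the IPsec accept
rule must sit before masquerade (place-before=0).
Added example: not code from the page or from MikroTik. The packet addresses,
the ether1 WAN interface and the default masquerade rule are constructed
assumptions; the evaluator models only the matchers used in these rules."""
import ipaddress

OFFICE1_LAN, OFFICE2_LAN = "10.1.202.0/24", "10.1.101.0/24"
OFFICE1_WAN = "192.168.90.1"  # Office1 public address, as on the page

# Typical default NAT rule (constructed) and the page's accept rule for Office1.
MASQ = "add chain=srcnat action=masquerade out-interface=ether1"
ACCEPT = ("add chain=srcnat action=accept place-before=0 "
          "src-address=10.1.202.0/24 dst-address=10.1.101.0/24")


def parse_rule(line):
    """'add chain=srcnat action=accept src-address=...' -> dict of matchers."""
    parts = line.split()
    assert parts[0] == "add", line
    return dict(p.split("=", 1) for p in parts[1:])


def add_rule(chain, line):
    """Honour place-before=N as the CLI does: insert at position N, else append."""
    rule = parse_rule(line)
    pos = rule.pop("place-before", None)
    if pos is None:
        chain.append(rule)
    else:
        chain.insert(int(pos), rule)
    return chain


def matches(rule, src, dst, out_iface):
    """Address and interface matchers; a matcher that is absent always matches."""
    for key, addr in (("src-address", src), ("dst-address", dst)):
        if key in rule and ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[key]):
            return False
    return rule.get("out-interface", out_iface) == out_iface


def run_srcnat(chain, src, dst, wan_ip, out_iface="ether1"):
    """Return the source address the packet leaves with. The first matching
    terminating rule (accept or masquerade) decides, as in RouterOS."""
    for rule in chain:
        if rule.get("chain") != "srcnat" or not matches(rule, src, dst, out_iface):
            continue
        if rule["action"] == "accept":
            return src        # NAT left untouched
        if rule["action"] == "masquerade":
            return wan_ip     # source rewritten to the WAN address
    return src


def policy_selects(src, dst):
    """Would Office1's IPsec policy (10.1.202.0/24 -> 10.1.101.0/24) select the packet?
    RouterOS consults the policy after srcnat, so a masqueraded source no longer matches."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(OFFICE1_LAN)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(OFFICE2_LAN))


def outcome(chain, src="10.1.202.10", dst="10.1.101.20"):
    """(source address after srcnat, whether the IPsec policy still selects it)."""
    new_src = run_srcnat(chain, src, dst, OFFICE1_WAN)
    return new_src, policy_selects(new_src, dst)


def demo():
    only_masq = add_rule([], MASQ)
    fixed = add_rule(add_rule([], MASQ), ACCEPT)  # accept inserted at index 0
    appended = add_rule(add_rule([], MASQ), ACCEPT.replace(" place-before=0", ""))
    return {"masquerade only": outcome(only_masq),
            "accept before masquerade": outcome(fixed),
            "accept appended after masquerade": outcome(appended)}


if __name__ == "__main__":
    for label, (leaves_as, selected) in demo().items():
        print(f"{label:34s} leaves as {leaves_as:14s} policy matches: {selected}")
```

Only the chain with the accept rule at index 0 keeps the LAN source address intact; with masquerade alone, or with the accept rule added without place-before (so it lands after masquerade), the packet leaves as 192.168.90.1 and the policy never selects it.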


Another issue we may encounter after configuring our IPsec tunnel is Fasttrack. Fasttrack bypasses IPsec policies, so we need to create explicit accept rules and place them before the Fasttrack rule in the firewall filter of each router:

/ip firewall filter
add chain=forward action=accept place-before=1 \
    src-address=10.1.101.0/24 dst-address=10.1.202.0/24 \
    connection-state=established,related
add chain=forward action=accept place-before=1 \
    src-address=10.1.202.0/24 dst-address=10.1.101.0/24 \
    connection-state=established,related

These rules add significant CPU load when there are many tunnels carrying significant traffic. The solution is to use the RAW firewall table instead: marking the tunnel traffic as notrack bypasses connection tracking (and therefore Fasttrack), which eliminates the need for the filter rules listed above. Note that untracked packets are also invisible to NAT and to connection-state matchers such as established,related, so the forward chain must still accept untracked traffic.

/ip firewall raw
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24

Now we can get to the main event: configuring the IPsec tunnel itself.

First, we need to specify our remote peer, authentication method and secret. This is the bare minimum required to establish a Site-to-Site IPsec VPN, but more parameters can be adjusted if required. In this example, we will use a pre-shared key of "test", which is inadvisable in real-world deployments. (On RouterOS 6.45 and later, the auth-method and secret are configured under /ip ipsec identity rather than on the peer.)

Office1 Router

/ip ipsec peer
add address=192.168.80.1/32 auth-method=pre-shared-key secret="test"

Office2 Router

/ip ipsec peer
add address=192.168.90.1/32 auth-method=pre-shared-key secret="test"

For IPsec VPN tunnels to negotiate successfully, the proposal (encryption and authentication algorithms, lifetime and PFS group) must match on both sides. For this particular example, we will use the default proposal on both routers, which ensures a successful connection.

We will now create an IPsec policy on each router and link it to the proposal:

Office1 Router

/ip ipsec policy
add src-address=10.1.202.0/24 src-port=any dst-address=10.1.101.0/24 dst-port=any \
    sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 tunnel=yes \
    action=encrypt proposal=default

Office2 Router

/ip ipsec policy
add src-address=10.1.101.0/24 src-port=any dst-address=10.1.202.0/24 dst-port=any \
    sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 tunnel=yes \
    action=encrypt proposal=default
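The two routers have to mirror each other exactly: the policy selectors and SA addresses swap sides, each peer address must equal the local policy's sa-dst-address, the proposal names must agree, and the NAT accept rule must cover the same subnets as the local policy. A copy-paste slip in any of these silently breaks one direction of the tunnel. The following added example (not code from the page or from MikroTik) parses the export-style snippets used in this guide and checks those relationships for both routers; the Office1 and Office2 text is the page's own configuration, OFFICE2_SLIP is a constructed mistake where Office2's NAT rule reuses Office1's subnets, and the set of checks is this example's own assumption about what a consistent pair looks like.

```python
"""Consistency check for a pair of RouterOS site-to-site IPsec configurations.
Added example: not code from the page or from MikroTik. It parses the
'/menu' + 'add key=value ...' style used on the page, then checks that the
two routers mirror each other. OFFICE1/OFFICE2 are the page's configuration;
OFFICE2_SLIP is a constructed copy-paste mistake."""

OFFICE1 = r"""
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=10.1.202.0/24 dst-address=10.1.101.0/24
/ip ipsec peer
add address=192.168.80.1/32 auth-method=pre-shared-key secret="test"
/ip ipsec policy
add src-address=10.1.202.0/24 src-port=any dst-address=10.1.101.0/24 dst-port=any \
    sa-src-address=192.168.90.1 sa-dst-address=192.168.80.1 tunnel=yes \
    action=encrypt proposal=default
"""

OFFICE2 = r"""
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=10.1.101.0/24 dst-address=10.1.202.0/24
/ip ipsec peer
add address=192.168.90.1/32 auth-method=pre-shared-key secret="test"
/ip ipsec policy
add src-address=10.1.101.0/24 src-port=any dst-address=10.1.202.0/24 dst-port=any \
    sa-src-address=192.168.80.1 sa-dst-address=192.168.90.1 tunnel=yes \
    action=encrypt proposal=default
"""

# Constructed slip: Office2's NAT accept rule copied verbatim from Office1.
OFFICE2_SLIP = OFFICE2.replace("src-address=10.1.101.0/24 dst-address=10.1.202.0/24",
                               "src-address=10.1.202.0/24 dst-address=10.1.101.0/24", 1)


def parse_config(text):
    """Return {menu: [rule, ...]}, each rule a dict of key=value pairs.
    Lines ending in a backslash are joined with the next line, as the CLI does."""
    menus, menu, pending = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        parts = " ".join(pending + [line]).split()
        pending = []
        if parts[0] == "add":
            menus[menu].append(dict(p.split("=", 1) for p in parts[1:]))
    return menus


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Return a list of human-readable problems; an empty list means the pair is consistent."""
    problems = []
    for name, me, other in ((name_a, cfg_a, cfg_b), (name_b, cfg_b, cfg_a)):
        pol, opol = me["/ip ipsec policy"][0], other["/ip ipsec policy"][0]
        peer_ip = me["/ip ipsec peer"][0]["address"].split("/")[0]
        if peer_ip != pol["sa-dst-address"]:
            problems.append(f"{name}: peer address {peer_ip} is not the policy's sa-dst-address")
        if (pol["src-address"], pol["dst-address"]) != (opol["dst-address"], opol["src-address"]):
            problems.append(f"{name}: policy selectors do not mirror the remote policy")
        if (pol["sa-src-address"], pol["sa-dst-address"]) != (opol["sa-dst-address"], opol["sa-src-address"]):
            problems.append(f"{name}: SA addresses do not mirror the remote policy")
        if pol.get("proposal") != opol.get("proposal"):
            problems.append(f"{name}: proposal name differs from the remote")
        for nat in me.get("/ip firewall nat", []):
            if nat.get("action") != "accept":
                continue
            if (nat.get("src-address"), nat.get("dst-address")) != (pol["src-address"], pol["dst-address"]):
                problems.append(f"{name}: NAT accept rule {nat.get('src-address')} -> {nat.get('dst-address')} "
                                f"does not cover policy {pol['src-address']} -> {pol['dst-address']}")
    return problems


if __name__ == "__main__":
    for label, office2 in (("page config", OFFICE2), ("constructed slip", OFFICE2_SLIP)):
        found = check_pair("Office1", parse_config(OFFICE1), "Office2", parse_config(office2))
        print(f"{label}: {found or 'consistent'}")
```

Run against the page's configuration the checker reports nothing; against the slip it reports that Office2's NAT accept rule does not cover Office2's policy selectors, which is precisely the case where traffic from 10.1.101.0/24 would be masqueraded and never enter the tunnel.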


You should now have a functional IPsec VPN tunnel.

To verify, issue the following commands:

/ip ipsec
remote-peers print
installed-sa print

You should see that the peer is established and that each router has created two Security Associations (one for each direction of traffic).