MikroTik Site-to-Site IPsec Tunnel

[Andy]

Easy Guide on how to setup MikroTik Site-to-Site IPsec Tunnel

Update 22/06/2020: If you're using RouterOS v6.45 or above, please click here for the updated guide.

If one of MikroTik’s WAN IP address is dynamic, set up the router as the initiator (i.e. dial-out)

If you are working from WAN, don’t forget to enable Safe Mode.

Let’s go to Winbox -> IP -> IPsec -> Proposals, and this is the IPsec proposal I usually use:

It compatible with DrayTek Routers as well, see the picture below:

IPsec Policy

Let’s go to IP -> IPsec -> on Policies, click on + and on the Action tab, fill in the following:

<tick> Tunnel if it’s not ticked.
SA Src. Address: <WAN IP Address of this MikroTik> (this can be blanked, if this MikroTik has dynamic WAN IP address)
SA Dst. Address: <WAN IP Address of the other MikroTik>
Proposal: Select the proposal we created before (i.e. proposal-younameit)

Then click on General tab, and fill with the following:

Src. Address: <Internal LAN IP of this MikroTik>
Dst. Address: <Internal LAN IP of the other side>
<untick> Template if it’s ticked.

IPsec Peers
Now let’s go to peers tab to setup the other phase:

If the initiator has dynamic WAN IP, set Generate Policy = port strict on the responder side. Port strict will generate policies and use ports from the peer’s proposal, which should match the peer’s policy. This is also useful when remote peer’s IP address is unknown at the configuration time, basically allowing the peer to establish SA for non-existing policies.

Setup the same (just reverse the SRC/DST) on the other side of the tunnel, if your tunnel works, you will see on IPsec -> Installed SAs.

Last but not least, we need to setup a Firewall NAT rule that allows LAN IP in our MikroTik goes through the tunnel:

Instead of filling the LAN IP, the below Src. Address & Dst. Address please fill with network IP, for example: Src. 1.0.0.0/27 to Dst. 192.168.8.0/24

On the Action tab, set Action: accept.

Click Apply then OK and put this rule above the masquerade srcnat rule.

I hope this guide works for you, but if you have any question or comment please don’t hesitate to write down below, and I would happy to respond

 

[mariusbrouwe]

I had an IPsec tunnel working in the past but for some reason it doesn't work anymore. Can't really recall if anything has changed except for maybe the firmware version, but both ends now run 6.44. I am not able to ping from site1 to site2. The tunnel is up and I can see the amount of bytes increasing as I try to ping from site1 to site2 on both the IP -> IPsec -> Installed SA and IP -> Firewall -> Filter Rules -> accept out ipsec policy counters. Any idea why this isn't working?

 

[Andy]

@mariusbrouwe:
There is a known issue with RouterOS version 6.44, MikroTik staff confirmed that it will be fixed in the next version (ROS v6.44.1). For the meantime, I'd suggest downgrading to your last working ROS version, or switch to long-term update channel. Cheers.

Update:
I just checked MikroTik official and they have released RouterOS v6.44.1:

What's new in 6.44.1 (2019-Mar-13 08:38):

Changes in this release:

*) ...
*) ipsec - allow identities with empty XAuth login and password if RADIUS is enabled (introduced in v6.44);
*) ipsec - fixed dynamic L2TP peer and identity configuration missing after reboot (introduced in v6.44);
*) ipsec - use "remote-id=ignore" for dynamic L2TP configuration (introduced in v6.44);
*) ...

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

Quite numbers of IPsec fixes, try upgrading to v6.44.1 and see if it solve your issue

 

[TemplarLord]

Hi Andy,

great and easy to follow tutorial for IPsec for MikroTik/RouterOS devices.
I followed everything and have a working IPsec tunnel. Unfortunately both of my sites have dynamic IP addresses, so the tunnel only works while the site has the same public IP address until it changes.
As I see it, the only issue is that you can't specify a hostname in the sa-dst-address field in IPsec policy.
Can you give me some guideance?

Thanks,
Mario

 

[Andy]

Hi Andy,

great and easy to follow tutorial for IPsec for MikroTik/RouterOS devices.
I followed everything and have a working IPsec tunnel. Unfortunately both of my sites have dynamic IP addresses, so the tunnel only works while the site has the same public IP address until it changes.
As I see it, the only issue is that you can't specify a hostname in the sa-dst-address field in IPsec policy.
Can you give me some guideance?

Thanks,
Mario

Hi Mario, is yours a site-to-site IPsec or a dial-in VPN on demand?

 

[mariusbrouwe]

I installed update 6.44.1 but that didn't solve anything... I then decided to downgrade to 6.42.12 (long-term), but unfortunately that didn't help either. The PH2 State is established but the SPI byte counter is only counting on site1 when pinging from site1 to site2. Any additional thoughts?

 

[Andy]

I installed update 6.44.1 but that didn't solve anything... I then decided to downgrade to 6.42.12 (long-term), but unfortunately that didn't help either. The PH2 State is established but the SPI byte counter is only counting on site1 when pinging from site1 to site2. Any additional thoughts?

Remove your IPsec phase 2 rule and set port-override on your phase 1 configuration, that should fix the issue

 

[TemplarLord]

Hi Mario, is yours a site-to-site IPsec or a dial-in VPN on demand?

We're talking about a site-to-site IPsec VPN.

 

[Andy]

We're talking about a site-to-site IPsec VPN.

Same with above, try removing your IPsec phase 2 rule and set port-override. Then go to your phase 1 configuration, fill the SA Src. Address with 0.0.0.0

 

[egads]

Hi Andy, could you help update the method for 6.44.6? It seems they have removed the Advanced and Encryption options in IPsec Peers menu.

Also, what do you mean by this one:
"If one of MikroTik’s WAN IP address is dynamic, set up that router as the initiator (i.e. dial-out)"
I thought for IPsec tunnel, there are no dial-out? Set up the correct ip address for both sides, then it will automatically establish?

 

[Andy]

Hi Andy, could you help update the method for 6.44.6? It seems they have removed the Advanced and Encryption options in IPsec Peers menu.

Also, what do you mean by this one:
"If one of MikroTik’s WAN IP address is dynamic, set up the router as the initiator (i.e. dial-out)"
I thought for IPsec tunnel, there are no dial-out? Set up the correct ip address for both sides, then it will automatically establish?

Hi @egads,

I think v6.44.6 still using the same way with 6.44.1 -- have you tried my answer to @mariusbrouwe and @TemplarLord?

Can you elaborate more about your issue?

Regarding your second question, in MikroTik site-to-site IPsec, there's no initiator or receiver, so if the other end's router is a non-MikroTik one, set that router as the initiator.
In other hand if both end router is MikroTik, as long as the phase 1 and phase 2 matches, the IPsec tunnel will be established.

 

[egads]

It's these. When adding a new peer, these things are not present.
But I think I found it, did they move it to IPsec > profile and IPsec > identity?

Understood regarding the second question.

One question though, let's say site A has a dynamic IP, and site B has a static IP. What should be put into the IPsec>Policy, SA dst address in site B? Because a DDNS name is not accepted by mikrotik. Should it be just 0.0.0.0/0?

 

[Andy]

View attachment 144

It's these. When adding a new peer, these things are not present.
But I think I found it, did they move it to IPsec > profile and IPsec > identity?

Understood regarding the second question.

One question though, let's say site A has a dynamic IP, and site B has a static IP. What should be put into the IPsec>Policy, SA dst address in site B? Because a DDNS name is not accepted by mikrotik. Should it be just 0.0.0.0/0?

Excellent pick up you got there, just checked mine, and you're right. They moved to the IPsec -> Identities tab now, check the screenshot below for your reference:

Regarding your second question, that's also correct, putting 0.0.0.0/0 on the SA dst address means the router will accept all connection regardless of their IP address.

100 points for you @egads

 

[egads]

Thanks for checking, it does indeed work like that now.

No dice i'm afraid on the 0.0.0.0 on the SA dst address. A warning sign pops up saying that it expects an IP address.

 

[Andy]

Is that on the Policies tab or Peers tab?
The Peers tab describes your other end's WAN IP
While the Policies tab describes your other end's LAN IP

If you want to accept all IPs, you can try using:

::/0

 

[egads]

It's the Policies tab:

Putting in ::/0 does the same thing. Funny thing is, the template has 0.0.0.0 and it will accept it. Problem is, if Template is selected, the Tunnel option is gone. I guess I need to resort to scripts or find another way for dynamic ip site-to-site.

 

[Andy]

Have you defined the other end's LAN network?
Your Winbox layout is a bit different than mine, are you using the latest Winbox version (I'm currently using v3.21-x64)

And here's one of my established IPsec -> Policies tab:

On the IPsec -> Peers tab, you can fill with ::/0 if you want to accept all IPsec connection regardless their source IP address.

 

[egads]

I found the issue, I'm still on 6.44.6 long term, and it seems on the latest 6.45.8, they changed the concept. I'm a bit worried about touching a running system, so I always held back on updating.

Now the SA addresses are pulled from the peer, not defined in the policy itself. Since the peer accepts a DDNS addres, this should work (haven't tested though).

I hope they communicated concept changes in a separate changelog, and according to the separate packages .

 

[Andy]

Hi @egads,

Most of our core routers are still on v6.44.5 and v6.44.6 too. We haven't found any reason to upgrade them at this point.

Only some of our client routers have upgraded to v6.45.8

If the peer accepts DDNS address, I think that's good because previously we'd need to specify an IP address (which can be problematic if the other's end has a dynamic IP) making us need to accept all IP address which is a 0.0.0.0/0 or ::/0

As of today, the latest version on the long-term tree is v6.45.8

You can check the changelogs here:

MikroTik

MikroTik makes networking hardware and software, which is used in nearly all countries of the world. Our mission is to make existing Internet technologies faster, more powerful and affordable to wider range of users.

mikrotik.com

Cheers

 

[egads]

Thanks Andy, I can confirm that using a DDNS name works in Peers, in version 6.45.8.

Though I observe that in the log, sometimes the responder will terminate the connection for some reason, thus needing to re-establish the tunnel.