Andy

Administrator
Easy Guide on how to set up a MikroTik Site-to-Site IPsec Tunnel

If one of the MikroTiks' WAN IP addresses is dynamic, set that router up as the initiator (i.e. dial-out).

If you are working from WAN, don’t forget to enable Safe Mode.

Let’s go to Winbox -> IP -> IPsec -> Proposals, and this is the IPsec proposal I usually use:

01.png


It is compatible with DrayTek routers as well; see the picture below:

02.png


IPsec Policy

Let’s go to IP -> IPsec -> Policies, click on + and, on the Action tab, fill in the following:

03.png

<tick> Tunnel if it’s not ticked.
SA Src. Address: <WAN IP Address of this MikroTik> (this can be blanked, if this MikroTik has dynamic WAN IP address)
SA Dst. Address: <WAN IP Address of the other MikroTik>
Proposal: Select the proposal we created before (i.e. proposal-younameit)

Then click on General tab, and fill with the following:

04.png

Src. Address: <Internal LAN IP of this MikroTik>
Dst. Address: <Internal LAN IP of the other side>
<untick> Template if it’s ticked.

IPsec Peers
Now let’s go to the Peers tab to set up the other phase:

05.png

06.png


If the initiator has a dynamic WAN IP, set Generate Policy = port strict on the responder side. Port strict generates policies using the ports from the peer’s proposal, which should match the peer’s policy. This is also useful when the remote peer’s IP address is unknown at configuration time, basically allowing the peer to establish an SA for non-existing policies.

07.png


Set up the same (just reverse the SRC/DST) on the other side of the tunnel; if your tunnel works, you will see it under IPsec -> Installed SAs.

Last but not least, we need to set up a Firewall NAT rule that allows the LAN IPs behind our MikroTik to go through the tunnel:

Instead of filling in a single LAN IP, fill the Src. Address and Dst. Address below with the network addresses, for example: Src. 1.0.0.0/27 to Dst. 192.168.8.0/24

08.png


On the Action tab, set Action: accept.

Click Apply then OK and put this rule above the masquerade srcnat rule.

I hope this guide works for you, but if you have any questions or comments please don’t hesitate to write them down below, and I would be happy to respond 😃👍
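The same setup written out as RouterOS CLI for both routers, as an added example that is not part of Andy's post. The WAN addresses (203.0.113.1, 198.51.100.1), the LANs (192.168.1.0/24, 192.168.8.0/24), the proposal algorithms and the pre-shared key are assumed placeholders, and the syntax is the RouterOS 6.x one from before 6.44 (6.44 and later keep the secret and generate-policy under /ip ipsec identity and the phase-1 algorithms under /ip ipsec profile instead).

```routeros
# ---------- Site A: WAN 203.0.113.1, LAN 192.168.1.0/24 ----------
# Phase 2 proposal; algorithms are assumed and must be identical on both ends
/ip ipsec proposal
add name=proposal-younameit auth-algorithms=sha1 enc-algorithms=aes-256-cbc \
    pfs-group=modp1024 lifetime=30m

# Phase 1 peer: the other router's WAN address and the shared secret
/ip ipsec peer
add address=198.51.100.1/32 auth-method=pre-shared-key \
    secret="CHANGE-ME-long-random-psk" exchange-mode=main \
    hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 \
    nat-traversal=yes generate-policy=no

# Policy: tunnel mode, LAN-to-LAN selector, SA endpoints are the WAN addresses
# (template is left at its default of no, as the guide says to untick it)
/ip ipsec policy
add tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.8.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    proposal=proposal-younameit action=encrypt

# NAT bypass: accept LAN-to-remote-LAN traffic ahead of masquerade, otherwise
# masquerade rewrites the source address and the policy no longer matches.
# place-before=0 puts it at the top; it only needs to be above the masquerade rule.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.8.0/24 \
    action=accept place-before=0 comment="site-to-site IPsec: do not NAT"

# ---------- Site B: WAN 198.51.100.1, LAN 192.168.8.0/24 ----------
# Same proposal name and algorithms; everything else has src/dst swapped
/ip ipsec proposal
add name=proposal-younameit auth-algorithms=sha1 enc-algorithms=aes-256-cbc \
    pfs-group=modp1024 lifetime=30m
/ip ipsec peer
add address=203.0.113.1/32 auth-method=pre-shared-key \
    secret="CHANGE-ME-long-random-psk" exchange-mode=main \
    hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 \
    nat-traversal=yes generate-policy=no
/ip ipsec policy
add tunnel=yes src-address=192.168.8.0/24 dst-address=192.168.1.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    proposal=proposal-younameit action=encrypt
/ip firewall nat
add chain=srcnat src-address=192.168.8.0/24 dst-address=192.168.1.0/24 \
    action=accept place-before=0 comment="site-to-site IPsec: do not NAT"

# Dynamic-WAN variant from the guide (Site B dynamic, Site A static):
#   Site B (initiator): omit sa-src-address from its policy.
#   Site A (responder): peer address=0.0.0.0/0 passive=yes
#                       generate-policy=port-strict instead of the fixed
#                       address, so it waits for Site B to dial in and builds
#                       the policy from the proposal Site B sends.
```

After both sides are applied, a successful tunnel shows up under /ip ipsec installed-sa on each router.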
 

mariusbrouwe

New member
I had an IPsec tunnel working in the past but for some reason it doesn't work anymore. Can't really recall if anything has changed except for maybe the firmware version, but both ends now run 6.44. I am not able to ping from site1 to site2. The tunnel is up and I can see the amount of bytes increasing as I try to ping from site1 to site2 on both the IP -> IPsec -> Installed SA and IP -> Firewall -> Filter Rules -> accept out ipsec policy counters. Any idea why this isn't working?
 

Andy

Administrator
@mariusbrouwe:
There is a known issue with RouterOS version 6.44; MikroTik staff confirmed that it will be fixed in the next version (ROS v6.44.1). In the meantime, I'd suggest downgrading to your last working ROS version, or switching to the long-term update channel. Cheers.

Update:
I just checked MikroTik official and they have released RouterOS v6.44.1:

MikroTik official said:
What's new in 6.44.1 (2019-Mar-13 08:38):

Changes in this release:

*) ...
*) ipsec - allow identities with empty XAuth login and password if RADIUS is enabled (introduced in v6.44);
*) ipsec - fixed dynamic L2TP peer and identity configuration missing after reboot (introduced in v6.44);
*) ipsec - use "remote-id=ignore" for dynamic L2TP configuration (introduced in v6.44);
*) ...

To upgrade, click "Check for updates" at /system package in your RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download
Quite a number of IPsec fixes; try upgrading to v6.44.1 and see if it solves your issue :)
 

TemplarLord

New member
Hi Andy,

Great and easy-to-follow tutorial for IPsec on MikroTik/RouterOS devices.
I followed everything and have a working IPsec tunnel. Unfortunately both of my sites have dynamic IP addresses, so the tunnel only works while the site keeps the same public IP address, until it changes.
As I see it, the only issue is that you can't specify a hostname in the sa-dst-address field in the IPsec policy.
Can you give me some guidance?

Thanks,
Mario
 

Andy

Administrator
Hi Mario, is yours a site-to-site IPsec or a dial-in VPN on demand?
 

mariusbrouwe

New member
I installed update 6.44.1 but that didn't solve anything... I then decided to downgrade to 6.42.12 (long-term), but unfortunately that didn't help either. The PH2 State is established but the SPI byte counter is only counting on site1 when pinging from site1 to site2. Any additional thoughts?
 

Andy

Administrator
Remove your IPsec phase 2 rule and set port-override on your phase 1 configuration; that should fix the issue 👍
 