
Site-to-Site IPSec VPN using Mikrotik Routers

Some time ago I had a client that needed a Site-to-Site IPSec VPN connection between 5 locations but was not ready to pay for Cisco routers.

So it was time for my favorite cheap but reliable solution, Mikrotik. They didn't have any special requirements: at the main location they had a server with an application, and at the other locations they had a few PCs that needed to contact the database on that server. I purchased 5 RB751G-2HnD routers and applied this configuration.

Create a list of addresses that will have full access to the router: the LAN subnets of the locations, the public IPs of the VPN peers, and the public IP you manage the routers from

/ ip firewall address-list 
add list=remote_access address=10.44.11.0/24 comment="Location 1" disabled=no 
add list=remote_access address=10.44.12.0/24 comment="Location 2" disabled=no 
add list=remote_access address=1.1.1.1/32 comment="Public IP From Location 1" disabled=no
add list=remote_access address=2.2.2.2/32 comment="Public IP From Location 2" disabled=no
add list=remote_access address=Public_IP/32 comment="My Public IP for Remote Control" disabled=no

Create rules to restrict unwanted traffic to the router itself (input chain). Only IKE and ESP from the known peers and management from the known networks are accepted; everything else is logged and dropped

/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections" disabled=no 
add chain=input connection-state=related comment="Accept related connections" disabled=no 
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no 
add chain=input protocol=udp dst-port=500,4500 src-address-list=remote_access action=accept comment="IKE (500) and NAT-T (4500) from known peers only; do not accept all UDP" disabled=no 
add chain=input protocol=ipsec-esp src-address-list=remote_access action=accept comment="ESP from known peers" disabled=no 
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings" disabled=no 
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no 
add chain=input src-address-list=remote_access action=accept comment="Allow access to router from known networks" disabled=no 
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no 
add chain=input action=drop comment="Drop everything else" disabled=no

Now let’s jump into Site-to-Site IPSec VPN rules

These rules do two things. The `/ip ipsec policy` entry selects the traffic that must go through the tunnel (LAN of location 1 to LAN of location 2) and, with `level=require`, drops it if no security association exists instead of sending it in clear over the WAN. The `/ip firewall nat` accept rule must be placed above your masquerade rule: if masquerade runs first, the source address is rewritten to the public IP, the policy never matches, and the traffic is routed out unencrypted. The peer settings shown below (3des, sha1, modp1024) are what was deployed at the time and are weak by current standards; RouterOS also supports aes-256, sha256 and modp2048, which should be used instead, together with a long random pre-shared key per pair and DPD enabled so that a dead peer is detected.

# Router 1 - Router 2
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.44.12.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=\
    2.2.2.2 sa-src-address=1.1.1.1 src-address=10.44.11.0/24 src-port=any tunnel=yes comment="IPSec VPN Skopje-Tabanovce"
/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=Sp3d1c1jaVPN send-initial-contact=\
    yes comment="IPSec VPN Skopje-Tabanovce"
/ip firewall nat
add action=accept chain=srcnat comment="IPSec VPN Skopje-Tabanovce" disabled=no dst-address=10.44.12.0/24 src-address=10.44.11.0/24
# Router 2 - Router 1
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.44.11.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=\
    1.1.1.1 sa-src-address=2.2.2.2 src-address=10.44.12.0/24 src-port=any tunnel=yes comment="IPSec VPN Skopje-Tabanovce"
/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=Sp3d1c1jaVPN send-initial-contact=\
    yes comment="IPSec VPN Skopje-Tabanovce"
/ip firewall nat
add action=accept chain=srcnat comment="IPSec VPN Skopje-Tabanovce" disabled=no dst-address=10.44.11.0/24 src-address=10.44.12.0/24
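With five locations the full mesh needs 10 tunnels, each configured on both ends with the same pre-shared key, so hand-copying the Router 1 / Router 2 pair above quickly goes wrong. The following Python generator is an added example, not code from the original post: it emits, for every router, the same kinds of commands shown above (address lists, input chain, policy, peer, srcnat bypass) in the legacy RouterOS v6 syntax the post uses, where the phase-1 crypto settings live on `/ip ipsec peer` (on RouterOS 6.44 and later those parameters moved to `/ip ipsec profile`, so the peer lines would need adjusting). It deliberately differs from the listing in three ways: aes-256/sha256/modp2048 instead of 3des/sha1/modp1024, DPD enabled, and an input chain that admits only IKE and ESP from the peers instead of all UDP. The site names, LAN prefixes, WAN addresses (TEST-NET ranges) and admin address are constructed sample data.

```python
# Added example (not from the original post): generate the full-mesh config for
# all sites instead of hand-copying the Router 1 / Router 2 pair.
# Assumptions: legacy RouterOS v6 (pre-6.44) syntax as used in the post, where
# phase-1 crypto lives on /ip ipsec peer; the site names, LAN prefixes,
# WAN addresses (TEST-NET ranges) and admin address below are constructed.
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations
import secrets


@dataclass(frozen=True)
class Site:
    name: str
    lan: str        # LAN prefix behind this router, e.g. 10.44.11.0/24
    public_ip: str  # WAN address, becomes sa-src-address / sa-dst-address


SITES = [  # constructed sample data
    Site("Skopje", "10.44.11.0/24", "192.0.2.1"),
    Site("Tabanovce", "10.44.12.0/24", "192.0.2.2"),
    Site("Kumanovo", "10.44.13.0/24", "198.51.100.3"),
    Site("Site4", "10.44.14.0/24", "198.51.100.4"),
    Site("Site5", "10.44.15.0/24", "203.0.113.5"),
]
ADMIN_IP = "203.0.113.10"  # constructed: public IP used for remote control


def validate(sites):
    """Overlapping LANs make two policies match the same packet, so refuse them."""
    nets = {s.name: ip_network(s.lan) for s in sites}
    for a, b in combinations(sites, 2):
        if nets[a.name].overlaps(nets[b.name]):
            raise ValueError(f"overlapping LANs: {a.name} {a.lan} / {b.name} {b.lan}")
    if len({s.public_ip for s in sites}) != len(sites):
        raise ValueError("two sites share a public IP")


def firewall_commands(local, sites, admin_ip):
    """Address lists plus an input chain that admits only IKE/ESP from the
    known peers and management from known networks, not all UDP from anywhere."""
    peers = [s for s in sites if s != local]
    cmds = ["/ip firewall address-list"]
    cmds += [f'add list=remote_access address={s.lan} comment="{s.name} LAN"' for s in sites]
    cmds += [f'add list=ipsec_peers address={s.public_ip}/32 comment="{s.name} WAN"' for s in peers]
    cmds.append(f'add list=remote_access address={admin_ip}/32 comment="Remote control"')
    cmds += [
        "/ip firewall filter",
        "add chain=input connection-state=established,related action=accept",
        "add chain=input connection-state=invalid action=drop",
        'add chain=input protocol=udp dst-port=500,4500 src-address-list=ipsec_peers action=accept comment="IKE/NAT-T"',
        'add chain=input protocol=ipsec-esp src-address-list=ipsec_peers action=accept comment="ESP"',
        'add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Limited pings"',
        "add chain=input protocol=icmp action=drop",
        'add chain=input src-address-list=remote_access action=accept comment="Management"',
        'add chain=input action=log log-prefix="DROP INPUT"',
        "add chain=input action=drop",
    ]
    return cmds


def tunnel_commands(local, remote, psk):
    """The local side of one tunnel: policy, peer and the srcnat bypass."""
    tag = f"IPSec VPN {local.name}-{remote.name}"
    return [
        "/ip ipsec policy",
        f"add action=encrypt src-address={local.lan} dst-address={remote.lan} "
        f"sa-src-address={local.public_ip} sa-dst-address={remote.public_ip} "
        f'ipsec-protocols=esp level=require proposal=default protocol=all tunnel=yes comment="{tag}"',
        "/ip ipsec peer",
        f'add address={remote.public_ip}/32 auth-method=pre-shared-key secret="{psk}" '
        f"exchange-mode=main dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 "
        f'lifetime=1d dpd-interval=30s dpd-maximum-failures=3 send-initial-contact=yes comment="{tag}"',
        "/ip firewall nat",
        # place-before=0 puts the bypass above masquerade; if masquerade ran first
        # the source would already be the WAN IP and the policy would never match.
        f'add chain=srcnat action=accept src-address={local.lan} dst-address={remote.lan} place-before=0 comment="{tag}"',
    ]


def mesh(sites, admin_ip, psk_for=None):
    """Return {site name: RouterOS script} for a full mesh. One random PSK per
    pair, known only to the two ends of that pair."""
    validate(sites)
    psk_for = psk_for or (lambda a, b: secrets.token_urlsafe(32))
    psks = {frozenset((a.name, b.name)): psk_for(a, b) for a, b in combinations(sites, 2)}
    configs = {}
    for local in sites:
        cmds = firewall_commands(local, sites, admin_ip)
        cmds += ["/ip ipsec proposal",
                 "set [find default=yes] enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048"]
        for remote in sites:
            if remote != local:
                cmds += tunnel_commands(local, remote, psks[frozenset((local.name, remote.name))])
        configs[local.name] = "\n".join(cmds)
    return configs


if __name__ == "__main__":
    print(mesh(SITES, ADMIN_IP)["Skopje"])
```

Each generated script is pasted into the terminal of the router it is named for; the PSK for a pair appears in exactly two scripts, so a compromised router exposes only its own four keys, not the whole mesh.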

About Nikola Stojanoski

System Administrator and Developer. Giving back to the community by blogging about my problems, solutions and practical howto's.