Setting Mikrotik as IPSec Concentrator

This tutorial covers setting up a Mikrotik router as an IPSec concentrator. Road warriors will be able to establish a secure IPSec connection using the ShrewSoft VPN client.

Setting Mikrotik IPSec parameters

Since road warriors will connect from different locations, we need to add a peer with address 0.0.0.0/0 and let the router generate the policy automatically.


/ip ipsec peer 
  add address=0.0.0.0/0 auth-method=pre-shared-key exchange-mode=main\
  secret=123456 hash-algorithm=md5 enc-algorithm=3des generate-policy=yes

Mikrotik IPSec Peer

Make sure that the default proposal uses the authentication algorithm sha1 and the encryption algorithm 3des.

Mikrotik IPSec Proposal


Setting ShrewSoft VPN Client

Put the Mikrotik router's public IP address in Remote Host and change Local Host to "Use existing adapter and current address".

ShrewSoft Mikrotik VPN Configuration General

Disable NAT Traversal and IKE Fragmentation if you are not using NAT traversal.

ShrewSoft Mikrotik VPN Configuration Client

If you need WINS and local DNS, enter them manually; otherwise disable these parameters.

ShrewSoft Mikrotik VPN Configuration Name Resolution

Under Authentication, set Authentication Method to Mutual PSK, Local Identity to IP Address, and put the secret in Credential -> Pre Shared Key.

ShrewSoft Mikrotik VPN Configuration Authentication Local

Set the Phase 1 parameters to match the Mikrotik peer configuration: main, group2, 3des, md5, 86400.

ShrewSoft Mikrotik VPN Configuration Phase1

Set the Phase 2 parameters to match the Mikrotik default proposal: esp-3des, sha1, group2, and change the Key Life Time limit to 1800 because the Lifetime in the Mikrotik default proposal is 00:30:00.

ShrewSoft Mikrotik VPN Configuration Phase2

Finally, we need to add the local network (10.20.30.0/24) that we want to route through the IPSec VPN connection.

ShrewSoft Mikrotik VPN Configuration Policy
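As an added consistency check (example code written for this page, not part of the original tutorial and not from MikroTik or Shrew Soft), the Python script below parses the peer command from the first step, converts RouterOS time values to the seconds ShrewSoft expects, verifies that the Phase 1 and Phase 2 values entered in the client match the router side, and flags the deprecated md5/3des algorithms and the weak sample secret. It assumes the RouterOS defaults dh-group modp1024 and peer lifetime 1d for fields the command does not set, which is what the tutorial's group2/86400 client values rely on.

```python
import re

# Constructed sample input: the peer command from this tutorial as typed into the
# RouterOS CLI (a trailing backslash continues the command on the next line).
PEER_CMD = ("add address=0.0.0.0/0 auth-method=pre-shared-key exchange-mode=main\\\n"
            "  secret=123456 hash-algorithm=md5 enc-algorithm=3des generate-policy=yes")
# RouterOS default proposal as the tutorial describes it (Lifetime 00:30:00).
DEFAULT_PROPOSAL = {"auth-algorithms": "sha1", "enc-algorithms": "3des", "lifetime": "00:30:00"}
# ShrewSoft Phase 1 / Phase 2 values the tutorial tells the user to enter.
SHREW_PHASE1 = {"exchange": "main", "dh": "group2", "cipher": "3des", "hash": "md5", "lifetime": 86400}
SHREW_PHASE2 = {"transform": "esp-3des", "hmac": "sha1", "pfs": "group2", "lifetime": 1800}
# RouterOS dh-group names mapped to the IKE group numbers ShrewSoft shows.
DH_NAMES = {"modp768": "group1", "modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}
DEPRECATED = {"md5", "3des", "des", "modp768", "modp1024"}

def parse_routeros_args(cmd):
    """Join backslash-continued lines and collect the key=value arguments."""
    joined = cmd.replace("\\\n", " ")
    return {m.group(1): m.group(2) for m in re.finditer(r"(\S+?)=(\S+)", joined)}

def routeros_seconds(value):
    """Convert a RouterOS time such as '00:30:00', '1d' or '1d12:00:00' to seconds."""
    m = re.fullmatch(r"(?:(\d+)w)?(?:(\d+)d)?(?:(\d+):(\d+):(\d+))?", value)
    if not m or not value:
        raise ValueError(f"unrecognised RouterOS time value: {value!r}")
    w, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((w * 7 + d) * 24 + h) * 3600 + mi * 60 + s

def check_client_match(peer, proposal, phase1, phase2):
    """Return mismatches between router settings and the ShrewSoft phase settings.
    Fields absent from the peer command fall back to assumed RouterOS defaults
    (dh-group/pfs-group modp1024, peer lifetime 1d)."""
    expected = {
        "phase1.exchange": (peer.get("exchange-mode"), phase1["exchange"]),
        "phase1.dh": (DH_NAMES[peer.get("dh-group", "modp1024")], phase1["dh"]),
        "phase1.cipher": (peer.get("enc-algorithm"), phase1["cipher"]),
        "phase1.hash": (peer.get("hash-algorithm"), phase1["hash"]),
        "phase1.lifetime": (routeros_seconds(peer.get("lifetime", "1d")), phase1["lifetime"]),
        "phase2.transform": ("esp-" + proposal["enc-algorithms"], phase2["transform"]),
        "phase2.hmac": (proposal["auth-algorithms"], phase2["hmac"]),
        "phase2.pfs": (DH_NAMES[proposal.get("pfs-group", "modp1024")], phase2["pfs"]),
        "phase2.lifetime": (routeros_seconds(proposal["lifetime"]), phase2["lifetime"]),
    }
    return [f"{k}: router={r} client={c}" for k, (r, c) in expected.items() if r != c]

def audit_weak_settings(peer, proposal):
    """Flag deprecated algorithms and a weak pre-shared key in the router configuration."""
    findings = [f"{k}={v} is deprecated" for k, v in {**peer, **proposal}.items() if v in DEPRECATED]
    secret = peer.get("secret", "")
    if len(secret) < 20 or secret.isdigit():
        findings.append("pre-shared key is short or purely numeric; use a long random secret")
    return findings
```

With the tutorial's values `check_client_match` returns an empty list, while `audit_weak_settings` reports md5, 3des and the sample secret 123456 as settings to replace before exposing the peer to the internet.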

That's it! You have your $50 IPSec VPN concentrator without the need to buy additional licences or expensive routers.

Mikrotik: http://www.mikrotik.com
Mikrotik Wiki: http://wiki.mikrotik.com
Shrew Soft: http://www.shrew.net