Site-to-Site IPSec VPN using Mikrotik Routers
Some time ago I had a client that needed a Site-to-Site IPSec VPN connection between 5 locations but was not ready to pay for Cisco routers.
The solution was simple: build a Mikrotik Site-to-Site VPN with my favourite cheap but reliable routers, Mikrotik.
They had no special requirements: at the main location they had a server running an application, and at the other locations they had a few PCs that needed to reach the database on that server. I purchased 5 RB751G-2HnD routers and applied this configuration.
Create a list of addresses that will have full access to the router. Both LAN subnets, both routers' public IPs and the admin's public IP go on it; the input chain below accepts IKE and ESP from the remote router only because that router's public IP is on this list. Replace Public_IP with your own static address.
/ip firewall address-list
add list=remote_access address=10.44.11.0/24 comment="Location 1" disabled=no
add list=remote_access address=10.44.12.0/24 comment="Location 2" disabled=no
add list=remote_access address=1.1.1.1/32 comment="Public IP From Location 1" disabled=no
add list=remote_access address=2.2.2.2/32 comment="Public IP From Location 2" disabled=no
add list=remote_access address=Public_IP/32 comment="My Public IP for Remote Control" disabled=no
Create rules to restrict unwanted traffic to the router itself (the input chain). These rules only protect the router's management plane; they do not decide whether the tunnel comes up, that is done by the IPsec policy and peer entries further down. Rules are evaluated top to bottom, so keep this order. Note that the rule accepting all UDP is broader than IPsec needs: IKE uses only UDP 500 (and 4500 with NAT traversal), and ESP is IP protocol 50, not UDP, so it is accepted by the remote_access rule, not the UDP one. If you want a tighter input chain, limit UDP to ports 500 and 4500 from the peer's public IP and add an explicit protocol=ipsec-esp accept from the same address.
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections" disabled=no
add chain=input connection-state=related comment="Accept related connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
add chain=input src-address-list=remote_access action=accept comment="Allow access to router from known network" disabled=no
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
Now let's jump into the Site-to-Site IPSec VPN rules.
Three entries are needed per router. The policy tells the router that traffic from its LAN subnet to the remote LAN subnet must be encrypted (ESP, tunnel mode) and sent to the peer's public IP. The peer entry defines IKE phase 1 with the pre-shared key, which must be identical on both sides. The srcnat accept rule keeps the inter-site traffic from being masqueraded: in RouterOS the IPsec policy is checked after src-nat, so a masqueraded packet would carry the public source address and no longer match the policy. That accept rule must therefore be placed above the masquerade rule. Two caveats for anyone reusing this: nat-traversal=no assumes both routers hold their public IP directly on the WAN interface (behind NAT you need nat-traversal=yes and UDP 4500 open), and 3DES, SHA1 and modp1024 were acceptable when this was written but are weak today; use aes-256, sha256 and modp2048 in both the peer and the proposal, and replace the pre-shared key shown here with a long random one.
# Router 1 - Router 2
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.44.12.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=10.44.11.0/24 src-port=any tunnel=yes comment="IPSec VPN Skopje-Tabanovce"
/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=Sp3d1c1jaVPN send-initial-contact=yes comment="IPSec VPN Skopje-Tabanovce"
/ip firewall nat
add action=accept chain=srcnat comment="IPSec VPN Skopje-Kumanovo" disabled=no dst-address=10.44.12.0/24 src-address=10.44.11.0/24

# Router 2 - Router 1
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.44.11.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=10.44.12.0/24 src-port=any tunnel=yes comment="IPSec VPN Skopje-Tabanovce"
/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=Sp3d1c1jaVPN send-initial-contact=yes comment="IPSec VPN Skopje-Tabanovce"
/ip firewall nat
add action=accept chain=srcnat comment="IPSec VPN Skopje-Tabanovce" disabled=no dst-address=10.44.11.0/24 src-address=10.44.12.0/24
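The following is an added example, not the original configuration from this post: it is the Router 1 side of the same setup with the points above applied (input chain narrowed to IKE and ESP from the peer instead of all UDP, AES-256/SHA-256/modp2048 in both phases, DPD enabled, and the srcnat bypass placed above masquerade). It assumes the same addressing as the article (10.44.11.0/24 behind 1.1.1.1, 10.44.12.0/24 behind 2.2.2.2), the older /ip ipsec peer syntax the article uses, a WAN interface named ether1, and a placeholder pre-shared key; Router 2 mirrors it with the subnets and public IPs swapped.

```routeros
# Router 1 (LAN 10.44.11.0/24, WAN 1.1.1.1) - hardened variant, added example
# Assumptions: WAN interface is ether1; "ReplaceMeWithALongRandomSecret" is a placeholder PSK;
# Public_IP is the admin's static address, as in the article.

# Address list: only the remote LAN, the peer's public IP and the admin host need router access
/ip firewall address-list
add list=remote_access address=10.44.12.0/24 comment="Location 2 LAN"
add list=remote_access address=2.2.2.2/32 comment="Location 2 public IP (IPsec peer)"
add list=remote_access address=Public_IP/32 comment="Admin public IP"

# Input chain: no blanket UDP accept. IKE (UDP 500/4500) and ESP (IP protocol 50)
# are accepted only from the peer; management only from the address list.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Accept established/related"
add chain=input connection-state=invalid action=drop comment="Drop invalid"
add chain=input protocol=udp dst-port=500,4500 src-address=2.2.2.2 action=accept comment="IKE from peer only"
add chain=input protocol=ipsec-esp src-address=2.2.2.2 action=accept comment="ESP from peer only"
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input src-address-list=remote_access action=accept comment="Management from known hosts"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

# Phase 2 proposal: replace the default 3DES/SHA1 with AES-256/SHA-256 and enable PFS
/ip ipsec proposal
set default enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048 lifetime=30m

# Phase 1 peer: AES-256, SHA-256, modp2048; DPD enabled so a dead peer's SAs are torn down
/ip ipsec peer
add address=2.2.2.2/32 auth-method=pre-shared-key secret="ReplaceMeWithALongRandomSecret" \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    dpd-interval=10s dpd-maximum-failures=3 lifetime=8h nat-traversal=no \
    generate-policy=no send-initial-contact=yes comment="IPsec VPN Skopje-Tabanovce"

# Policy: unchanged in substance, LAN-to-LAN traffic must be encrypted to the peer
/ip ipsec policy
add src-address=10.44.11.0/24 dst-address=10.44.12.0/24 protocol=all tunnel=yes action=encrypt \
    level=require ipsec-protocols=esp proposal=default sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 \
    comment="IPsec VPN Skopje-Tabanovce"

# srcnat: the accept rule must be ABOVE masquerade, otherwise LAN packets are rewritten to
# 1.1.1.1 before the IPsec policy is consulted and never match it. If a masquerade rule
# already exists, add the accept with place-before=<its number> instead.
/ip firewall nat
add chain=srcnat src-address=10.44.11.0/24 dst-address=10.44.12.0/24 action=accept comment="Bypass NAT for VPN"
add chain=srcnat out-interface=ether1 action=masquerade comment="Internet access"

# Checks: phase 1 up, phase 2 SAs installed, policy shows ph2-state=established
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```

On RouterOS 6.43 and later the authentication and algorithm settings shown on the peer entry moved into /ip ipsec identity and /ip ipsec profile, and remote-peers was renamed active-peers, so adapt the peer block accordingly on current firmware; the filter, proposal, policy and NAT parts apply unchanged. Generate the pre-shared key on the router with /ip ipsec peer and a random string of 32 or more characters rather than a word-based secret.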
More on Mikrotik IPsec: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
Hell My
So why, when I set up a site-to-site VPN with another network, does my remote client L2TP/IPsec get disconnected because I have a different peer and a different PSK?
This is nice, but would this not work without the filter rules you entered at the beginning? I ask because I did a similar setup without the rules and it worked well; that was before I found yours here, by the way. See here https://www.timigate.com/2017/10/how-to-configure-site-to-site-ipsec-vpn.html?m=1