
MikroTik Site-to-Site IPsec VPN How-To


MikroTik routers are cost-effective network hardware with a rich feature set, one of which is VPN. You can connect two remote offices that are worlds apart with a secure VPN tunnel over the Internet.
This tutorial shows how to do that with IPsec. It assumes a static public IP address at both ends, although the same setup can also be made to work with a dynamic IP at one end.
Our configuration is based on the network diagram below.
The two sites are connected to the Internet with public IP addresses provided by different ISPs.
The aim is to let users at the branch office reach servers and applications at the head office over an IPsec VPN tunnel terminated on a MikroTik router at each location.

Site-to-site IPsec VPN connection (network diagram)

IP address configuration at HQ_RT:

[admin@HQ_RT] > /ip address
add address=196.110.41.6/30 interface=ether2
add address=172.27.1.1/24 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=196.110.41.5
/ip firewall nat
# ether2 carries the public address, so it is the WAN interface here
add chain=srcnat out-interface=ether2 action=masquerade

IP address configuration at Branch_RT:

[admin@Branch_RT] > /ip address
add address=41.72.102.42/30 interface=ether2
add address=192.168.1.1/24 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=41.72.102.41
/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade

IPsec peer configuration:
Specify the peer's public address, port and pre-shared key. The PSK is the only thing that authenticates the other router, so replace "123456" with a long random secret and use the same value on both sides. (The syntax below is for RouterOS 6 before 6.43; from 6.43 the secret is configured under /ip ipsec identity instead of on the peer.)

HQ_RT:
/ip ipsec peer
add address=41.72.102.42/32 port=500 auth-method=pre-shared-key secret="123456"

Branch_RT:
/ip ipsec peer
add address=196.110.41.6/32 port=500 auth-method=pre-shared-key secret="123456"

Policy and proposal configuration:
Encrypt traffic between 192.168.1.0/24 and 172.27.1.0/24 in both directions. The policy is in tunnel mode, uses the default proposal, and the SA addresses are the two routers' public addresses (swapped on the other side).

HQ_RT:
/ip ipsec policy
add src-address=172.27.1.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all sa-src-address=196.110.41.6 sa-dst-address=41.72.102.42 tunnel=yes action=encrypt proposal=default

Branch_RT:
/ip ipsec policy
add src-address=192.168.1.0/24 src-port=any dst-address=172.27.1.0/24 dst-port=any protocol=all sa-src-address=41.72.102.42 sa-dst-address=196.110.41.6 tunnel=yes action=encrypt proposal=default

NAT bypass configuration:
Traffic between the two LANs must not be masqueraded: once its source address is rewritten to the WAN address it no longer matches the IPsec policy and leaves the router in clear. Add an accept rule above the masquerade rule on each router.

HQ_RT:
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=172.27.1.0/24 dst-address=192.168.1.0/24

Branch_RT:
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.1.0/24 dst-address=172.27.1.0/24

Note: these accept rules must sit above all other srcnat rules (place-before=0 puts them first; it fails on an empty NAT table, in which case simply add them before the masquerade rule). Connections that already exist keep their masquerade translation, so clear the connection table (/ip firewall connection remove [find]) or restart the routers. Two other things the tunnel needs that are easy to miss: the input chain on each router must accept UDP 500, UDP 4500 and ESP (protocol=ipsec-esp) from the peer's public address ahead of any drop rule, and the two LAN subnets must be excluded from any fasttrack rule, because fasttracked packets skip IPsec policies. Verify with /ip ipsec remote-peers print (phase 1 established; called active-peers from RouterOS 6.43) and /ip ipsec installed-sa print (phase 2 SAs present), then ping a head-office host from a branch host.
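Hand-typing the two sides invites exactly the mirroring mistakes seen in configs like the one above (swapped sa-src/sa-dst, a subnet typed differently on each router, a secret that differs by one character). The script below generates both routers' command sets from a single description of the two sites and checks that the policies mirror each other. It is an added example, not code from this tutorial or from MikroTik. It assumes RouterOS 6.x with the pre-6.43 peer syntax used above, routers with no pre-existing firewall or NAT rules (rules are emitted in the order they must end up in, so no place-before= is needed), and ether2 as the WAN interface on both sides as in the diagram; the Site, router_config and check_mirrored names are the example's own.

```python
"""Generate mirrored RouterOS 6.x commands for a site-to-site IPsec tunnel.

Added example for the tutorial, not MikroTik code. Assumes the pre-6.43
peer syntax (secret on the peer) and routers without existing rules.
"""
from __future__ import annotations

import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str       # router identity, e.g. "HQ_RT"
    wan_if: str     # interface carrying the public address
    wan_cidr: str   # router's public address, e.g. "196.110.41.6/30"
    gateway: str    # ISP next hop
    lan_if: str     # LAN interface
    lan_cidr: str   # router's LAN address, e.g. "172.27.1.1/24"

    @property
    def wan_ip(self) -> str:
        return str(ipaddress.ip_interface(self.wan_cidr).ip)

    @property
    def lan_net(self) -> str:
        return str(ipaddress.ip_interface(self.lan_cidr).network)


def make_psk(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG; the PSK is all that authenticates the peer."""
    return secrets.token_urlsafe(nbytes)


def router_config(local: Site, remote: Site, psk: str) -> list[str]:
    """Commands to paste into `local`; `remote` becomes its IPsec peer."""
    return [
        f"/system identity set name={local.name}",
        "/ip address",
        f"add address={local.wan_cidr} interface={local.wan_if}",
        f"add address={local.lan_cidr} interface={local.lan_if}",
        "/ip route",
        f"add dst-address=0.0.0.0/0 gateway={local.gateway}",
        # IKE (UDP 500), NAT-T (UDP 4500) and ESP must be accepted in the input
        # chain before any WAN drop rule; restrict them to the known peer.
        "/ip firewall filter",
        f"add chain=input action=accept protocol=udp dst-port=500,4500 "
        f"src-address={remote.wan_ip} in-interface={local.wan_if}",
        f"add chain=input action=accept protocol=ipsec-esp "
        f"src-address={remote.wan_ip} in-interface={local.wan_if}",
        # NAT bypass first: masqueraded LAN-to-LAN packets would carry the WAN
        # source address and never match the policy selector below.
        "/ip firewall nat",
        f"add chain=srcnat action=accept src-address={local.lan_net} dst-address={remote.lan_net}",
        f"add chain=srcnat action=masquerade out-interface={local.wan_if}",
        "/ip ipsec peer",
        f'add address={remote.wan_ip}/32 port=500 exchange-mode=main '
        f'auth-method=pre-shared-key secret="{psk}"',
        "/ip ipsec policy",
        f"add src-address={local.lan_net} dst-address={remote.lan_net} protocol=all "
        f"tunnel=yes action=encrypt level=require "
        f"sa-src-address={local.wan_ip} sa-dst-address={remote.wan_ip} proposal=default",
    ]


def _policy_fields(cfg: list[str]) -> dict[str, str]:
    """Parse the policy line of a generated config into key/value pairs."""
    line = next(l for l in cfg if "sa-src-address=" in l)
    return dict(kv.split("=", 1) for kv in line.split()[1:])


def check_mirrored(a: list[str], b: list[str]) -> bool:
    """True when each side's selectors and SA endpoints are the other's, reversed."""
    fa, fb = _policy_fields(a), _policy_fields(b)
    return (fa["src-address"] == fb["dst-address"]
            and fa["dst-address"] == fb["src-address"]
            and fa["sa-src-address"] == fb["sa-dst-address"]
            and fa["sa-dst-address"] == fb["sa-src-address"])


# The two sites from the tutorial's diagram.
HQ = Site("HQ_RT", "ether2", "196.110.41.6/30", "196.110.41.5", "ether1", "172.27.1.1/24")
BRANCH = Site("Branch_RT", "ether2", "41.72.102.42/30", "41.72.102.41", "ether1", "192.168.1.1/24")

if __name__ == "__main__":
    psk = make_psk()  # the same secret goes to both routers
    for local, remote in ((HQ, BRANCH), (BRANCH, HQ)):
        print(f"# ---- paste into {local.name} ----")
        print("\n".join(router_config(local, remote, psk)))
    assert check_mirrored(router_config(HQ, BRANCH, psk), router_config(BRANCH, HQ, psk))
```

Run it once, paste each block into the matching router's terminal, then confirm phase 1 and phase 2 with /ip ipsec remote-peers print and /ip ipsec installed-sa print before testing LAN-to-LAN traffic. The generated PSK is printed in clear, so treat the output as a secret.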


Truen Networks Limited - © 2017   |    All Rights Reserved.