Learn How To Create An IPSEC Site To Site VPN Between Two Mikrotik Routers
In this tutorial, you will learn how to create a SITE-TO-SITE IPSEC VPN between two Mikrotik routers that are located in geographically separate networks. This will be a full IPSEC SITE-TO-SITE VPN setup that allows client devices at both endpoints to communicate with each other as if they were on the same network. IPsec is a group of protocols that are used together to set up encrypted connections between devices. It helps keep data sent over public networks secure. IPsec is often used to set up VPNs, and it works by encrypting IP packets and authenticating the source the packets come from. Within the term “IPsec,” “IP” stands for “Internet Protocol” and “sec” for “secure.” The Internet Protocol is the main routing protocol used on the Internet; it designates where data will go using IP addresses. IPsec is secure because it adds encryption and authentication to this process. To watch the video tutorial, play the video at the top of this page.
In order to complete this tutorial, the following items may be needed or required. Please ensure you have them available before starting the implementation steps in this tutorial to ensure success:
1) A desktop or laptop with at least 4GB RAM, a dual core processor and 50GB of free disk space
2) The WINBOX tool for configuring mikrotik routers
3) Two MIKROTIK routers with each router connected to a different network or MIKROTIK CHR with PUBLIC STATIC IP ADDRESSES configured on the WAN interfaces
4) A static public IP address configured on each router
5) Oracle VM VirtualBox 6.1 or any newer version
1) IPSEC site to site VPN network diagram
2) Download the MIKROTIK cloud hosted router from the mikrotik website
3) Import two MIKROTIK CHR virtual machines into VIRTUALBOX
4) Start the MIKROTIK virtual machines and complete the basic configuration in QUICKSET
5) Configure an IPSEC VPN connection between the two routers and test connectivity.
IPSEC SITE TO SITE VPN NETWORK DIAGRAM
BELOW is a diagram that illustrates two MIKROTIK routers being used as edge devices on two separate networks. The routers are in two different locations, with the first in NORTH VIRGINIA and the second in OREGON. The NORTH VIRGINIA router has a WAN IP ADDRESS of 192.168.57.210 and its LAN address is 192.168.20.1. Client devices connect directly to the router and obtain IP addresses from a DHCP range of 192.168.20.10 – 192.168.20.100.
The OREGON mikrotik router has a WAN IP address of 192.168.57.200 and its LAN address is 192.168.10.1. Client devices connect directly to the router and obtain IP addresses from a DHCP range of 192.168.10.10 – 192.168.10.100.
The two routers have an IPSEC TUNNEL configured that allows client devices on the OREGON router to have direct access to the N.VIRGINIA network and vice versa such that devices can communicate as if they are on the same network.
STEP 1: DOWNLOAD THE MIKROTIK CLOUD HOSTED ROUTER
1) Click HERE to go to the MIKROTIK software downloads page. Scroll down to the CLOUD HOSTED ROUTER section, expand and click on the SAVE icon on the .OVA format option.
STEP 2: Import two MIKROTIK CHR virtual machines into VIRTUALBOX
3) Once the download is complete, right click on the MIKROTIK.OVA file and click on OPEN WITH > VIRTUALBOX. On the APPLIANCE SETTINGS page, ensure that the IMPORT HARD DRIVES AS VDI check box is checked and click on IMPORT.
4) Once the IMPORT process is complete, right click on the virtual machine and click on SETTINGS. On the GENERAL tab, change the NAME of the virtual router to MIKROTIK OREGON (or any other name that you would like) then click on the NETWORK tab.
Attach ADAPTER 1 to the HOST ONLY ADAPTER and select VBOXNET1 on the name drop down menu. Click on ADVANCED and set PROMISCUOUS MODE to ALLOW ALL.
5) Attach ADAPTER 2 to the INTERNAL NETWORK interface, leave the default NETWORK NAME as it is, then click on ADVANCED > PROMISCUOUS MODE and select ALLOW ALL.
6) Next, import a second MIKROTIK virtual machine by repeating STEP 3 TO STEP 6 and ensure you name the router MIKROTIK N.VIRGINIA (or any other different name that you would like).
STEP 3: START THE VIRTUAL MACHINES AND COMPLETE THE BASIC CONFIGURATION USING QUICKSET.
7) Right click on the MIKROTIK OREGON virtual machine and click on START > NORMAL START. Once the virtual machine starts up, log in to the terminal interface using the username “admin” and a blank password, then run the following command to set an IP address on the ETHER1 interface:
ip address add address=192.168.57.200/24 interface=ether1
8) Next, open the WINBOX application, click on the NEIGHBOURS tab and double click on the IP ADDRESS for the MIKROTIK OREGON router. Type “admin” on the LOGIN input field, leave the password field blank and click on the CONNECT button.
9) Once you have logged into the router, click on QUICKSET and on the INTERNET section, click on the STATIC radio button. On the GATEWAY input box, type 192.168.56.1 (or your INTERNET GATEWAY ADDRESS) and set DNS SERVERS to 18.104.22.168
On the LOCAL NETWORK section set the IP ADDRESS to 192.168.10.1 set the NETMASK option to 255.255.255.0 (/24) and click on the BRIDGE ALL LAN PORTS check box. Click on the DHCP SERVER check box and on the DHCP SERVER RANGE enter “192.168.10.10-192.168.10.100” then click on the NAT check box.
Scroll down to the ROUTER IDENTITY section and set the identity of the router to MIKROTIK-OREGON. Click on APPLY and click on OK.
10) The final step in the ROUTER basic configuration is to set a password for the router. Click on SYSTEM > PASSWORD. Leave the old password field blank and type in a new password on the appropriate fields. Click on APPLY then click on OK.
Repeat STEP 7 – STEP 10 to configure the MIKROTIK N.VIRGINIA router, but ensure that you set the ROUTER IDENTITY to MIKROTIK N.VIRGINIA. Set the IP ADDRESS to 192.168.57.210 and the LAN ADDRESS to 192.168.20.1.
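For readers who prefer the terminal, the following is an added example (not from the original tutorial) of RouterOS commands that produce roughly the same result as the QUICKSET steps above for the MIKROTIK OREGON router. It assumes ETHER1 is the WAN port (already addressed in step 7) and ETHER2 is the LAN port; the bridge, pool and DHCP server names are arbitrary, and the admin password is a placeholder to be replaced. Clients are handed the upstream DNS server directly rather than having the router answer DNS, which avoids exposing a resolver on the WAN interface.

```routeros
# Added example: CLI equivalent of the QuickSet basic configuration for the
# MIKROTIK OREGON router. Assumptions: ether1 = WAN, ether2 = LAN; the names
# bridge-lan, lan-pool and lan-dhcp are arbitrary choices.

# INTERNET section: default route via the gateway and upstream DNS server
/ip route add dst-address=0.0.0.0/0 gateway=192.168.56.1
/ip dns set servers=18.104.22.168

# LOCAL NETWORK section: bridge the LAN port and address the bridge
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/ip address add address=192.168.10.1/24 interface=bridge-lan

# DHCP SERVER section: pool, server on the bridge, and network options
/ip pool add name=lan-pool ranges=192.168.10.10-192.168.10.100
/ip dhcp-server add name=lan-dhcp interface=bridge-lan address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=18.104.22.168

# NAT check box: masquerade LAN traffic leaving the WAN port
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="quickset-masquerade"

# ROUTER IDENTITY section and step 10 (set the admin password)
/system identity set name=MIKROTIK-OREGON
/user set admin password="CHANGE-ME-placeholder"
```

For the MIKROTIK N.VIRGINIA router, repeat the same commands with 192.168.20.1/24, the 192.168.20.10-192.168.20.100 pool, the 192.168.20.0/24 network and the identity MIKROTIK-N.VIRGINIA.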
STEP 4: Configure an IPSEC VPN connection between the two routers and test connectivity.
11) Start configuring IPSEC on the MIKROTIK N.VIRGINIA router. To configure the IPSEC VPN, click on IP > IPSEC > PROFILE. Click on the add “+” button at the top to open the NEW IPSEC PROFILE creation window. Set the name of the profile to N.VIRGINIA-PROFILE and set the HASH ALGORITHMS option to SHA256. Leave the PRF ALGORITHMS option on AUTO and set the ENCRYPTION ALGORITHM to AES-256. Set the DH-GROUP (DIFFIE-HELLMAN GROUP) to MODP2048, set PROPOSAL CHECK to OBEY and ensure that the NAT TRAVERSAL check box is checked.
Click on APPLY then click on OK.
12) Click on the PEERS tab and click on the ADD “+” button to open the NEW IPSEC PEER window. Set the name of the PEER to N.VIRGINIA PEER and enter the IP ADDRESS of the MIKROTIK OREGON router on the ADDRESS field. Enter the IP ADDRESS of the MIKROTIK N.VIRGINIA router on the LOCAL ADDRESS field, select the N.VIRGINIA-PROFILE that you created in the previous step on the PROFILE dropdown then click on the SEND INITIAL_CONTACT checkbox.
Click on APPLY and click on OK.
13) Next, click on the IDENTITIES tab and click on the ADD “+” button to open the NEW IPSEC IDENTITY window. Select the PEER that you created in the previous step on the PEER dropdown and set the AUTH. METHOD to PRE SHARED KEY. Enter a password on the SECRET password field, then click on APPLY and OK.
14) Click on the PROPOSAL tab and click on the ADD “+” button to open the NEW IPSEC PROPOSAL window. On the NAME field type “N.VIRGINIA-PROPOSAL” and select the SHA256 checkbox on the AUTH ALGORITHMS. Set the ENCR. ALGORITHMS to AES-256 CBC and the LIFETIME to 1d:00:00.
Set the PFS GROUP to MODP2048 then click on APPLY and click on OK.
15) The next step is to create an IPSEC POLICY that defines the traffic that you would like to send over the tunnel. Click on the POLICIES tab and click on the ADD “+” button to open the NEW IPSEC POLICY window. On the GENERAL tab select the N.VIRGINIA PEER and click on the TUNNEL check box. Set the SRC. ADDRESS (the network the traffic originates from) to 192.168.20.0/24 and the DST. ADDRESS (the network the traffic is destined for) to 192.168.10.0/24.
Click on the ACTION tab and on the PROPOSAL drop down select the N.VIRGINIA proposal then click on APPLY.
16) The next step is to configure a NAT bypass rule that will allow VPN traffic to flow through the WAN interface on the MIKROTIK routers. To configure the rule, click on IP > FIREWALL and click on the NAT tab. Click on the “+” button at the top of the page to open the NEW FIREWALL RULE window.
Set the CHAIN to SRCNAT, enter 192.168.20.0/24 in the SRC. ADDRESS field and 192.168.10.0/24 in the DST. ADDRESS field. Click on the ACTION tab and set the ACTION option to ACCEPT, then click on APPLY and click on OK.
17) You now need to repeat the configuration on the MIKROTIK OREGON ROUTER from STEP 11 to STEP 16. Once you complete the configuration, the PH2 STATE of the IPSEC POLICY should change to ESTABLISHED and you should also see an ACTIVE PEER on the ACTIVE PEERS tab as well as some entries on the INSTALLED SAs tab.
18) To test connectivity between the two endpoints, click on TERMINAL on the MIKROTIK N.VIRGINIA router. We’ll use the ping command to test reachability. Run the following command to test:
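The following is an added example (not from the original tutorial) of the RouterOS commands equivalent to STEP 11 to STEP 16, shown for both routers so the mirrored values can be compared side by side. Because names containing spaces must be quoted in RouterOS, the peers are named with hyphens here; the pre-shared key is a placeholder and must be replaced with the same long, random secret on both sides. The NAT bypass rule is placed at position 0 so it is evaluated before the QUICKSET masquerade rule: firewall rules run top-down, and traffic that has already been masqueraded no longer matches the 192.168.20.0/24 to 192.168.10.0/24 policy.

```routeros
# Added example: CLI equivalent of steps 11-16 on both routers.
# Assumptions: peer names use hyphens instead of spaces; the PSK is a
# placeholder to be replaced (identical on both routers).

# ===== MIKROTIK N.VIRGINIA (WAN 192.168.57.210, LAN 192.168.20.0/24) =====
# Step 11: phase 1 profile (SHA256, AES-256, DH group modp2048, NAT-T)
/ip ipsec profile add name=N.VIRGINIA-PROFILE hash-algorithm=sha256 \
    enc-algorithm=aes-256 dh-group=modp2048 proposal-check=obey nat-traversal=yes
# Step 12: peer pointing at the OREGON WAN address
/ip ipsec peer add name=N.VIRGINIA-PEER address=192.168.57.200/32 \
    local-address=192.168.57.210 profile=N.VIRGINIA-PROFILE send-initial-contact=yes
# Step 13: identity authenticating the peer with a pre-shared key
/ip ipsec identity add peer=N.VIRGINIA-PEER auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK"
# Step 14: phase 2 proposal (SHA256, AES-256-CBC, PFS modp2048, 1 day lifetime)
/ip ipsec proposal add name=N.VIRGINIA-PROPOSAL auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1d
# Step 15: tunnel policy selecting LAN-to-LAN traffic
/ip ipsec policy add peer=N.VIRGINIA-PEER tunnel=yes \
    src-address=192.168.20.0/24 dst-address=192.168.10.0/24 proposal=N.VIRGINIA-PROPOSAL
# Step 16: NAT bypass, placed above the masquerade rule (rules run top-down)
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.20.0/24 dst-address=192.168.10.0/24 comment="ipsec-bypass"

# ===== MIKROTIK OREGON (WAN 192.168.57.200, LAN 192.168.10.0/24) =====
# Step 17: the same six objects with the addresses mirrored
/ip ipsec profile add name=OREGON-PROFILE hash-algorithm=sha256 \
    enc-algorithm=aes-256 dh-group=modp2048 proposal-check=obey nat-traversal=yes
/ip ipsec peer add name=OREGON-PEER address=192.168.57.210/32 \
    local-address=192.168.57.200 profile=OREGON-PROFILE send-initial-contact=yes
/ip ipsec identity add peer=OREGON-PEER auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK"
/ip ipsec proposal add name=OREGON-PROPOSAL auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1d
/ip ipsec policy add peer=OREGON-PEER tunnel=yes \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 proposal=OREGON-PROPOSAL
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 comment="ipsec-bypass"

# Verification on either router: PH2 State should read established, one
# active peer should be listed, and installed SAs should appear.
/ip ipsec policy print
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

If the PH2 STATE stays at no-phase2, compare the profile and proposal algorithms on both sides first, then confirm that the ipsec-bypass rule sits above the masquerade rule in /ip firewall nat print.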
ping 192.168.10.1 src-address=192.168.20.1
The above command pings the LAN address of the OREGON router from the MIKROTIK N.VIRGINIA LAN address. You should get ping replies as shown in the image below.