IPsec Configuration

Configuring IPsec on MikroTik (Site-to-Site) involves defining the security profile, creating a peer connection, setting up the policy for the traffic to be protected, and configuring firewall rules. Before you start, make sure both routers have static public IPs, their clocks are synchronized via NTP, and UDP ports 500 and 4500 are allowed in /ip firewall filter.

Step-by-Step Configuration (Winbox)

1.    Create IPsec Profile (/ip ipsec profile)
•       Go to IP > IPsec > Profiles.
•       Click + (Add) and name it (e.g., site1-profile).
•       Set Hash Algorithm to sha256, Encryption to aes-256, and DH Group to modp2048 for modern security.

2.    Create IPsec Proposal (/ip ipsec proposal)
•       Go to IP > IPsec > Proposals.
•       Click + (Add) and name it (e.g., site1-proposal).
•       Set Auth. Algorithms to sha256 and Encr. Algorithms to aes-256-cbc.

3.    Create IPsec Peer (/ip ipsec peer)
•       Go to IP > IPsec > Peers.
•       Click + (Add) and name it.
•       Set Address to the remote router's public IP.
•       Set Profile to the one created in Step 1.
•       Ensure "Exchange Mode" is set (e.g., ike2).

4.    Configure Identities (PSK) (/ip ipsec identity)
•       Go to IP > IPsec > Identities.
•       Click +, select the peer from Step 3.
•       Set Auth Method to pre-shared key and enter a strong Secret (must match on both sides).

5.    Define IPsec Policy (/ip ipsec policy)
•       Go to IP > IPsec > Policies.
•       Click +, set Action to encrypt, Level to unique.
•       Set Src. Address to your local LAN subnet (e.g., 192.168.88.0/24).
•       Set Dst. Address to the remote LAN subnet (e.g., 192.168.99.0/24).
•       Enable Tunnel. 

6.    Firewall Exception (/ip firewall nat)
•       Go to IP > Firewall > NAT.
•       Add a new rule: Chain srcnat, Src. Address 192.168.88.0/24, Dst. Address 192.168.99.0/24.
•       Action: accept.
•       Important: Move this rule to the top (position 0) above your masquerade rule; otherwise masquerade rewrites the source address first and the LAN-to-LAN traffic never matches the IPsec policy.

Key Considerations
•       Version 7: The steps above work on RouterOS v6 and v7; use IKEv2 for the best compatibility on v7.
•       NAT Traversal: Enable NAT Traversal in the peer settings if either router is behind a NAT device.
•       Verification: Check IP > IPsec > Active Peers to verify that the connection is established.

Reviewed by RIO IT on 11:03