Mikrotik Router IP Sec Site to Site VPN Tunnel Configuration
A VPN, sometimes called a VPN tunnel, gives the engineer at two remote sites a way to send packets between the sites' private IP address ranges across the internet. An IPsec site-to-site VPN tunnel is used to allow secure transmission between two remote sites: IPsec provides confidentiality (encryption), integrity, and verification that the sender is legitimate (authentication).
In this scenario two remote office routers are connected to the internet, and the office workstations behind the routers are NATed. Each office has its own local network: 192.168.1.0/24 for site 1 and 10.10.10.0/24 for site 2. Both sites need a secure tunnel between the local networks behind the routers.


IP address configuration for mikrotikroutersite1:

[laxmi@mikrotikroutersetup.blogspot.com] /ip address
add address=172.16.1.2/30 interface=WAN
add address=192.168.1.1/24 interface=LOCAL
/ip route
add gateway=172.16.1.1
/ip firewall nat
add chain=srcnat out-interface=WAN action=masquerade


Mikrotikroutersite2 configuration:
[laxmi@mikrotikroutersetup.blogspot.com] /ip address
add address=172.16.100.2/30 interface=WAN
add address=10.10.10.1/24 interface=LOCAL
/ip route
add gateway=172.16.100.1
/ip firewall nat
add chain=srcnat out-interface=WAN action=masquerade

IPsec peer configuration:
We need to specify the peer's address, port and pre-shared key; the other settings keep their default values. The secret must be identical on both routers. "123456" is only a placeholder for this example; in a real deployment use a long, random pre-shared key, because the key is the only thing that authenticates the remote peer.


MikrotikRoutersite1:
/ip ipsec peer
add address=172.16.100.2/32:500 auth-method=pre-shared-key secret="123456"

MikrotikRoutersite2:
/ip ipsec peer
add address=172.16.1.2/32:500 auth-method=pre-shared-key secret="123456"

Policy and proposal configuration:
We want to encrypt data going from 192.168.1.0/24 to 10.10.10.0/24 and vice versa. On each router the policy's src-address is the local network behind that router and dst-address is the remote site's local network; sa-src-address is that router's own WAN address and sa-dst-address is the remote router's WAN address.

MikrotikrouterSite1:
/ip ipsec policy
add src-address=192.168.1.0/24:any dst-address=10.10.10.0/24:any sa-src-address=172.16.1.2 sa-dst-address=172.16.100.2 tunnel=yes action=encrypt proposal=default

MikrotikrouterSite2:
/ip ipsec policy
add src-address=10.10.10.0/24:any dst-address=192.168.1.0/24:any sa-src-address=172.16.100.2 sa-dst-address=172.16.1.2 tunnel=yes action=encrypt proposal=default

NAT bypass configuration:
The masquerade rule rewrites the source address of LAN-to-LAN packets to the WAN address before the IPsec policy is checked, so masqueraded packets never match the policy and leave the router unencrypted. An accept rule for the tunnel traffic therefore has to sit above the masquerade rule in the srcnat chain.

MikrotikrouterSite1:
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.1.0/24 dst-address=10.10.10.0/24

Mikrotikroutersite2:
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=10.10.10.0/24 dst-address=192.168.1.0/24

place-before=0 puts the rule at the top of all other NAT rules. Connections that already exist keep their masqueraded entry in the connection tracking table, so after adding the rule clear the connection table or restart the routers.
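As an added example, not part of the original post, the commands a practitioner would run after the steps above to let the tunnel traffic reach the router, flush stale NAT state, and confirm the tunnel is up. It assumes RouterOS v6 syntax and a WAN input chain that drops unsolicited traffic; the filter rules, their comments and the ping target are assumptions for this scenario, not part of the original configuration.

```routeros
# Added example (assumed RouterOS v6). Assumes the router's input chain drops
# unsolicited WAN traffic; if it does not, step 1 is harmless but unneeded.
# Run on both routers; only the ping target in step 4 differs per site.

# 1. Let IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) reach the
#    router itself. place-before=0 keeps an existing drop rule from shadowing them.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=WAN place-before=0 comment="IPsec IKE / NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface=WAN place-before=0 comment="IPsec ESP"

# 2. Flush connection tracking so flows that already have a masquerade entry
#    start matching the NAT bypass rule and the IPsec policy.
/ip firewall connection remove [find]

# 3. Verify: remote-peers lists the established IKE SA, installed-sa lists the
#    ESP SAs (one per direction), and the policy should show ph2-state=established.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec policy print

# 4. Test from site 1 using a LAN source address so the packet matches the
#    policy's src-address; a ping sourced from the WAN address would leave
#    the router unencrypted because it does not match the policy.
/ping 10.10.10.1 src-address=192.168.1.1 count=5
```

If installed-sa stays empty while remote-peers shows the peer, the IKE exchange succeeded but the phase 2 selectors do not match; compare the src-address/dst-address pairs of both policies, since they must mirror each other exactly.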
                       
See video: Mikrotik Router IP Sec Site to Site VPN Tunnel Configuration