Mikrotik, Site to Site VPN

A detailed description of the tunnel parameters can be found in a separate article.

Note:
176.53.182.35 – external IP-address of your Edge Gateway
10.10.10.0/24 – local network connected to your Edge Gateway
176.53.182.58 – external IP-address of your router Mikrotik
10.0.0.0/24 – local network connected to your Mikrotik


Connection setup is carried out in two stages.

Stage №1: Configure the Mikrotik router.
Stage №2: Configure the Edge Gateway on the remote server.



Stage №1

On the «IP» tab, choose «IPsec» from the drop-down menu.
Open the «Peers» tab and click «Add new» to add a new connection.

In the window that opens, enter the following values:
Name – connection name
Address – external IP-address of your Edge Gateway
Local Address – external IP-address of your Mikrotik router
Exchange Mode – IKE2


Go to the «Proposals» tab and click «Add new».


In the «Name» field enter a name for the proposal and set:
Auth. Algorithms – choose sha256
Encr. Algorithms – tick aes-256 cbc
PFS Group – choose modp2048


Go to the «Identities» tab and click «Add new».

In the field «Peer» choose the connection created earlier.
In the field «Auth. Method» choose the value pre shared key.
In the field «Secret» enter a password for the connection. Write down the password: you will need it in Stage №2.
In the field «Notrack Chain» choose the value prerouting.


Go to the «Policies» tab and click «Add new».


In the field «Peer» choose the connection created earlier.
Tick the parameter «Tunnel».
«Src. Address» – local network address connected to your Mikrotik
«Dst. Address» – local network address connected to your Edge Gateway
In the field «Action» choose encrypt
In the field «Level» choose require
In the field «IPsec Protocols» choose esp
In the field «Proposal» choose the proposal created earlier


Go to the «Profiles» tab and click on «default».


Change the settings to the following values:
Hash Algorithms – sha256
Encryption Algorithm – aes-256
DH Group – modp2048


Go to the «Firewall» sub menu, open the «Filter Rules» tab and click «Add New».


In the field «Chain» choose the value forward
In the field «Src. Address» enter the local network address connected to your Edge Gateway
In the field «Dst. Address» enter the local network address connected to your Mikrotik
On the «Action» tab choose the value accept


Repeat the steps to add a second firewall rule, but this time enter the local network address connected to your Mikrotik in «Src. Address» and the local network address connected to your Edge Gateway in «Dst. Address».


Go to the «NAT» tab and click «Add New» to add a new rule.


In the field «Chain» choose the value forward
In the field «Src. Address» enter the local network address connected to your Mikrotik
In the field «Dst. Address» enter the local network address connected to your Edge Gateway

Add another rule with the values of «Src. Address» and «Dst. Address» swapped.
The result should be two "mirror" rules.


Go to the «RAW» tab and click «Add New».


In the field «Chain» choose the value prerouting
In the field «Src. Address» enter the local network address connected to your Mikrotik
In the field «Dst. Address» enter the local network address connected to your Edge Gateway

Create one more rule, this time entering the local network address connected to your Edge Gateway in «Src. Address» and the local network address connected to your Mikrotik in «Dst. Address».
The result should be two "mirror" rules.
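The same Stage №1 configuration can be entered in the RouterOS terminal instead of WebFig. The block below is an added example, not part of the original article; it uses the addresses from the Note at the top, while the object names (edge-gw, edge-proposal), the PSK placeholder and the rule actions are assumptions. Two points differ from the GUI description and are marked in the comments: the NAT rule is placed in the srcnat chain (the chain where RouterOS evaluates source NAT, so that tunnel traffic is excluded from masquerade), and the RAW rules use action=notrack, which is what the «Notrack Chain» setting in Identities is for.

```routeros
# Added example: RouterOS CLI equivalent of the Stage 1 steps.
# Addresses: 176.53.182.35 = Edge Gateway, 176.53.182.58 = Mikrotik,
# 10.10.10.0/24 = network behind the Edge, 10.0.0.0/24 = network behind the Mikrotik.
# Names (edge-gw, edge-proposal) and the secret placeholder are assumptions.

# Profiles tab: phase 1 (IKE) algorithms on the default profile
/ip ipsec profile set default hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048

# Peers tab: the Edge Gateway is the remote peer, IKEv2 exchange
/ip ipsec peer add name=edge-gw address=176.53.182.35/32 \
    local-address=176.53.182.58 exchange-mode=ike2 profile=default

# Proposals tab: phase 2 (ESP) algorithms.
# pfs-group is taken from the article; both sides must agree on PFS, so if the
# Edge side has PFS disabled and phase 2 fails, set pfs-group=none here instead.
/ip ipsec proposal add name=edge-proposal auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048

# Identities tab: pre-shared key, same value is entered on the Edge in Stage 2
/ip ipsec identity add peer=edge-gw auth-method=pre-shared-key \
    secret="REPLACE-WITH-YOUR-PSK" notrack-chain=prerouting

# Policies tab: tunnel-mode ESP policy between the two local networks
/ip ipsec policy add peer=edge-gw tunnel=yes src-address=10.0.0.0/24 \
    dst-address=10.10.10.0/24 action=encrypt level=require protocol=esp \
    proposal=edge-proposal

# Firewall > Filter Rules: allow forwarded traffic in both directions.
# These must sit above any drop rule in the forward chain.
/ip firewall filter add chain=forward src-address=10.10.10.0/24 \
    dst-address=10.0.0.0/24 action=accept
/ip firewall filter add chain=forward src-address=10.0.0.0/24 \
    dst-address=10.10.10.0/24 action=accept

# Firewall > NAT: exempt tunnel traffic from masquerade (assumption: srcnat chain,
# placed above the masquerade rule; the article's GUI text says "forward")
/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 \
    dst-address=10.10.10.0/24 action=accept
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 \
    dst-address=10.0.0.0/24 action=accept

# Firewall > RAW: bypass connection tracking for tunnel traffic (assumption: notrack)
/ip firewall raw add chain=prerouting src-address=10.0.0.0/24 \
    dst-address=10.10.10.0/24 action=notrack
/ip firewall raw add chain=prerouting src-address=10.10.10.0/24 \
    dst-address=10.0.0.0/24 action=notrack
```

Rule order matters in RouterOS: check the position of the new filter and NAT rules with /ip firewall filter print and /ip firewall nat print, and move them above any drop or masquerade rule if they landed below it.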
 

 

Stage №2


Go to your personal account and select the desired Datacenter.

In the «Networking» menu choose the «Edges» sub menu.

Select your Edge Gateway and click CONFIGURE SERVICES.

In the window that opens, go to the «VPN» tab.
Choose the «IPsec VPN» sub tab and go to the «IPsec VPN Sites» sub menu.
Click «+» to set up the connection.

In the window that appears, move the «Enabled» slider to the active state. «Enable perfect forward secrecy (PFS)» must be disabled: when this option is enabled, problems are observed and the tunnel may drop, so we recommend disabling PFS.
In the field «Name» enter the name of your connection.
In the fields «Local Id» and «Local Endpoint» enter the external IP-address of your Edge Gateway.
In the field «Local Subnets» enter the local network address connected to your Edge Gateway.


In the fields «Peer Id» and «Peer Endpoint» enter the external IP-address of your Mikrotik router.
In the field «Peer Subnets» enter the local network address connected to your Mikrotik.



Choose the following settings:
Encryption Algorithm – AES256
Authentication – PSK
In the field «Pre-Shared Key» enter the password that you wrote down. It is the same value you entered in the Mikrotik settings in the field «Secret».


Choose the following settings:
Diffie-Hellman Group – DH14
Digest Algorithm – SHA-256
IKE Option – IKEv2
Session Type – Policy Based Session

Click «Keep» to save the changes.


Go to the tab «Activation Status» and activate «IPsec VPN Service Status»
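Once both stages are complete, the tunnel can be checked from the Mikrotik terminal. The commands below are an added example, not part of the original article; the host addresses in the ping (10.0.0.1 on the Mikrotik LAN, 10.10.10.1 behind the Edge) are assumptions, so substitute a real host in each local network.

```routeros
# Added example: verifying the tunnel on the Mikrotik after Stage 2.
# 10.0.0.1 and 10.10.10.1 are assumed host addresses, one in each local network.

# Keep IKE negotiation messages in the in-memory log (useful when the tunnel does not come up)
/system logging add topics=ipsec,!packet action=memory

# Send traffic that matches the policy selectors so that the tunnel is negotiated
/ping 10.10.10.1 src-address=10.0.0.1 count=5

# Phase 1: the Edge Gateway (176.53.182.35) should be listed as an established peer
/ip ipsec active-peers print

# Phase 2: one ESP SA in each direction between 176.53.182.58 and 176.53.182.35
/ip ipsec installed-sa print

# The policy should show ph2-state=established
/ip ipsec policy print

# If the peer or SA is missing, compare the negotiation messages with the settings of both sides
/log print where topics~"ipsec"
```

The most common reasons for a missing SA are a mismatch in one of the paired settings (sha256/SHA-256, aes-256/AES256, modp2048/DH14, ike2/IKEv2, the PFS setting and the pre-shared key) or the two subnets on the Edge side not matching the «Src. Address»/«Dst. Address» of the Mikrotik policy exactly.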
