# IPsec IKEv2 Site-to-Site VPN

## TL;DR (Quick Start)

For the impatient: basic site-to-site IPsec VPN.

Site A (10.1.0.0/24) → Site B (10.2.0.0/24)

```
# Site A (initiator)
/ip ipsec peer add address=203.0.2.1/32 exchange-mode=ike2 name=site-b
/ip ipsec identity add peer=site-b secret=MySecretKey123 auth-method=pre-shared-key
/ip ipsec policy add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 tunnel=yes peer=site-b
/ip firewall nat add chain=srcnat action=accept src-address=10.1.0.0/24 dst-address=10.2.0.0/24 place-before=0
```

Verify:

```
/ip ipsec active-peers print
/ip ipsec policy print detail
```
## Overview

What this does: IPsec creates encrypted tunnels between geographically separated networks over the public internet, enabling secure branch-to-headquarters connectivity.
When to use this:
- Branch office connectivity
- Secure inter-site communication
- Compliance requirements for encrypted data-in-transit
- Connecting cloud VPCs to on-premises networks
IPsec Components:
| Component | Purpose |
|---|---|
| Peer | Remote VPN endpoint configuration |
| Identity | Authentication credentials (PSK or certificate) |
| Policy | Traffic selectors (what to encrypt) |
| Profile | Phase 1 (IKE_SA) parameters |
| Proposal | Phase 2 (CHILD_SA) parameters |
Prerequisites:
- Public IP addresses on both endpoints (or NAT-T)
- UDP ports 500 and 4500 open
- Matching encryption settings on both sides
## Configuration Steps

### Site A (Initiator)

#### Step 1: Create Peer

```
/ip ipsec peer add address=203.0.2.1/32 exchange-mode=ike2 name=site-b
```

#### Step 2: Configure Authentication

```
/ip ipsec identity add peer=site-b secret=MySecretKey123 auth-method=pre-shared-key
```

#### Step 3: Define Traffic Selector

```
/ip ipsec policy add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 tunnel=yes peer=site-b
```

#### Step 4: Add NAT Bypass

Place this rule BEFORE any masquerade rules:

```
/ip firewall nat add chain=srcnat action=accept src-address=10.1.0.0/24 dst-address=10.2.0.0/24 place-before=0
```

### Site B (Responder)

Mirror the configuration with reversed addresses:

```
/ip ipsec peer add address=203.0.1.1/32 exchange-mode=ike2 name=site-a passive=yes
/ip ipsec identity add peer=site-a secret=MySecretKey123 auth-method=pre-shared-key
/ip ipsec policy add src-address=10.2.0.0/24 dst-address=10.1.0.0/24 tunnel=yes peer=site-a
/ip firewall nat add chain=srcnat action=accept src-address=10.2.0.0/24 dst-address=10.1.0.0/24 place-before=0
```
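The two sites above must mirror each other exactly, and the NAT bypass must sit above masquerade. The following added example (not MikroTik code, not from this page) generates both sites' commands from one description, checks that the policy selectors mirror, and simulates what `place-before=0` does to the srcnat chain so the ordering mistake is caught before deployment. The `Site` class and the srcnat chain representation are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    name: str       # peer name the other router uses for us, e.g. "site-a"
    public_ip: str  # WAN address the other router dials, e.g. "203.0.1.1"
    lan: str        # subnet carried through the tunnel, e.g. "10.1.0.0/24"

def build_site(local: Site, remote: Site, secret: str, passive: bool = False) -> list[str]:
    """RouterOS commands for `local` to reach `remote`, mirroring the page's four steps."""
    flag = " passive=yes" if passive else ""
    return [
        f"/ip ipsec peer add address={remote.public_ip}/32 exchange-mode=ike2 name={remote.name}{flag}",
        f"/ip ipsec identity add peer={remote.name} secret={secret} auth-method=pre-shared-key",
        f"/ip ipsec policy add src-address={local.lan} dst-address={remote.lan} tunnel=yes peer={remote.name}",
        # place-before=0 puts the bypass at the top of srcnat, ahead of any masquerade rule
        f"/ip firewall nat add chain=srcnat action=accept src-address={local.lan} dst-address={remote.lan} place-before=0",
    ]

def kv(cmd: str) -> dict[str, str]:
    """Collect the key=value tokens of one RouterOS command."""
    return dict(tok.split("=", 1) for tok in cmd.split() if "=" in tok)

def policies_mirror(a_cmds: list[str], b_cmds: list[str]) -> bool:
    """True when every policy selector on A appears reversed (src<->dst) on B."""
    pa = [kv(c) for c in a_cmds if c.startswith("/ip ipsec policy add")]
    pb = [kv(c) for c in b_cmds if c.startswith("/ip ipsec policy add")]
    return {(p["src-address"], p["dst-address"]) for p in pa} == \
           {(p["dst-address"], p["src-address"]) for p in pb}

def apply_nat(chain: list[str], cmd: str) -> list[str]:
    """Simulate `/ip firewall nat add`: append, or insert at the place-before index (constructed model)."""
    opts = kv(cmd)
    rule = " ".join(f"{k}={v}" for k, v in opts.items() if k != "place-before")
    pos = int(opts["place-before"]) if "place-before" in opts else len(chain)
    return chain[:pos] + [rule] + chain[pos:]

def bypass_precedes_masquerade(chain: list[str]) -> bool:
    """Walk srcnat in order: the VPN accept rule must be hit before any masquerade."""
    for rule in chain:
        opts = kv(rule)
        if opts.get("action") == "masquerade":
            return False          # masquerade reached first: VPN traffic gets NATed
        if opts.get("action") == "accept" and "dst-address" in opts:
            return True
    return False                  # no bypass rule installed at all
```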
## Custom Encryption Settings

### Profile (Phase 1)

```
/ip ipsec profile add name=strong-profile \
    dh-group=modp2048,modp1024 \
    enc-algorithm=aes-256,aes-128 \
    hash-algorithm=sha256
```

### Proposal (Phase 2)

```
/ip ipsec proposal add name=strong-proposal \
    enc-algorithms=aes-256-cbc,aes-128-cbc \
    auth-algorithms=sha256,sha1 \
    pfs-group=modp2048
```

### Apply to Peer

```
/ip ipsec peer set site-b profile=strong-profile
/ip ipsec policy set [find peer=site-b] proposal=strong-proposal
```

### MD5 Authentication

For additional session security:

```
/ip ipsec peer set site-b tcp-md5-key="auth-key-here"
```

Both peers must use identical keys.
## NAT Traversal

When either endpoint is behind NAT:

```
/ip ipsec profile set [find] nat-traversal=yes
```

## Verification

```
# Phase 1 status
/ip ipsec active-peers print
# Expected: STATE=established

# Phase 2 status
/ip ipsec policy print detail
# Expected: ph2-state=established

# Active security associations
/ip ipsec installed-sa print
# Look for: hw-aead=yes (hardware acceleration)

# Traffic statistics
/ip ipsec statistics print
```
## Troubleshooting

| Symptom | Cause | Solution |
|---|---|---|
| Phase 1 fails “no proposal” | Algorithm mismatch | Align profile settings on both ends |
| Phase 1 OK, no traffic | Policy mismatch or missing NAT bypass | Check src/dst addresses mirror, add NAT bypass |
| Tunnel works then stops | NAT mapping timeout | Enable NAT-T: nat-traversal=yes |
| “No matching identity” | Identity mismatch | Verify peer names and secrets match |
| Slow performance | Software encryption | Use AES-GCM, verify hw-aead=yes |
| FastTrack bypasses IPsec | FastTrack processes first | Add accept before FastTrack for VPN traffic |
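The “no proposal” row above and the Custom Encryption Settings section are two sides of the same check: the initiator's and responder's algorithm lists must overlap, and the overlap should not land on a weak fallback. This added example (not MikroTik code, not from this page) parses the page's profile/proposal commands, applies a simplified selection model (first initiator-ordered value the responder also lists; real responders may use their own preference order), and reports empty intersections and weak picks. The Site B profiles `legacy` and `bad` are constructed for the example.

```python
from __future__ import annotations

# Algorithms the page's Common Mistakes list says to avoid, plus the modp1024/sha1
# fallbacks that the page's "strong" profile and proposal still offer.
WEAK = {"3des", "des", "md5", "sha1", "modp768", "modp1024"}
PHASE1_KEYS = ("dh-group", "enc-algorithm", "hash-algorithm")      # /ip ipsec profile
PHASE2_KEYS = ("enc-algorithms", "auth-algorithms", "pfs-group")   # /ip ipsec proposal

def parse_settings(cmd: str) -> dict[str, list[str]]:
    """Turn a (possibly backslash-continued) profile/proposal command into {key: [values]}."""
    opts: dict[str, list[str]] = {}
    for tok in cmd.replace("\\", " ").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            opts[key] = val.split(",")
    return opts

def negotiate(initiator: dict, responder: dict, keys: tuple[str, ...]) -> dict[str, str | None]:
    """Simplified IKE selection: first initiator-ordered value the responder also lists."""
    chosen: dict[str, str | None] = {}
    for key in keys:
        offered = set(responder.get(key, []))
        chosen[key] = next((v for v in initiator.get(key, []) if v in offered), None)
    return chosen

def diagnose(init_cmd: str, resp_cmd: str, keys: tuple[str, ...] = PHASE1_KEYS) -> dict:
    """Report what would be negotiated, which parameters fail ("no proposal"), and weak picks."""
    chosen = negotiate(parse_settings(init_cmd), parse_settings(resp_cmd), keys)
    return {
        "chosen": chosen,
        "no_proposal": [k for k, v in chosen.items() if v is None],
        "weak": [f"{k}={v}" for k, v in chosen.items() if v in WEAK],
    }

# Site A's profile exactly as on this page
SITE_A_PROFILE = ("/ip ipsec profile add name=strong-profile dh-group=modp2048,modp1024 \\ "
                  "enc-algorithm=aes-256,aes-128 \\ hash-algorithm=sha256")
# Constructed Site B profiles showing the two failure modes
SITE_B_LEGACY = "/ip ipsec profile add name=legacy dh-group=modp1024 enc-algorithm=aes-128 hash-algorithm=sha256"
SITE_B_BAD = "/ip ipsec profile add name=bad dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1"
```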
## Common Mistakes
- Don’t forget the NAT bypass rule, and place it BEFORE masquerade
- Don’t mismatch src/dst addresses between sites (they must mirror)
- Don’t use weak encryption (avoid 3DES, MD5)
## Related Topics

- Firewall NAT - NAT bypass for IPsec
- GRE Tunnels - GRE over IPsec for dynamic routing
- OSPF - Dynamic routing over IPsec/GRE

## Reference

For additional MikroTik IPsec documentation, visit help.mikrotik.com