Skip to content
MikroTik RouterOS Docs

Site-to-Site VPN: Home Network to Cottage

Site-to-Site VPN: Home Network to Cottage

Section titled “Site-to-Site VPN: Home Network to Cottage”

This guide shows how to build a permanent encrypted tunnel between a home router and a cottage router, so both LANs can reach each other as if they were on the same network. Both sites are assumed to have consumer ISP connections — dynamic WAN IPs and upstream NAT are handled automatically by IPsec NAT traversal (NAT-T).

What you get after setup:

  • Devices at the cottage can reach home file servers, printers, and NAS by IP
  • Devices at home can reach cottage cameras, smart home gear, or remote desktops
  • All traffic between the two sites is encrypted (AES-256)

Prerequisites

Section titled “Prerequisites”
  • RouterOS 7.x on both routers (IKEv2 is stable; VTI is fully supported)
  • A DDNS hostname for at least one site — both sides can use DDNS
  • UDP 500 and UDP 4500 reachable inbound on both WAN interfaces
  • IP protocol 50 (ESP) permitted inbound — or NAT-T (UDP 4500) if one site is behind carrier NAT

Tip — carrier-grade NAT (CGNAT): If your ISP assigns a private WAN IP (100.64.x.x or 10.x.x.x), you cannot receive inbound connections. In that case, install a cheap VPS as a relay, or switch to a service with a public IP. One side with a public IP is sufficient — the CGNAT side initiates the tunnel.

Network Layout

Section titled “Network Layout”
HomeCottage
LAN subnet192.168.1.0/24192.168.2.0/24
WAN addressDynamic (DDNS: home.example.dyndns.org)Dynamic (DDNS: cottage.example.dyndns.org)

Adjust subnets and hostnames to match your setup.

Configuration

Section titled “Configuration”

This guide uses IKEv2 with a pre-shared key (PSK) — the simplest approach for two RouterOS routers you control. For certificate-based auth (stronger, no shared secret), see Certificate Authentication.

Home Router

Section titled “Home Router”
# Phase 1 — IKE SA (authentication + key exchange)
/ip ipsec profile
add name=home-cottage \
    hash-algorithm=sha256 \
    enc-algorithm=aes-256 \
    dh-group=modp2048 \
    dpd-interval=30s \
    dpd-maximum-failures=5 \
    nat-traversal=yes


/ip ipsec peer
add name=peer-cottage \
    address=cottage.example.dyndns.org \
    exchange-mode=ike2 \
    profile=home-cottage \
    send-initial-contact=yes


/ip ipsec identity
add peer=peer-cottage \
    auth-method=pre-shared-key \
    secret="Use-A-Long-Random-Secret-Here!"


# Phase 2 — IPsec SA (data encryption)
/ip ipsec proposal
add name=home-cottage \
    auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 \
    lifetime=8h


/ip ipsec policy
add src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 \
    tunnel=yes \
    action=encrypt \
    proposal=home-cottage \
    peer=peer-cottage


# NAT bypass — must appear before any masquerade rule in the srcnat chain
/ip firewall nat
add chain=srcnat \
    action=accept \
    src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 \
    comment="IPsec bypass: home to cottage"


# After adding, verify rule order with: /ip firewall nat print
# The bypass rule must have a lower number than any action=masquerade rule.
# If needed, move it: /ip firewall nat move [find comment="IPsec bypass: home to cottage"] destination=0


# Ensure the WAN interface-list exists (default RouterOS config includes it;
# on a clean/no-defaults install, create it first):
/interface list add name=WAN
/interface list member add list=WAN interface=<your-wan-interface>


# Allow IKE and ESP inbound
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN comment="IPsec IKE/NAT-T"
add chain=input action=accept protocol=ipsec-esp \
    in-interface-list=WAN comment="IPsec ESP"

Cottage Router

Section titled “Cottage Router”

Mirror the home config with subnets and peer address reversed:

# Phase 1
/ip ipsec profile
add name=home-cottage \
    hash-algorithm=sha256 \
    enc-algorithm=aes-256 \
    dh-group=modp2048 \
    dpd-interval=30s \
    dpd-maximum-failures=5 \
    nat-traversal=yes


/ip ipsec peer
add name=peer-home \
    address=home.example.dyndns.org \
    exchange-mode=ike2 \
    profile=home-cottage \
    send-initial-contact=yes


/ip ipsec identity
add peer=peer-home \
    auth-method=pre-shared-key \
    secret="Use-A-Long-Random-Secret-Here!"


# Phase 2
/ip ipsec proposal
add name=home-cottage \
    auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 \
    lifetime=8h


/ip ipsec policy
add src-address=192.168.2.0/24 \
    dst-address=192.168.1.0/24 \
    tunnel=yes \
    action=encrypt \
    proposal=home-cottage \
    peer=peer-home


# NAT bypass — must appear before any masquerade rule in the srcnat chain
/ip firewall nat
add chain=srcnat \
    action=accept \
    src-address=192.168.2.0/24 \
    dst-address=192.168.1.0/24 \
    comment="IPsec bypass: cottage to home"


# After adding, verify rule order: /ip firewall nat print
# If needed, move it: /ip firewall nat move [find comment="IPsec bypass: cottage to home"] destination=0


# Allow IKE and ESP inbound (WAN interface-list must exist — see Home Router note above)
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN comment="IPsec IKE/NAT-T"
add chain=input action=accept protocol=ipsec-esp \
    in-interface-list=WAN comment="IPsec ESP"

Why the NAT bypass rule is required

Section titled “Why the NAT bypass rule is required”

RouterOS applies the srcnat chain before the IPsec policy engine evaluates outgoing packets. Without a bypass rule, masquerade rewrites the source IP from 192.168.1.x to the WAN address before the IPsec policy selector (src=192.168.1.0/24) is checked — so the packet is sent unencrypted. The bypass action=accept in srcnat prevents masquerade from running on IPsec-bound traffic.

If you prefer a topology-independent rule that works regardless of subnet:

/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec \
    comment="IPsec bypass (all tunnels)"

After adding either form, verify the rule sits above any masquerade rule: /ip firewall nat print

Dynamic IP Handling

Section titled “Dynamic IP Handling”

NAT-T (nat-traversal=yes, the default) handles peers behind NAT automatically — ESP is wrapped in UDP/4500 when NAT is detected. Both peers can be behind their ISP’s NAT.

For dynamic WAN IPs, use DDNS hostnames in the address= field of /ip ipsec peer. RouterOS resolves the hostname when initiating the tunnel. If the remote IP changes, DPD (dpd-interval=30s) detects the dead peer and re-initiates, resolving the hostname again.

Recommended DDNS setup (on each router):

/ip cloud
set ddns-enabled=yes


# Use the assigned hostname: <id>.sn.mynetname.net
/ip ipsec peer
set peer-cottage address=<cottage-cloud-id>.sn.mynetname.net

Or use a third-party DDNS provider via /ip dns scripts.

Certificate Authentication

Section titled “Certificate Authentication”

Certificates eliminate the shared secret. If the PSK is ever compromised, an attacker could impersonate either router. With certificates, each router proves its identity with a private key that never leaves the device.

Clock sync required: IKEv2 validates certificate validity periods against the current time. If either router’s clock is more than a few minutes off, certificate authentication will silently fail with no useful log message. Before generating or importing certificates, verify NTP is working:

/system/ntp/client/print
/system/clock/print

If NTP is not configured: /system/ntp/client set enabled=yes servers=pool.ntp.org

Step 1 — Create a CA on one router (do this once)

Section titled “Step 1 — Create a CA on one router (do this once)”
# On the home router — generate CA
/certificate add name=vpn-ca common-name=vpn-ca key-size=2048 \
    key-usage=key-cert-sign,crl-sign days-valid=3650
# sign is a separate command under /certificate, not a continuation of add:
/certificate sign vpn-ca

Step 2 — Generate and sign router certificates

Section titled “Step 2 — Generate and sign router certificates”
# Home router certificate
/certificate add name=home-router common-name=home-router key-size=2048 \
    key-usage=tls-client,tls-server days-valid=1825
/certificate sign home-router ca=vpn-ca


# Cottage router certificate (generate on home, export, import on cottage)
/certificate add name=cottage-router common-name=cottage-router key-size=2048 \
    key-usage=tls-client,tls-server days-valid=1825
/certificate sign cottage-router ca=vpn-ca


# Export for transfer
/certificate export-certificate vpn-ca export-passphrase=""
/certificate export-certificate cottage-router export-passphrase="TempPassphrase"

Transfer cert_export_vpn-ca.crt, cert_export_cottage-router.crt, and cert_export_cottage-router.key to the cottage router, then import:

# On the cottage router
/certificate import file-name=cert_export_vpn-ca.crt passphrase=""
/certificate import file-name=cert_export_cottage-router.crt passphrase=""
/certificate import file-name=cert_export_cottage-router.key passphrase="TempPassphrase"

Step 3 — Update identities to use certificates

Section titled “Step 3 — Update identities to use certificates”
# Home router
/ip ipsec identity
set [find peer=peer-cottage] \
    auth-method=digital-signature \
    certificate=home-router \
    remote-certificate=cottage-router


# Cottage router
/ip ipsec identity
set [find peer=peer-home] \
    auth-method=digital-signature \
    certificate=cottage-router \
    remote-certificate=home-router

Verification

Section titled “Verification”

Check that the tunnel is established:

/ip ipsec active-peers print

Expected output shows the remote peer with state: established and non-zero rx-bytes/tx-bytes.

Check that SAs (Security Associations) exist for both directions:

/ip ipsec installed-sa print

You should see two entries — one inbound, one outbound — per tunnel.

Ping across the tunnel from a LAN device:

# From a home LAN device (192.168.1.x), ping a cottage LAN device (192.168.2.x)
ping 192.168.2.1

Troubleshooting

Section titled “Troubleshooting”

Tunnel not coming up (no active peers)

Section titled “Tunnel not coming up (no active peers)”

Check logs on both routers:

/log print where message~"ipsec"

“no suitable proposal found” — Phase 1 or Phase 2 crypto parameters do not match. Verify that hash-algorithm, enc-algorithm, and dh-group in /ip ipsec profile are identical on both sides, and that /ip ipsec proposal enc-algorithms, auth-algorithms, and pfs-group also match.

No log entries at all — neither side is initiating. Check that the peer address= resolves correctly:

/ip dns cache print
/ping cottage.example.dyndns.org

Tunnel up but no traffic passes

Section titled “Tunnel up but no traffic passes”

Verify the NAT bypass rule is in place and before the masquerade rule:

/ip firewall nat print

The bypass action=accept entry must have a lower rule number than any action=masquerade entry that matches WAN traffic.

Confirm the IPsec policy is matching traffic:

/ip ipsec policy print detail

The ph2-count field should increment when you send traffic across the tunnel. If it stays at zero, the traffic is not matching the policy — check that source and destination subnets in the policy exactly match the actual LAN subnets.

Check that IPsec-encrypted traffic is not being dropped by the forward chain:

/ip firewall filter print

Ensure there is no drop rule that blocks forwarded traffic between the two subnets.

Tunnel drops periodically

Section titled “Tunnel drops periodically”

Increase DPD tolerance or extend the Phase 2 lifetime:

/ip ipsec profile set home-cottage dpd-maximum-failures=10
/ip ipsec proposal set home-cottage lifetime=24h

If one side is behind carrier NAT, the NAT mapping may time out. Setting dpd-interval=20s keeps the UDP/4500 flow active.

One-way traffic only

Section titled “One-way traffic only”

This usually means the NAT bypass is missing or misordered on one router. Apply the fix to both sides and recheck installed-sa print for two-direction SAs.

See Also

Section titled “See Also”