
Site-to-Site VPN: Home Network to Cottage

This guide shows how to build a permanent encrypted tunnel between a home router and a cottage router, so both LANs can reach each other as if they were on the same network. Both sites are assumed to have consumer ISP connections — dynamic WAN IPs and upstream NAT are handled automatically by IPsec NAT traversal (NAT-T).

What you get after setup:

  • Devices at the cottage can reach home file servers, printers, and NAS by IP
  • Devices at home can reach cottage cameras, smart home gear, or remote desktops
  • All traffic between the two sites is encrypted (AES-256)

What you need before you start:

  • RouterOS 7.x on both routers (IKEv2 is stable; VTI is fully supported)
  • A DDNS hostname for at least one site — both sides can use DDNS
  • UDP 500 and UDP 4500 reachable inbound on both WAN interfaces
  • IP protocol 50 (ESP) permitted inbound — or NAT-T (UDP 4500) if one site is behind carrier NAT

Tip — carrier-grade NAT (CGNAT): If your ISP assigns a private WAN IP (100.64.x.x or 10.x.x.x), you cannot receive inbound connections. In that case, install a cheap VPS as a relay, or switch to a service with a public IP. One side with a public IP is sufficient — the CGNAT side initiates the tunnel.


              Home                                        Cottage
LAN subnet    192.168.1.0/24                              192.168.2.0/24
WAN address   Dynamic (DDNS: home.example.dyndns.org)     Dynamic (DDNS: cottage.example.dyndns.org)

Adjust subnets and hostnames to match your setup.


This guide uses IKEv2 with a pre-shared key (PSK) — the simplest approach for two RouterOS routers you control. For certificate-based auth (stronger, no shared secret), see Certificate Authentication.

# Phase 1 — IKE SA (authentication + key exchange)
/ip ipsec profile
add name=home-cottage \
hash-algorithm=sha256 \
enc-algorithm=aes-256 \
dh-group=modp2048 \
dpd-interval=30s \
dpd-maximum-failures=5 \
nat-traversal=yes
/ip ipsec peer
add name=peer-cottage \
address=cottage.example.dyndns.org \
exchange-mode=ike2 \
profile=home-cottage \
send-initial-contact=yes
/ip ipsec identity
add peer=peer-cottage \
auth-method=pre-shared-key \
secret="Use-A-Long-Random-Secret-Here!"
# Phase 2 — IPsec SA (data encryption)
/ip ipsec proposal
add name=home-cottage \
auth-algorithms=sha256 \
enc-algorithms=aes-256-cbc \
pfs-group=modp2048 \
lifetime=8h
/ip ipsec policy
add src-address=192.168.1.0/24 \
dst-address=192.168.2.0/24 \
tunnel=yes \
action=encrypt \
proposal=home-cottage \
peer=peer-cottage
# NAT bypass — must be placed before the masquerade rule
/ip firewall nat
add chain=srcnat \
action=accept \
src-address=192.168.1.0/24 \
dst-address=192.168.2.0/24 \
comment="IPsec bypass: home to cottage" \
place-before=0
# Allow IKE and ESP inbound
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
in-interface-list=WAN comment="IPsec IKE/NAT-T"
add chain=input action=accept protocol=ipsec-esp \
in-interface-list=WAN comment="IPsec ESP"

Mirror the home config with subnets and peer address reversed:

# Phase 1
/ip ipsec profile
add name=home-cottage \
hash-algorithm=sha256 \
enc-algorithm=aes-256 \
dh-group=modp2048 \
dpd-interval=30s \
dpd-maximum-failures=5 \
nat-traversal=yes
/ip ipsec peer
add name=peer-home \
address=home.example.dyndns.org \
exchange-mode=ike2 \
profile=home-cottage \
send-initial-contact=yes
/ip ipsec identity
add peer=peer-home \
auth-method=pre-shared-key \
secret="Use-A-Long-Random-Secret-Here!"
# Phase 2
/ip ipsec proposal
add name=home-cottage \
auth-algorithms=sha256 \
enc-algorithms=aes-256-cbc \
pfs-group=modp2048 \
lifetime=8h
/ip ipsec policy
add src-address=192.168.2.0/24 \
dst-address=192.168.1.0/24 \
tunnel=yes \
action=encrypt \
proposal=home-cottage \
peer=peer-home
# NAT bypass
/ip firewall nat
add chain=srcnat \
action=accept \
src-address=192.168.2.0/24 \
dst-address=192.168.1.0/24 \
comment="IPsec bypass: cottage to home" \
place-before=0
# Allow IKE and ESP inbound
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
in-interface-list=WAN comment="IPsec IKE/NAT-T"
add chain=input action=accept protocol=ipsec-esp \
in-interface-list=WAN comment="IPsec ESP"

RouterOS applies the srcnat chain before the IPsec policy engine evaluates outgoing packets. Without a bypass rule, masquerade rewrites the source IP from 192.168.1.x to the WAN address before the IPsec policy selector (src=192.168.1.0/24) is checked — so the packet is sent unencrypted. The bypass action=accept in srcnat prevents masquerade from running on IPsec-bound traffic.

If you prefer a topology-independent rule that works regardless of subnet:

/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec \
comment="IPsec bypass (all tunnels)" place-before=0

NAT-T (nat-traversal=yes, the default) handles peers behind NAT automatically — ESP is wrapped in UDP/4500 when NAT is detected. Both peers can be behind their ISP’s NAT.

For dynamic WAN IPs, use DDNS hostnames in the address= field of /ip ipsec peer. RouterOS resolves the hostname when initiating the tunnel. If the remote IP changes, DPD (dpd-interval=30s) detects the dead peer and re-initiates, resolving the hostname again.

Recommended DDNS setup (on each router):

/ip cloud
set ddns-enabled=yes
# Use the assigned hostname: <id>.sn.mynetname.net
/ip ipsec peer
set peer-cottage address=<cottage-cloud-id>.sn.mynetname.net

Or use a third-party DDNS provider via /ip dns scripts.


Certificates eliminate the shared secret. If the PSK is ever compromised, an attacker could impersonate either router. With certificates, each router proves its identity with a private key that never leaves the device.

Step 1 — Create a CA on one router (do this once)

# On the home router — generate CA
/certificate
add name=vpn-ca common-name=vpn-ca key-size=2048 \
key-usage=key-cert-sign,crl-sign days-valid=3650
sign vpn-ca

Step 2 — Generate and sign router certificates

# Home router certificate
/certificate
add name=home-router common-name=home-router key-size=2048 \
key-usage=tls-client,tls-server days-valid=1825
sign home-router ca=vpn-ca
# Cottage router certificate (generate on home, export, import on cottage)
add name=cottage-router common-name=cottage-router key-size=2048 \
key-usage=tls-client,tls-server days-valid=1825
sign cottage-router ca=vpn-ca
# Export for transfer
export-certificate vpn-ca export-passphrase=""
export-certificate cottage-router export-passphrase="TempPassphrase"

Transfer cert_export_vpn-ca.crt and cert_export_cottage-router.p12 to the cottage router, then import:

# On the cottage router
/certificate import file-name=cert_export_vpn-ca.crt passphrase=""
/certificate import file-name=cert_export_cottage-router.p12 passphrase="TempPassphrase"

Step 3 — Update identities to use certificates

# Home router
/ip ipsec identity
set [find peer=peer-cottage] \
auth-method=digital-signature \
certificate=home-router \
remote-certificate=cottage-router
# Cottage router
/ip ipsec identity
set [find peer=peer-home] \
auth-method=digital-signature \
certificate=cottage-router \
remote-certificate=home-router

Check that the tunnel is established:

/ip ipsec active-peers print

Expected output shows the remote peer with state: established and non-zero rx-bytes/tx-bytes.

Check that SAs (Security Associations) exist for both directions:

/ip ipsec installed-sa print

You should see two entries — one inbound, one outbound — per tunnel.

Ping across the tunnel from a LAN device:

# From a home LAN device (192.168.1.x), ping a cottage LAN device (192.168.2.x)
ping 192.168.2.1

Check logs on both routers:

/log print where message~"ipsec"

“no suitable proposal found” — Phase 1 or Phase 2 crypto parameters do not match. Verify that hash-algorithm, enc-algorithm, and dh-group in /ip ipsec profile are identical on both sides, and that /ip ipsec proposal enc-algorithms, auth-algorithms, and pfs-group also match.

No log entries at all — neither side is initiating. Check that the peer address= resolves correctly:

/ip dns cache print
/ping cottage.example.dyndns.org

Verify the NAT bypass rule is in place and before the masquerade rule:

/ip firewall nat print

The bypass action=accept entry must have a lower rule number than any action=masquerade entry that matches WAN traffic.
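As an added pre-flight check (not part of this guide or of RouterOS), the Python below parses an /export-style dump from each router, folds the backslash line continuations used in the configs above, and flags the three things this guide tells you to verify by hand: Phase 1 or Phase 2 parameters that differ between the sites (the cause of “no suitable proposal found”), policy selectors that are not mirrored, and a srcnat masquerade rule listed ahead of the IPsec bypass. The two exports are constructed samples in the shape of the home and cottage configs, with the cottage copy deliberately wrong on two counts.

```python
import re
import shlex
# Constructed sample exports (shape of the guide's configs); the cottage copy is wrong on purpose.
HOME = """/ip ipsec profile
add name=home-cottage hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal
add name=home-cottage auth-algorithms=sha256 enc-algorithms=aes-256-cbc \\
    pfs-group=modp2048
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 tunnel=yes action=encrypt
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
add chain=srcnat action=masquerade out-interface-list=WAN
"""
COTTAGE = """/ip ipsec profile
add name=home-cottage hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal
add name=home-cottage auth-algorithms=sha256 enc-algorithms=aes-128-cbc pfs-group=modp2048
/ip ipsec policy
add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 tunnel=yes action=encrypt
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
add chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24
"""

def parse_export(text):  # -> {menu path: [{key: value}, ...]} with entries in export order
    menus, path = {}, None
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():  # fold '\' line continuations
        if line.startswith("/"):
            path = line.strip()
        elif line.startswith("add ") and path and "template=yes" not in line:
            menus.setdefault(path, []).append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return menus

def check_sites(home, cottage):  # -> list of findings; an empty list means the two sites agree
    first = lambda menus, path: (menus.get(path) or [{}])[0]  # first entry under a menu, or {}
    findings = []
    for path, keys in (("/ip ipsec profile", ("hash-algorithm", "enc-algorithm", "dh-group")),
                       ("/ip ipsec proposal", ("auth-algorithms", "enc-algorithms", "pfs-group"))):
        h, c = first(home, path), first(cottage, path)
        findings += [f"{path} {k}: home={h.get(k)} cottage={c.get(k)}" for k in keys if h.get(k) != c.get(k)]
    hp, cp = first(home, "/ip ipsec policy"), first(cottage, "/ip ipsec policy")
    if (hp.get("src-address"), hp.get("dst-address")) != (cp.get("dst-address"), cp.get("src-address")):
        findings.append("/ip ipsec policy selectors are not mirrored between the sites")
    for site, menus in (("home", home), ("cottage", cottage)):
        acts = [r.get("action") for r in menus.get("/ip firewall nat", []) if r.get("chain") == "srcnat"]
        if "masquerade" in acts and acts.index("masquerade") < (acts + ["accept"]).index("accept"):
            findings.append(f"{site}: srcnat masquerade is listed before the IPsec bypass accept rule")
    return findings
```

Run it against the real dumps by pasting each router's /export output into HOME and COTTAGE; the NAT ordering check only looks at the relative position of the accept and masquerade rules in the srcnat chain, which is what the rule-number comparison above establishes.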

Confirm the IPsec policy is matching traffic:

/ip ipsec policy print stats

The ph2-count column should increment when you send traffic across the tunnel. If it stays at zero, the traffic is not matching the policy — check that source and destination subnets in the policy exactly match the actual LAN subnets.

Check that IPsec-encrypted traffic is not being dropped by the forward chain:

/ip firewall filter print

Ensure there is no drop rule that blocks forwarded traffic between the two subnets.

If the tunnel drops intermittently, increase DPD tolerance or extend the Phase 2 lifetime:

/ip ipsec profile set home-cottage dpd-maximum-failures=10
/ip ipsec proposal set home-cottage lifetime=24h

If one side is behind carrier NAT, the NAT mapping may time out. Setting dpd-interval=20s keeps the UDP/4500 flow active.

If traffic passes in only one direction, this usually means the NAT bypass is missing or misordered on one router. Apply the fix to both sides and recheck installed-sa print for SAs in both directions.