
IPsec Site-to-Site VPN (IKEv2)

IPsec is the standard protocol suite for encrypting IP traffic between sites. RouterOS supports IKEv2 (and the older IKEv1) for key exchange and can run IPsec in two modes: policy-based (traffic is selected by source/destination subnet) and route-based using Virtual Tunnel Interfaces (VTI).

This guide covers both modes for site-to-site tunnels using IKEv2 with pre-shared keys.


IPsec negotiation proceeds in two phases:

  • Phase 1 (IKE SA) — the two peers authenticate each other and establish an encrypted channel. RouterOS objects: profile, peer, identity.
  • Phase 2 (Child SA / IPsec SA) — the peers negotiate the actual data protection parameters and traffic selectors. RouterOS objects: proposal, policy.

Policy-based tunnels use explicit source/destination subnet selectors in /ip ipsec policy. Traffic matching the selectors is encrypted and sent through the tunnel. Routing does not change: a matched packet is still routed normally (usually toward the default gateway), and the IPsec policy engine picks it up after the routing decision and after srcnat, encapsulating it in ESP to the peer instead of forwarding it in the clear.

Route-based tunnels use a Virtual Tunnel Interface (VTI). The IPsec SA protects all traffic flowing through the interface, and normal routing decides what enters it. This is more flexible: you can run dynamic routing protocols (OSPF, BGP) over the VTI and policy selectors become 0.0.0.0/0.

profile          ← Phase 1 crypto + DH + DPD settings
└── peer         ← remote address, exchange mode
    └── identity ← auth method (PSK / certificate)
proposal         ← Phase 2 crypto + PFS settings
└── policy       ← selectors (src/dst), tunnel=yes, bound peer and proposal

  • RouterOS 7.x recommended (VTI is fully supported; IKEv2 is stable)
  • UDP 500 and UDP 4500 reachable between the two WAN IPs
  • IP protocol 50 (ESP) permitted inbound on both sides; if either router sits behind NAT, ESP is carried inside UDP 4500 (NAT-T) instead and only the UDP ports matter
  • A long, random pre-shared key generated for this tunnel alone (the examples below use a placeholder)

Scenario: Site A (WAN 198.51.100.1, LAN 10.10.10.0/24) ↔ Site B (WAN 203.0.113.2, LAN 10.20.20.0/24).

# ---- Phase 1 ----
/ip ipsec profile
add name=ike2-profile \
hash-algorithm=sha256 \
enc-algorithm=aes-256,aes-128 \
dh-group=modp2048 \
dpd-interval=30s \
dpd-maximum-failures=5
/ip ipsec peer
add name=peer-site-b \
address=203.0.113.2/32 \
exchange-mode=ike2 \
profile=ike2-profile \
local-address=198.51.100.1
/ip ipsec identity
# Replace the placeholder with a long random PSK unique to this tunnel; with
# IKEv2 + PSK the secret is the only thing that authenticates the peer.
add peer=peer-site-b \
auth-method=pre-shared-key \
secret="StrongSharedSecret!"
# ---- Phase 2 ----
/ip ipsec proposal
add name=ph2-proposal \
auth-algorithms=sha256 \
enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/ip ipsec policy
add src-address=10.10.10.0/24 \
dst-address=10.20.20.0/24 \
sa-src-address=198.51.100.1 \
sa-dst-address=203.0.113.2 \
tunnel=yes \
action=encrypt \
proposal=ph2-proposal \
peer=peer-site-b
# ---- NAT bypass (place before masquerade rule) ----
/ip firewall nat
add chain=srcnat \
src-address=10.10.10.0/24 \
dst-address=10.20.20.0/24 \
action=accept \
comment="IPsec bypass" \
place-before=0
# ---- Firewall: allow IKE and ESP inbound ----
# "add" appends to the end of the chain; if the input chain ends in a drop rule,
# use place-before=<number of that rule> so these land above it. Adding
# src-address=203.0.113.2 to both rules keeps IKE/ESP closed to everyone but the peer.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE/NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
# Decrypted tunnel traffic re-enters the forward chain with the WAN interface as
# in-interface, so the default "drop all from WAN not DSTNATed" rule would drop it.
# Accept it explicitly above that rule:
add chain=forward action=accept ipsec-policy=in,ipsec comment="IPsec decrypted" place-before=0

Mirror Site A with addresses reversed:

# Phase 1
/ip ipsec profile
add name=ike2-profile \
hash-algorithm=sha256 \
enc-algorithm=aes-256,aes-128 \
dh-group=modp2048 \
dpd-interval=30s \
dpd-maximum-failures=5
/ip ipsec peer
add name=peer-site-a \
address=198.51.100.1/32 \
exchange-mode=ike2 \
profile=ike2-profile \
local-address=203.0.113.2
/ip ipsec identity
add peer=peer-site-a \
auth-method=pre-shared-key \
secret="StrongSharedSecret!"
# Phase 2
/ip ipsec proposal
add name=ph2-proposal \
auth-algorithms=sha256 \
enc-algorithms=aes-256-cbc \
pfs-group=modp2048
/ip ipsec policy
add src-address=10.20.20.0/24 \
dst-address=10.10.10.0/24 \
sa-src-address=203.0.113.2 \
sa-dst-address=198.51.100.1 \
tunnel=yes \
action=encrypt \
proposal=ph2-proposal \
peer=peer-site-a
# NAT bypass
/ip firewall nat
add chain=srcnat \
src-address=10.20.20.0/24 \
dst-address=10.10.10.0/24 \
action=accept \
comment="IPsec bypass" \
place-before=0
# Firewall (same placement notes as Site A; restrict with src-address=198.51.100.1)
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE/NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
add chain=forward action=accept ipsec-policy=in,ipsec comment="IPsec decrypted" place-before=0

In RouterOS the srcnat chain is evaluated before the IPsec policy lookup. Without a bypass rule, masquerade rewrites the packet's source to the WAN address first; the policy selector then sees 198.51.100.1 → 10.20.20.x instead of 10.10.10.x → 10.20.20.x, nothing matches, and the packet leaves the WAN interface in cleartext toward the default gateway. Nothing fails loudly: the upstream normally just discards the private destination, so the visible symptom is "SAs installed, traffic not passing" while plaintext has already gone out on the wire. The bypass rule must therefore sit above every masquerade rule; confirm it is being hit by watching its counters with /ip firewall nat print stats.

An alternative is the ipsec-policy matcher, which matches any packet that an outgoing IPsec policy will encrypt, whatever its addresses, so the rule does not need to be updated when policies are added:

/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec comment="IPsec bypass" place-before=0
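To make the ordering point concrete, here is an added example in Python (not RouterOS code and not from this page's author): a toy model of the srcnat chain followed by the policy-selector check, using the Site A addresses and rules above. The first-match chain semantics, the rule dictionaries and the sample packets are the model's own simplifications; it shows that placing the bypass after masquerade, or omitting it, sends LAN-to-LAN traffic out as plaintext, while either the address-based bypass or the ipsec-policy matcher keeps it in ESP and leaves Internet-bound traffic masqueraded.

```python
"""Toy model of why the IPsec NAT-bypass rule must precede masquerade.

Added example, not RouterOS code.  It models the relevant part of the packet
path as this guide describes it: the srcnat chain runs first (first matching
terminating rule wins) and only then is the packet compared against the
/ip ipsec policy selectors.  Addresses and rules come from the Site A scenario.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

SITE_A_LAN = ip_network("10.10.10.0/24")
SITE_B_LAN = ip_network("10.20.20.0/24")
SITE_A_WAN = ip_address("198.51.100.1")

# The single policy from the Site A configuration.
POLICY = {"src": SITE_A_LAN, "dst": SITE_B_LAN, "action": "encrypt"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def policy_matches(pkt: Packet) -> bool:
    """True if the packet falls inside the policy's traffic selectors."""
    return ip_address(pkt.src) in POLICY["src"] and ip_address(pkt.dst) in POLICY["dst"]


def srcnat(pkt: Packet, rules: list[dict]) -> Packet:
    """Walk the srcnat chain; the first matching rule decides.

    Rule keys (all optional): src, dst (networks), ipsec_policy_out (bool),
    action ('accept' or 'masquerade').  The ipsec-policy=out,ipsec matcher is
    evaluated against the pre-NAT packet, which is why it needs no selectors.
    """
    for rule in rules:
        if "src" in rule and ip_address(pkt.src) not in rule["src"]:
            continue
        if "dst" in rule and ip_address(pkt.dst) not in rule["dst"]:
            continue
        if rule.get("ipsec_policy_out") and not policy_matches(pkt):
            continue
        if rule["action"] == "accept":
            return pkt                              # leave the chain untouched
        if rule["action"] == "masquerade":
            return replace(pkt, src=str(SITE_A_WAN))  # rewrite source to WAN IP
    return pkt


def egress(pkt: Packet, nat_rules: list[dict]) -> str:
    """'esp' if the packet is encrypted toward Site B after NAT, else 'plaintext'."""
    return "esp" if policy_matches(srcnat(pkt, nat_rules)) else "plaintext"


MASQUERADE = {"action": "masquerade"}           # typical default: masquerade everything
BYPASS_BY_ADDRESS = {"src": SITE_A_LAN, "dst": SITE_B_LAN, "action": "accept"}
BYPASS_BY_POLICY = {"ipsec_policy_out": True, "action": "accept"}

# Constructed sample flows: a Site A host talking to Site B, and to the Internet.
LAN_TO_LAN = Packet("10.10.10.50", "10.20.20.80")
LAN_TO_INTERNET = Packet("10.10.10.50", "192.0.2.10")

CHAINS = {
    "bypass before masquerade": [BYPASS_BY_ADDRESS, MASQUERADE],
    "bypass after masquerade": [MASQUERADE, BYPASS_BY_ADDRESS],  # the broken order
    "ipsec-policy matcher": [BYPASS_BY_POLICY, MASQUERADE],
    "no bypass at all": [MASQUERADE],
}


def evaluate_all() -> dict[str, str]:
    """Outcome of the LAN-to-LAN flow under each chain layout."""
    return {name: egress(LAN_TO_LAN, rules) for name, rules in CHAINS.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:26s} -> {result}")
    print("internet-bound source after NAT:",
          srcnat(LAN_TO_INTERNET, CHAINS["bypass before masquerade"]).src)
```

Running it prints esp for the two correct layouts and plaintext for the other two; the last line confirms that the bypass does not stop ordinary Internet traffic from being masqueraded.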

Route-based IPsec uses a Virtual Tunnel Interface (VTI). The IPsec SA protects everything flowing through the interface; routing decides what enters it.

Scenario: Same two sites as above. Tunnel link IPs 169.254.100.1 (Site A) / 169.254.100.2 (Site B).

# Phase 1
/ip ipsec profile
add name=ike2-vti-profile \
hash-algorithm=sha256 \
enc-algorithm=aes-256 \
dh-group=modp2048 \
dpd-interval=30s
/ip ipsec peer
add name=peer-site-b-vti \
address=203.0.113.2/32 \
exchange-mode=ike2 \
profile=ike2-vti-profile \
local-address=198.51.100.1
/ip ipsec identity
add peer=peer-site-b-vti \
auth-method=pre-shared-key \
secret="StrongSharedSecret!"
# Phase 2 — wide selectors for VTI
/ip ipsec proposal
add name=vti-proposal \
auth-algorithms=sha256 \
enc-algorithms=aes-256-gcm \
pfs-group=modp2048
/ip ipsec policy
add peer=peer-site-b-vti \
tunnel=yes \
src-address=0.0.0.0/0 \
dst-address=0.0.0.0/0 \
sa-src-address=198.51.100.1 \
sa-dst-address=203.0.113.2 \
proposal=vti-proposal \
action=encrypt
# VTI interface
/interface vti
add name=vti-site-b \
local-address=198.51.100.1 \
remote-address=203.0.113.2
# Tunnel link address
/ip address add address=169.254.100.1/30 interface=vti-site-b
# Route remote LAN via VTI
/ip route add dst-address=10.20.20.0/24 gateway=vti-site-b
# Firewall: allow forwarded traffic through VTI
# Accept-all in both directions is the simplest starting point; tighten to the
# two LAN prefixes once the tunnel works, and place these above any forward drop rule.
/ip firewall filter
add chain=forward action=accept in-interface=vti-site-b comment="IPsec VTI in"
add chain=forward action=accept out-interface=vti-site-b comment="IPsec VTI out"
# Firewall: allow IKE and ESP (use place-before=<drop rule> if the input chain ends in a drop;
# adding src-address=203.0.113.2 limits them to the peer)
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE/NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"

Site B mirrors Site A with the addresses and interface name reversed:

# Phase 1
/ip ipsec profile
add name=ike2-vti-profile \
hash-algorithm=sha256 \
enc-algorithm=aes-256 \
dh-group=modp2048 \
dpd-interval=30s
/ip ipsec peer
add name=peer-site-a-vti \
address=198.51.100.1/32 \
exchange-mode=ike2 \
profile=ike2-vti-profile \
local-address=203.0.113.2
/ip ipsec identity
add peer=peer-site-a-vti \
auth-method=pre-shared-key \
secret="StrongSharedSecret!"
/ip ipsec proposal
add name=vti-proposal \
auth-algorithms=sha256 \
enc-algorithms=aes-256-gcm \
pfs-group=modp2048
/ip ipsec policy
add peer=peer-site-a-vti \
tunnel=yes \
src-address=0.0.0.0/0 \
dst-address=0.0.0.0/0 \
sa-src-address=203.0.113.2 \
sa-dst-address=198.51.100.1 \
proposal=vti-proposal \
action=encrypt
/interface vti
add name=vti-site-a \
local-address=203.0.113.2 \
remote-address=198.51.100.1
/ip address add address=169.254.100.2/30 interface=vti-site-a
/ip route add dst-address=10.10.10.0/24 gateway=vti-site-a
/ip firewall filter
add chain=forward action=accept in-interface=vti-site-a comment="IPsec VTI in"
add chain=forward action=accept out-interface=vti-site-a comment="IPsec VTI out"
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE/NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"

Advantages of the route-based approach:

  • No NAT bypass rules needed, provided the masquerade rule is bound to the WAN interface (out-interface-list=WAN); an unconditional masquerade rule would still rewrite traffic leaving through the VTI
  • Supports dynamic routing protocols (OSPF, BGP) over the tunnel
  • Interface-level monitoring and traffic counters available
  • Simpler to extend to multiple subnets (just add routes)

Profile properties (/ip ipsec profile, Phase 1)

Property               Description
hash-algorithm         IKE integrity: sha1, sha256, sha512. sha1 is legacy; use sha256 or stronger.
enc-algorithm          IKE encryption: aes-128, aes-256, 3des. Do not offer 3des.
dh-group               Diffie-Hellman group: modp1024, modp2048, ecp256. modp1024 is too weak for new deployments; use modp2048 or an ECP group.
dpd-interval           Dead Peer Detection interval (e.g. 30s)
dpd-maximum-failures   DPD probes that may go unanswered before the IKE SA is torn down
lifetime               IKE SA lifetime (default 1d)

Peer properties (/ip ipsec peer)

Property               Description
address                Remote WAN IP with mask (e.g. 203.0.113.2/32)
exchange-mode          ike2 (recommended); main or aggressive select IKEv1
profile                Reference to /ip ipsec profile
local-address          Local WAN IP to source IKE from (needed on multi-WAN routers)
passive                Accept-only; do not initiate (useful for dynamic-IP responders)

Identity properties (/ip ipsec identity)

Property               Description
peer                   Bound peer
auth-method            pre-shared-key or digital-signature (certificates)
secret                 PSK value (both sides must match exactly, including case)
my-id / remote-id      Identity overrides for peers whose IKE identity is not their IP address (behind NAT, or certificate-based)

Proposal properties (/ip ipsec proposal, Phase 2)

Property               Description
auth-algorithms        Data integrity: sha1, sha256, sha512 (GCM ciphers are AEAD and provide their own integrity)
enc-algorithms         Data encryption: aes-128-cbc, aes-256-cbc, aes-256-gcm
pfs-group              Perfect Forward Secrecy DH group (must match on both sides; none disables PFS)
lifetime               Child SA lifetime (default 30m)

Policy properties (/ip ipsec policy)

Property               Description
src-address            Source subnet selector
dst-address            Destination subnet selector
sa-src-address         Tunnel source (local WAN IP)
sa-dst-address         Tunnel destination (remote WAN IP)
tunnel                 yes for tunnel mode (standard for site-to-site)
action                 encrypt, none (bypass) or discard
proposal               Reference to Phase 2 proposal
peer                   Reference to peer

/ip ipsec active-peers print detail

An entry here means IKE SA negotiation (Phase 1) succeeded; the detail view shows its state, the remote address and the Child SAs it carries. No entry means the tunnel has not come up at all.

/ip ipsec remote-peers print

Older RouterOS 6 releases use this command instead of active-peers; it shows the connected peers with uptime and last-seen information.

/ip ipsec installed-sa print detail

If Phase 1 is up but no installed SAs appear, Phase 2 negotiation failed. The most common causes are:

  • enc-algorithms, auth-algorithms, or pfs-group mismatch between peers
  • Traffic selector (src/dst address) mismatch

Step 3 — Check policy state and counters

/ip ipsec policy print detail
/ip ipsec policy print stats

Increasing packet/byte counters confirm traffic is being encrypted; /ip ipsec installed-sa print shows the same per SA as current-bytes. Zero counters with SAs present mean traffic is not reaching the policy (routing issue, NAT bypass missing, or firewall drop).

/system logging add topics=ipsec,!packet
/log print where topics~"ipsec"

Disable after diagnosis — IPsec logging is verbose.

Symptom                              Likely cause                                   Fix
No active-peers entry                Firewall blocking UDP 500/4500 or ESP          Check the input chain on both sides
No active-peers entry                PSK mismatch                                   Verify the secret is identical, including case
No active-peers entry                DH group or encryption mismatch in profile     Align profile settings on both routers
Phase 1 up, no installed SAs         Proposal mismatch                              Align enc-algorithms, auth-algorithms, pfs-group in proposal
Phase 1 up, no installed SAs         Selector mismatch                              Policy selectors must mirror each other (A's src is B's dst) with identical prefix lengths
SAs installed, traffic not passing   NAT bypass missing                             Add the NAT bypass rule above masquerade
SAs installed, traffic not passing   Missing route (VTI)                            Add /ip route for the remote LAN via the VTI
SAs installed, traffic not passing   Forward chain drop                             Accept the tunnel interface in forward (VTI) or decrypted traffic with ipsec-policy=in,ipsec (policy-based), above the drop rules
Tunnel flaps                         DPD failure                                    Check for loss/latency on the WAN path; raise dpd-interval or dpd-maximum-failures rather than disabling DPD
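Most of the mismatches in this table, and the Phase 2 failure causes listed earlier, can be caught before either router is touched by comparing the two configurations. The following added Python example (not part of this page and not MikroTik code) parses the /ip ipsec ... add key=value style used on this page and checks that profiles and proposals overlap, that peers point at each other's WAN address, that the PSKs agree, that policy selectors and SA endpoints are mirrored rather than copied, and that no legacy algorithm is offered. The embedded inputs are the Site A and Site B policy-based configs from this page with Site B's pfs-group deliberately changed to modp1024 so one mismatch is reported; the function names, the weak-algorithm list and the assumption that both exports state every property explicitly are the example's own.

```python
"""Cross-check two RouterOS IPsec exports for the mismatches that break
Phase 1, Phase 2 or traffic flow.  Added example, not MikroTik code."""
import shlex

SECTIONS = ("profile", "peer", "identity", "proposal", "policy")
# Algorithms a new site-to-site tunnel should not offer at all (assumption of this example).
WEAK = {"des", "3des", "md5", "sha1", "null", "modp768", "modp1024"}


def parse(text):
    """Return {section: {key: value}} from `/ip ipsec <section>` blocks, keeping the
    first `add` per section.  Backslash continuations are folded; quotes are removed."""
    cfg, section = {s: {} for s in SECTIONS}, None
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            parts = line.split()
            section = parts[2] if parts[:2] == ["/ip", "ipsec"] and len(parts) > 2 else None
        elif section in cfg and line.startswith("add ") and not cfg[section]:
            cfg[section] = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
    return cfg


def _set(value):
    return {v for v in value.split(",") if v}


def check(a, b):
    """Findings as strings; empty list means both sides agree.  Assumes every property is explicit."""
    f = []
    # Phase 1: same hash and DH group, at least one cipher in common.
    for key in ("hash-algorithm", "dh-group"):
        if a["profile"].get(key) != b["profile"].get(key):
            f.append(f"phase1: {key} differs ({a['profile'].get(key)} vs {b['profile'].get(key)})")
    if not _set(a["profile"].get("enc-algorithm", "")) & _set(b["profile"].get("enc-algorithm", "")):
        f.append("phase1: no common enc-algorithm")
    # Peers must address each other's WAN IP, and the PSK must be identical.
    for x, y, label in ((a, b, "A"), (b, a, "B")):
        if x["peer"].get("address", "").split("/")[0] != y["peer"].get("local-address"):
            f.append(f"peer: Site {label} address is not the other side's local-address")
    if a["identity"].get("secret") != b["identity"].get("secret"):
        f.append("identity: pre-shared keys differ")
    # Phase 2: proposals must overlap, PFS group must match exactly.
    for key in ("enc-algorithms", "auth-algorithms"):
        if not _set(a["proposal"].get(key, "")) & _set(b["proposal"].get(key, "")):
            f.append(f"phase2: no common {key}")
    if a["proposal"].get("pfs-group") != b["proposal"].get("pfs-group"):
        f.append(f"phase2: pfs-group differs ({a['proposal'].get('pfs-group')} vs {b['proposal'].get('pfs-group')})")
    # Selectors and SA endpoints must be mirrored (A's src is B's dst), not copied.
    for mine, theirs in (("src-address", "dst-address"), ("dst-address", "src-address"),
                         ("sa-src-address", "sa-dst-address"), ("sa-dst-address", "sa-src-address")):
        if a["policy"].get(mine) != b["policy"].get(theirs):
            f.append(f"policy: Site A {mine} != Site B {theirs}")
    # Lint: legacy algorithms offered by either side.
    for label, cfg in (("A", a), ("B", b)):
        used = set()
        for sec, key in (("profile", "hash-algorithm"), ("profile", "enc-algorithm"), ("profile", "dh-group"),
                         ("proposal", "enc-algorithms"), ("proposal", "auth-algorithms"), ("proposal", "pfs-group")):
            used |= _set(cfg[sec].get(key, ""))
        if used & WEAK:
            f.append(f"lint: Site {label} uses legacy algorithms: {', '.join(sorted(used & WEAK))}")
    return f


# Constructed inputs: the Site A / Site B policy-based configs from this page,
# with Site B's pfs-group deliberately changed to modp1024.
SITE_A = r"""
/ip ipsec profile
add name=ike2-profile hash-algorithm=sha256 enc-algorithm=aes-256,aes-128 dh-group=modp2048
/ip ipsec peer
add name=peer-site-b address=203.0.113.2/32 exchange-mode=ike2 profile=ike2-profile local-address=198.51.100.1
/ip ipsec identity
add peer=peer-site-b auth-method=pre-shared-key secret="StrongSharedSecret!"
/ip ipsec proposal
add name=ph2-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy
add src-address=10.10.10.0/24 dst-address=10.20.20.0/24 sa-src-address=198.51.100.1 \
sa-dst-address=203.0.113.2 tunnel=yes action=encrypt proposal=ph2-proposal peer=peer-site-b
"""
SITE_B = r"""
/ip ipsec profile
add name=ike2-profile hash-algorithm=sha256 enc-algorithm=aes-256,aes-128 dh-group=modp2048
/ip ipsec peer
add name=peer-site-a address=198.51.100.1/32 exchange-mode=ike2 profile=ike2-profile local-address=203.0.113.2
/ip ipsec identity
add peer=peer-site-a auth-method=pre-shared-key secret="StrongSharedSecret!"
/ip ipsec proposal
add name=ph2-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp1024
/ip ipsec policy
add src-address=10.20.20.0/24 dst-address=10.10.10.0/24 sa-src-address=203.0.113.2 \
sa-dst-address=198.51.100.1 tunnel=yes action=encrypt proposal=ph2-proposal peer=peer-site-a
"""
SITE_B_FIXED = SITE_B.replace("pfs-group=modp1024", "pfs-group=modp2048")

if __name__ == "__main__":
    for name, b in (("as pasted", SITE_B), ("fixed", SITE_B_FIXED)):
        print(name, check(parse(SITE_A), parse(b)) or ["OK: both sides agree"])
```

Feed it the /export output of both routers (or the snippets you are about to paste) and fix every finding before enabling the peers; the pfs-group and lint lines it prints for the sample correspond to the "Phase 1 up, no installed SAs / Proposal mismatch" row above.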

  • GRE/IPIP tunnels — unencrypted tunnels (combine with IPsec transport mode for encryption)
  • L2TP/IPsec — remote access using L2TP over IPsec
  • WireGuard VPN — modern alternative for site-to-site and remote access