Back to all articles
Tutorial By MikroRadius Team

How to Set Up Site-to-Site IPsec VPN on MikroTik (Connect Two Offices Securely)

Need to connect two office networks as if they were one? This guide walks you through configuring an IKEv2 IPsec site‑to‑site VPN between two MikroTik routers – with NAT traversal, perfect forward secrecy, and troubleshooting tips.

When you have two office locations (or a branch office and a data centre), you often need them to communicate as if they were on the same local network. A site‑to‑site VPN does exactly that – it securely connects two private networks over the internet. MikroTik's built‑in IPsec IKEv2 makes this setup robust and relatively easy.

Why Site‑to‑Site VPN?

  • Seamless access – Printers, file servers, and internal apps become available across both sites.
  • Security – All traffic is encrypted between the two routers.
  • Cost saving – No need for dedicated leased lines.
  • Transparent – Users don't notice the VPN; it works at the network layer.

Prerequisites

  • Two MikroTik routers with public IP addresses (dynamic or static).
  • If one or both have dynamic IPs, you'll need a DDNS service (e.g., MikroTik's built‑in Cloud DDNS).
  • Different LAN subnets at each site – they must not overlap (e.g., Site A: 192.168.1.0/24, Site B: 192.168.2.0/24).
  • WinBox or SSH access to both routers.

Network Topology Example

  • Site A (Head Office): Public IP 203.0.113.10 (static), LAN 192.168.1.0/24.
  • Site B (Branch): Public IP 198.51.100.20 (static), LAN 192.168.2.0/24.
  • We want devices in 192.168.1.0/24 to reach 192.168.2.0/24 and vice versa.

Step 1: Prepare the Routers (Basic Configuration)

Ensure both routers have:

  • Internet access working on their WAN interface.
  • LAN interfaces correctly set up with their respective subnets.
  • Firewall rules that allow IPsec traffic (UDP 500, UDP 4500, and ESP protocol 50).
  • NAT masquerade for LAN to internet, but do not NAT traffic destined for the other site's VPN subnet.

Step 2: Configure IPsec Peer and Proposal (Site A)

First, create an IKEv2 proposal (encryption and hash settings). Use strong but compatible settings.

/ip ipsec proposal add name=ike2-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h pfs-group=modp2048

Then create the peer definition (the remote router's endpoint).

/ip ipsec peer add name=peer-B address=198.51.100.20/32 exchange-mode=ike2 profile=default proposal-check=obey

If Site B has a dynamic IP, replace the address with 0.0.0.0/0 and use a pre‑shared key + aggressive mode? Actually for IKEv2 with dynamic, you can leave address=0.0.0.0/0 and the router will accept incoming connections.

Step 3: Configure IPsec Peer and Proposal (Site B)

On Site B, create the same proposal (identical settings).

/ip ipsec proposal add name=ike2-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h pfs-group=modp2048

Then create the peer pointing to Site A:

/ip ipsec peer add name=peer-A address=203.0.113.10/32 exchange-mode=ike2 profile=default proposal-check=obey

Step 4: Configure Identities (Pre‑Shared Key) on Both Sides

Choose a strong pre‑shared key (PSK). Use the same key on both routers.

Site A:

/ip ipsec identity add peer=peer-B auth-method=pre-shared-key secret="YourVeryStrongPSK123" generate-policy=port-strict

Site B:

/ip ipsec identity add peer=peer-A auth-method=pre-shared-key secret="YourVeryStrongPSK123" generate-policy=port-strict

Step 5: Configure IPsec Policies (Traffic Selectors)

Policies tell the router which traffic to encrypt and send over the VPN.

Site A (source = its LAN, destination = remote LAN):

/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 tunnel=yes action=encrypt proposal=ike2-proposal peer=peer-B

Site B (reverse):

/ip ipsec policy add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 tunnel=yes action=encrypt proposal=ike2-proposal peer=peer-A

Step 6: Firewall Rules – Allow IPsec and ESP

On both routers, add these input chain rules before the final drop:

/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept comment="Allow IKE"
/ip firewall filter add chain=input protocol=udp dst-port=4500 action=accept comment="Allow NAT-T"
/ip firewall filter add chain=input protocol=esp action=accept comment="Allow ESP"
/ip firewall filter add chain=input protocol=ah action=accept comment="Allow AH (if used)"

Also allow forwarding of traffic between the two LANs (in the forward chain). Add before any drop rule:

/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept comment="VPN Site A to Site B"
/ip firewall filter add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept comment="VPN Site B to Site A"

Step 7: NAT Bypass – Do Not NAT VPN Traffic

If you have a masquerade rule for LAN to internet (e.g., src-address=192.168.0.0/16 action=masquerade), it will also catch traffic going to the other site's LAN and break the VPN. Add a dstnat rule (or a srcnat rule with action=accept) to exclude VPN traffic.

Add this rule above your masquerade rule:

/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept comment="Don't NAT to Site B"

On Site B, do the opposite:

/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept comment="Don't NAT to Site A"

Step 8: (Optional) Enable NAT Traversal for Dynamic IPs

If either router is behind a NAT (e.g., a home office with a modem/router in front), enable NAT-T by setting nat-traversal=yes in the IPsec profile:

/ip ipsec profile set [find default] nat-traversal=yes

Step 9: Initiate the VPN Connection

By default, the VPN will establish automatically when traffic tries to cross it. To force an initiation, ping from a device on Site A to an IP on Site B (e.g., ping 192.168.2.1).

Check the status on either router:

/ip ipsec active-peers print
/ip ipsec installed-sa print

You should see active SAs (Security Associations) with state=established.

Step 10: Test Connectivity

  1. From a PC at Site A (IP 192.168.1.x), ping a PC at Site B (192.168.2.y).
  2. From a PC at Site B, ping back.
  3. Access a file share or web server across the VPN.
  4. Run a traceroute – you should see the remote LAN IP as the final hop.

Troubleshooting

  • No SAs (installed-sa empty): Check firewall rules – ensure UDP 500/4500 and ESP are allowed. Verify pre‑shared keys match exactly. Check peer addresses – if one side has dynamic IP, use address=0.0.0.0/0 and ensure the initiating side knows the correct endpoint.
  • SAs are up but ping fails: Most likely NAT masquerade is translating the VPN traffic. Revisit Step 7. Also check that both routers have routes for the remote LAN – IPsec policies automatically add routes, but verify with /ip route print where dst-address~"192.168.2".
  • Traffic works one way only: Ensure that both sides have symmetric policies and that the firewall forward chain allows both directions.
  • VPN drops after a few minutes: Increase lifetime in proposals or check for NAT timeouts. Add a keepalive by setting dpd-interval=30s in the peer configuration.
  • IKEv2 fails with "no proposal chosen": Ensure the encryption and hash algorithms match on both sides. Use proposal-check=obey or strict.

Advanced: Using DDNS for Dynamic IPs

If one or both routers have dynamic public IPs, use MikroTik's Cloud DDNS or a third‑party service.

On each router, enable Cloud DDNS:

/ip cloud set ddns-enabled=yes
/ip cloud print

You'll get a hostname like xxxxxx.sn.mynetname.net. Then in the peer configuration, use that hostname as the address (ensure DNS resolution works).

For the peer with dynamic IP, set address=0.0.0.0/0 and let the other side initiate.

Using Certificate Authentication (More Secure than PSK)

For production, consider using certificates instead of pre‑shared keys. Generate a CA certificate and sign device certificates for each router. Then set auth-method=rsa-signature in the identity and upload the certificates. This is beyond this guide, but well documented in MikroTik's manual.

Sample Complete Script (Site A, Static IP)

/ip ipsec proposal add name=ike2-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h pfs-group=modp2048
/ip ipsec peer add name=peer-B address=198.51.100.20/32 exchange-mode=ike2 profile=default
/ip ipsec identity add peer=peer-B auth-method=pre-shared-key secret="YourStrongPSK" generate-policy=port-strict
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 tunnel=yes action=encrypt proposal=ike2-proposal peer=peer-B
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept
/ip firewall filter add chain=input protocol=udp dst-port=4500 action=accept
/ip firewall filter add chain=input protocol=esp action=accept
/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept
/ip firewall filter add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept
# Place your masquerade rule after this

Conclusion

A site‑to‑site IPsec VPN unites your distributed offices into a single, secure network. MikroTik's IKEv2 implementation is stable, fast, and works even when one side has a dynamic IP (with DDNS). Once the tunnel is up, inter‑office collaboration becomes seamless – shared drives, internal web apps, and remote management all work as if everyone was in the same building.

For larger deployments, consider using GRE over IPsec or VXLAN to carry routing protocols (OSPF/BGP) across the VPN. But for most small to medium businesses, the pure IPsec policy setup above is sufficient.

Was this article helpful?