Mikrotik Ipsec Configuration
MikroTik IPsec is one of the features of MikroTik, a cheap router with a lot of features; you can build a router and set up a firewall easily with Winbox. MikroTik IPsec site-to-site between two MikroTik routers is simple, and in my test everything ran with no problems at all. You can see my MikroTik IPsec site-to-site configuration below:
Step-by-step MikroTik IPsec configuration:
- Connect to the MikroTik remotely using Winbox
- Choose IP -> IPsec
- From the IPsec menu choose Proposal, then tick the Auth. Algorithms and Encr. Algorithms boxes as shown in the picture above for my MikroTik IPsec site-to-site setup; for PFS Group use group 2.
- From the IPsec menu click Peer. In the Address box enter the public IP of the remote site; the Secret is for example 123456, fill it in as you like. DH Group must match the PFS Group, which is group 2.
- Back in the IPsec menu, add a policy. On the General tab, Src. Address is the local network you want to tunnel and Dst. Address is the local network on the remote site. Then on the Action tab set Action: encrypt, Level: require, IPsec Protocols: esp, and tick the Tunnel box. SA Src. Address is my public IP and SA Dst. Address is the public IP of the remote site; for Proposal choose default, matching the name of the proposal made before.
- After all sites have been configured, re-check the configuration and make sure every site has the matching settings, then finally test the connection. If it works, I can connect from a local IP to the remote local network; if not, try the NAT bypass described on the MikroTik wiki IPsec page.
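The same configuration as the Winbox steps above, written as RouterOS terminal commands for one side of the tunnel. This is an added example, not the author's own export. It assumes RouterOS 6.x from before 6.43 (when the pre-shared secret still lived on the peer), the local site 192.168.1.0/24 behind public IP 198.51.100.1, and the remote site 192.168.2.0/24 behind public IP 203.0.113.2; all addresses are constructed documentation ranges, and the algorithms (SHA1, AES-128-CBC, DH group 2 = modp1024) are an assumption standing in for the boxes ticked in the picture. The other site gets the mirror image (swap local and remote networks and public IPs), and both sides must use the same secret, DH group and proposal.

```routeros
# Proposal (phase 2): the algorithms ticked in Winbox, PFS group 2 (modp1024).
# Same settings on both sites.
/ip ipsec proposal set [ find name=default ] auth-algorithms=sha1 \
    enc-algorithms=aes-128-cbc pfs-group=modp1024

# Peer (phase 1): public IP of the remote site; the shared secret is only an
# example value, as in the article. DH group must equal the proposal's PFS group.
# (RouterOS >= 6.43 moves "secret" to /ip ipsec identity.)
/ip ipsec peer add address=203.0.113.2/32 secret=123456 dh-group=modp1024 \
    hash-algorithm=sha1 enc-algorithm=aes-128 exchange-mode=main

# Policy: local LAN -> remote LAN, encrypt, ESP, tunnel mode, SA endpoints are
# the two public IPs. "level=require" refuses to pass this traffic unencrypted.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.2 proposal=default

# NAT bypass (the last step's fallback): LAN-to-LAN traffic must not be
# masqueraded, or it never matches the policy. The accept rule has to sit
# above any masquerade rule, so move it to the top of srcnat.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 action=accept comment=ipsec-bypass
/ip firewall nat move [ find comment=ipsec-bypass ] 0

# Checks after both sides are configured:
#   /ip ipsec remote-peers print   -> peer state should be "established"
#   /ip ipsec installed-sa print   -> one ESP SA per direction
#   /ping 192.168.2.1 src-address=192.168.1.1
```

The `/ip ipsec installed-sa print` check is the useful one when the tunnel "connects" but no traffic flows: with policy level `require` and no SAs installed, packets for the remote LAN are dropped rather than sent in the clear, which is the safe failure mode.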
In my test MikroTik IPsec site-to-site worked well when the remote site was also a MikroTik, but when the remote site was a Juniper I had a problem: the IPsec tunnel would not stay connected properly, and after 2 to 10 minutes I lost the connection. What I did to solve it was to flush the SAs manually whenever the connection was lost. To do that automatically I used a script with a scheduler that runs every 1 minute, which means the MikroTik flushes the SAs regularly according to the scheduler I made. Another solution is a script that checks the connection by pinging the remote site and flushes the SAs on the MikroTik if there is no reply. My recommendation is the flush-SA scheduler on the MikroTik; it works better, although it is not the best solution.
Finally, after running the flush-SA scheduler for 5 hours I stopped the scheduler, and the result is that my MikroTik IPsec is still connected properly; up to the day I write this blog post I have had no problem with MikroTik IPsec. Don't ask me why it works perfectly, because I don't understand the reason.
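Both workarounds from the paragraph above, the unconditional every-minute flush and the ping-triggered flush, as RouterOS commands. This is an added example and not the author's actual script; it assumes RouterOS 6.x, that `192.168.2.1` is a host on the remote LAN that answers ping (a constructed address), and that the scheduler and script names are free to use. Option B is the gentler one: it only tears down the SAs when the tunnel has actually stopped passing traffic, instead of forcing a rekey every minute whether or not anything is wrong.

```routeros
# Option A: the author's approach. Flush all installed SAs every minute so a
# stuck tunnel is renegotiated by the next packet that matches the policy.
/system script add name=ipsec-flush-sa policy=read,write,test \
    source="/ip ipsec installed-sa flush"
/system scheduler add name=ipsec-flush-sa interval=1m on-event=ipsec-flush-sa

# After the tunnel has stayed up for a while (the article stopped after
# 5 hours), switch the scheduler off instead of deleting it:
#   /system scheduler disable ipsec-flush-sa

# Option B: ping the remote LAN and flush only when there is no reply.
# Create the script with: /system script add name=ipsec-check policy=read,write,test
# and paste the following lines into its Source field (System > Scripts in Winbox):
#
#   :local remote 192.168.2.1
#   # [/ping ...] returns the number of replies received out of "count"
#   :if ([/ping $remote count=3 interval=1s] = 0) do={
#     :log warning ("ipsec-check: no reply from " . $remote . ", flushing IPsec SAs")
#     /ip ipsec installed-sa flush
#   } else={
#     :log debug ("ipsec-check: " . $remote . " reachable, SAs kept")
#   }
#
/system scheduler add name=ipsec-check interval=1m on-event=ipsec-check

# Watch what the scripts did:
#   /log print where topics~"script" or message~"ipsec-check"
#   /ip ipsec installed-sa print
```

With either option, leave logging on for a day and count how often the flush actually fired: if Option B rarely or never triggers while Option A was previously needed, the underlying phase-2 lifetime or DPD mismatch with the Juniper side has probably been corrected by a configuration or RouterOS change, which matches what the article observed after stopping the scheduler.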
MikroTik IPsec conclusion from my testing
- MikroTik IPsec site-to-site works well if the other site also uses a MikroTik
- In my testing, if the remote site uses a Juniper I have a problem where I need to flush the SAs whenever there is a connection problem.
- I could fix the problem by changing some configuration on the MikroTik or by upgrading the OS to version 6.xx beta
- You can use my method above to resolve the MikroTik IPsec problem; if you are lucky it will work perfectly
- Good luck