Friday, November 28, 2014

Site-to-Site IPSEC VPN using Mikrotik Routerboards

A good video on how to set up the VPN is here:
Example: Site A has a static IP address and Site B has a dynamic IP address. On the Site B Mikrotik router, you will need to add the following script so the VPN policy's source address follows the changing WAN IP. To do this using Winbox, go to System -> Scripts. Click the + sign. Give the script a name. Then paste the following code into the Source box below:
# Read the address of the WAN interface; RouterOS returns it in CIDR form, e.g. 203.0.113.5/24
:local WANaddr [/ip address get [find interface="ether5"] address]
:log info "Interface address is $WANaddr"
# Keep everything before the "/", so the result is a bare IP whatever the prefix length (/8, /24, /30 ...)
:local WANip [:pick $WANaddr 0 [:find $WANaddr "/"]]
:log info "IP sans the slash notation is $WANip"
# Point the policy's SA source address at the current WAN IP (policy 0 is the site-to-site policy)
/ip ipsec policy set 0 sa-src-address=$WANip
Click OK to save the script.

To schedule the script to run every 5 minutes (in case the WAN IP address changes), in Winbox go to System -> Scheduler. Give the task a name. Start date can be ignored. Set Start time to 1 second (00:00:01). Set Interval to 5 minutes (00:05:00). Where it says On Event, type in the name of the script you entered above. Click OK.

Note: Here is a list of the protocols and ports that will need to be opened (input chain of the firewall filter) on both Mikrotik routers in order for the VPN traffic to pass successfully:
Chain: Input, Protocol: 50 (ipsec-esp), Action: Accept
Chain: Input, Protocol: 51 (ipsec-ah), Action: Accept
Chain: Input, Protocol: 17 (udp), Any Port: 500, Action: Accept
Note: In Mikrotik RouterOS version 6.39.1, you may experience the following error with IPSEC tunnels:
Expecting IP address type in main mode when using preshared key for authorization (see RFC 2409 section 5.4).
If you see this error, open Winbox, go to IP -> IPSEC. Then go to the Peers tab. Double click on the Peer IP address. Then where it says My ID Type, change it to auto. Click OK. Repeat the same procedure on the other router. This should re-establish the IPSEC tunnel.
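The whole Site B setup from this post (firewall rules, the address-update script, the scheduler, and the My ID Type work-around) as RouterOS terminal commands, added here as an example and not taken from the post. Assumptions: the WAN interface is ether5, the site-to-site policy carries comment="site-b-tunnel", the script and scheduler are both named update-ipsec-src, and <SITE_A_STATIC_IP> is a placeholder for Site A's address.

```routeros
# 1. Firewall: let IKE, ESP and AH reach the router. These must sit ABOVE any
#    "drop everything else" rule in the input chain, so use place-before= (or
#    drag them up in Winbox) on a router that already has such a rule.
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP"
/ip firewall filter add chain=input protocol=ipsec-ah action=accept comment="IPsec AH"
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept comment="IKE (ISAKMP)"
# On Site B the peer is fixed, so these rules can be tightened with
# src-address=<SITE_A_STATIC_IP>; Site A cannot do that because Site B's
# address changes. UDP 4500 (NAT-T) is not in the post's list and is needed
# only if a NAT device sits between the two routers.

# 2. Script source (System -> Scripts, name update-ipsec-src). Cuts at the "/"
#    rather than dropping the last three characters, so any prefix length
#    works, and only rewrites the policy when the address actually changed.
:local wanAddr [/ip address get [find interface="ether5"] address]
:local wanIp [:pick $wanAddr 0 [:find $wanAddr "/"]]
:local policy [/ip ipsec policy find comment="site-b-tunnel"]
:local current [/ip ipsec policy get $policy sa-src-address]
:if ($current != [:toip $wanIp]) do={
    /ip ipsec policy set $policy sa-src-address=$wanIp
    :log warning "IPsec sa-src-address updated from $current to $wanIp"
} else={
    :log info "IPsec sa-src-address unchanged ($wanIp)"
}

# 3. Scheduler: run the script every 5 minutes, as the post describes.
/system scheduler add name=update-ipsec-src start-time=00:00:01 interval=5m on-event=update-ipsec-src

# 4. Work-around for the 6.39.1 "Expecting IP address type in main mode"
#    error: set My ID Type to auto on the peer, on both routers. (On newer
#    RouterOS releases this setting lives under /ip ipsec identity instead.)
/ip ipsec peer set [find] my-id=auto
```

Sections 1, 3 and 4 are pasted into the terminal; section 2 is the body of the script itself, which the scheduler then runs.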