How to configure site to site Ipsec VPN to connect your branch office to the Headquarter using Mikrotik routers

Internet Protocol Security (Ipsec) is a
network protocol that authenticates network devices and encrypt the
communications between network devices. While there are different types of VPN, Ipsec VPN
is by far one of the best options available out there, and its supported by a
lot of vendors in the industry.

Today, I
am going to share with us on how to set up site to site Ipsec VPN, using Mikrotik routers. Assuming you have a branch office that needs to connect to the
head office for ease of communication and file sharing, then you need a VPN
connection. Even though this solution can be achieved using any of the routing
protocols out there, data encryption is very important and as such, you need
to encryption the communication between the two locations using Ipsec.

To achieve
this, I have created the scenario below:
   Branch office.
WAN IP:                     WAN IP:
LAN IP:                          LAN IP
objective is to make sure that local users are able to communicate among
themselves even though they may be countries apart. An Ipsec tunnel will be setup
anytime there is a communication between the two locations and data encryption
will be activated. 
Cisco, the smallest Mikrotik device can handle VPN setup. For this
demonstration, I am using a cloud core- CCR 1009-8G-15-PC, though an RB 750 can
do it.
If all
requirements for internet access have been met and you have connectivity up to
the public IP on the remote router, then you are ready to set up Ipsec VPN.
Setting up
Ipsec VPN on the Head office router:
Click on
IP>>Ipsec>>Proppsal and click on add (+). Choose MD5 for
authentication, and Camellia- 128 for encryption, and set the PFS group to modp
1024. U can change the name of the proposal if you will be creating more than
one proposals, otherwise, leave it at default. Kindly note that any other authentication and
encryption options can be used, just make sure your choices are the same on
both routers. See image below:

To set Policy, click on IP>>Ipsec>>Policy and click on add. Type
in your LAN network address in the space for source address and the branch office
network address in the space for destination address. See below.
Next, click on the action tab and enter the public IP on
the head office router as source IP and the one on the branch office router as
the destination IP. Don’t forget to tick the box to enable tunnel. Since I edited the default proposal instead of creating a new one, I left the
proposal at default. See below:
click on the peer tab and click on add(+). In the space for address, put the
WAN IP of the branch office router (be sure you have connectivity to this IP
address, otherwise this will not work), put the WAN IP of the head office
office router in the space for local address, enter your secrete keys which must be the same on both routers. See the image below and make sure
your options match those highlighted in red in the image.

The NAT traversal option makes sure that your LAN to LAN traffics
are excepted from NAT. If you already have these traffics excepted from your
NAT, then you need not check the box for NAT traversal.
If you have followed the steps correctly up to this point, congrats! you are half way done. Now, repeat the steps above on
the branch office router, substituting the source and destination IPs.
Everything else is the same except the IPs. If you do everything correctly on
the Branch office router, you will have your Ipsec tunnel up and running. 
Testing the Ipsec VPN
To test, simply connect a
system to both LANs and ping across.
To know if your Ipsec tunnel is
encrypting your LAN to LAN communications, click on installed SAs in the Ipsec
section. You should get an output similar to what is displayed in the image

I will be making a video on this shortly. Please subscribe to my YouTube channel here to get it as soon as it’s published. There are lots of other videos on Mikrotik and Cisco networking already published on the channel for you to watch and learn from.
Please comment on any topic you need help and clarifications on. Thanks for reading and stay safe.

Spread the love


Ashioma Michael, a BSc (Computer Science)., MTCNA, CCNA, and CCNP holder with many years of industry-proven experience in network design, implementation and optimization. He has tutored and guided many professionals towards obtaining their Cisco certifications. Mike works as a senior network engineer with one of the leading internet service providers in West Africa.

One thought on “How to configure site to site Ipsec VPN to connect your branch office to the Headquarter using Mikrotik routers

Leave a Reply

Your email address will not be published. Required fields are marked *