Mikrotik Router - IKEv2 VPN Setup
- Log in to your Mikrotik router via browser or Winbox and open a new terminal.
- Enter the commands to create a new profile and proposal:
/ip ipsec profile
add name=SwitchVPN
/ip ipsec proposal
add name=SwitchVPN pfs-group=none
Note that pfs-group=none disables Perfect Forward Secrecy for the child SAs (no fresh Diffie-Hellman exchange on rekey). If the server accepts a PFS group, leave pfs-group at a DH group such as modp2048 rather than none.
- Enter the commands to create a new policy group and a policy template covering all traffic:
/ip ipsec policy group
add name=SwitchVPN
/ip ipsec policy
add dst-address=0.0.0.0/0 group=SwitchVPN proposal=SwitchVPN src-address=0.0.0.0/0 template=yes
- Enter the commands to create a new mode config entry (responder=no, since the router requests its tunnel address from the server):
/ip ipsec mode-config
add name=SwitchVPN responder=no
- Create the peer configuration and specify the IKEv2 server address in the address parameter. In this case we are connecting to the US, Los Angeles server:
/ip ipsec peer
add address=ikev2-la.switchnetwork.me exchange-mode=ike2 name=SwitchVPN profile=SwitchVPN
- Import the CA certificates required to verify the identity of the server:
/tool fetch url=https://letsencrypt.org/certs/isrgrootx1.pem
/certificate import file=isrgrootx1.pem
/tool fetch url=https://letsencrypt.org/certs/letsencryptauthorityx3.pem
/certificate import file=letsencryptauthorityx3.pem
ISRG Root X1 is the trust anchor. The Let's Encrypt Authority X3 intermediate has since expired; the current intermediates still chain to ISRG Root X1 and servers normally present their intermediate during IKE_AUTH, so the root import is what establishes trust. Because /tool fetch does not verify the TLS certificate of the download by default, compare the fingerprint shown by /certificate print detail with the one published by Let's Encrypt before relying on it.
- Create an identity configuration and specify your SwitchVPN credentials in the username and password parameters. certificate="" is correct here: with EAP-MSCHAPv2 the router authenticates with the username and password, while the server is authenticated by its certificate against the CA imported above.
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=SwitchVPN peer=SwitchVPN policy-template=SwitchVPN username=VPNUsername password=VPNPassword
- Now verify that the IKEv2 VPN connection is established. active-peers should list the peer with state established, and installed-sa should show a pair of SAs (one in each direction):
/ip ipsec
active-peers print
installed-sa print
- Now send traffic over the tunnel. In this example the local network is 192.168.1.0/24; to route every device on that network through the VPN tunnel, add it to an address list:
/ip firewall address-list
add address=192.168.1.0/24 list=local
You can instead list only the single hosts whose traffic should go over the tunnel, for example:
/ip firewall address-list
add address=192.168.1.29 list=local
Note that the IP address range may differ on your network.
- Once that is done, assign the newly created address list to the mode config entry:
/ip ipsec mode-config
set [ find name=SwitchVPN ] src-address-list=local
That's it: the router is now connected to SwitchVPN's US, Los Angeles server, and traffic from the addresses in the local list is sent through the encrypted tunnel. Traffic from hosts not on the list, and the router's own traffic, is not covered by the generated policy and still leaves unencrypted.
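As an added example that is not part of the SwitchVPN guide, the following RouterOS terminal commands check the result of the steps above and add a leak guard: they show the imported ISRG Root X1 certificate so its fingerprint can be compared with the published one, log whether the IKEv2 peer is established, and drop forward traffic from the local address list that is not covered by an outbound IPsec policy, so a dropped tunnel does not silently fall back to plaintext. The peer and address list names (SwitchVPN, local) are the guide's; the log messages and the rule comment are my own.

```routeros
# Added example (not part of the SwitchVPN guide): post-setup checks and a
# leak guard for the tunnel configured above. Names SwitchVPN and local come
# from the guide; the log text and the firewall comment are mine.

# 1. Show the imported trust anchor. Compare the fingerprint it prints with
#    the fingerprint Let's Encrypt publishes for ISRG Root X1, since
#    /tool fetch did not verify the download's TLS certificate.
/certificate print detail where name~"isrgrootx1"

# 2. Tunnel state: exactly one established IKE SA to the peer is expected
#    once the EAP identity has authenticated; installed-sa should then hold
#    an inbound and an outbound child SA.
:if ([:len [/ip ipsec active-peers find state="established"]] = 0) do={
    :log warning "SwitchVPN: no established IKEv2 peer"
} else={
    :log info "SwitchVPN: IKEv2 peer established"
}
:put ("installed IPsec SAs: " . [:len [/ip ipsec installed-sa find]])

# 3. Leak guard: the policy template only generates a policy while the
#    tunnel is up. Forwarded traffic from the 'local' list that matches no
#    outbound IPsec policy (ipsec-policy=out,none) is dropped instead of
#    leaving the WAN in clear text.
/ip firewall filter
add chain=forward src-address-list=local ipsec-policy=out,none action=drop comment="SwitchVPN leak guard: drop local traffic not going via IPsec"
```

Run this after the identity has been added. The drop rule must sit above any accept rule in the forward chain (reorder it with /ip firewall filter move if needed), and it only protects hosts in the local list; hosts outside the list and the router's own traffic are unaffected, and while the tunnel is down those listed hosts will lose connectivity rather than leak, which is the intended behaviour.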