Mikrotik Router - IKEv2 VPN Setup

Updated 3 years ago by SwitchVPN

  1. Login to your Mikrotik router settings via browser or Winbox and open a new terminal.
  2. Enter the command to create a new profile
/ip ipsec profile 
add name=SwitchVPN
/ip ipsec proposal
add name=SwitchVPN pfs-group=none
  1. Enter the commands to create a new policy group
/ip ipsec policy group
add name=SwitchVPN
/ip ipsec policy
add dst-address= group=SwitchVPN proposal=SwitchVPN src-address= template=yes
  1. Enter the commands to create a new config mode entry
/ip ipsec mode-config
add name=SwitchVPN responder=no
  1. Create peer configuration and specify the IKEv2 server address in the address parameter, In this case, we are connecting to the US, Los Angeles server.
/ip ipsec peer
add address=ikev2-la.switchnetwork.me exchange-mode=ike2 name=SwitchVPN profile=SwitchVPN
  1. Import root cerificates required to verify the identity of the server.
/tool fetch url=https://letsencrypt.org/certs/isrgrootx1.pem
/certificate import file=isrgrootx1.pem

/tool fetch url=https://letsencrypt.org/certs/letsencryptauthorityx3.pem
/certificate import file=letsencryptauthorityx3.pem

  1. Create an identity configuration and specify your SwitchVPN credentials in username and password parameters.
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=SwitchVPN peer=SwitchVPN policy-template=SwitchVPN username=VPNUsername password=VPNPassword
  1. Now verify that the IKEv2 VPN connection is successfully established.
/ip ipsec
active-peers print
installed-sa print

  1. Now to send all traffic over the tunnel, In this example, we have a local network, If we wish to route all the devices connected to this network to go via a VPN tunnel, use the following command
/ip firewall address-list
add address= list=local

You can also specify only single hosts from which you want all traffic to go over the tunnel. Example

/ip firewall address-list
add address= list=local
Please note that the IP address range might be different on your network
  1. Once it is done, we can assign the newly created address list to mode config configuration
/ip ipsec mode-config
set [ find name=SwitchVPN ] src-address-list=local

That's it, now you have your device connected to SwitchVPN's US, Los Angeles server and all traffic is encrypted.

How did we do?

Powered by HelpDocs (opens in a new tab)