Mikrotik S2S Policy-VPN

Below is a sample configuration to establish a policy-based IPSEC VPN on a Mikrotik router.
Some additional configuration has been added as this is a policy-based VPN and context becomes more important.

/interface bridge
add igmp-snooping=yes multicast-querier=yes name=bridge1 port-cost-mode=short
/interface bridge port
add bridge=bridge1 interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10
/ip address
add address=10.0.0.254/24 interface=bridge1 network=10.0.0.0
/ip dhcp-client
add interface=ether1

/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN

/ip ipsec peer
add address=192.0.2.5 exchange-mode=ike2 name=192.0.2.5
/ip ipsec identity
add my-id=fqdn:local peer=192.0.2.5 remote-id=fqdn:remote auth-method=pre-shared-key secret="SECRET" generate-policy=no

/ip ipsec profile
set [ find default=yes ] dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h pfs-group=ecp384

/ip ipsec policy
add action=none comment="Don't Encrypt Traffic to Self" dst-address=10.0.0.0/24 src-address=10.0.0.0/24
add comment="VPN Peer" dst-address=10.0.0.0/8 peer=192.0.2.5 src-address=10.0.0.0/24 tunnel=yes

DavisSystem

Consolidated Notes From the Desk of Sean Davis.

Mikrotik S2S Policy-VPN

By Sean, 2024-02-22