Mikrotik IPsec Site to Site VPN: A Step by Step Guide


As online censorship increases globally, many users are adopting VPNs to maintain internet access. While standard VPN solutions like OpenVPN and Cisco are usually effective, tougher internet restrictions in countries such as Russia, China, Iran, and Cuba can disrupt these services. In these situations, more sophisticated VPN solutions like the Mikrotik IPsec site-to-site VPN prove essential.

The Mikrotik site-to-site VPN stands out as a cost-effective and efficient method for overcoming stringent internet barriers. Though other technologies like reverse proxies exist, the efficiency of site-to-site VPNs is notable. This article will delve into the basics and historical context of Mikrotik VPNs, followed by a comprehensive guide on establishing a Mikrotik site-to-site VPN.

What Is RouterOS?

RouterOS is a sophisticated operating system designed by Mikrotik that transforms your desktop computer into a high-performance router. This OS allows users to leverage the capabilities of Mikrotik’s Routerboard technology, effectively turning a PC into a powerful networking device capable of hosting a site-to-site VPN. RouterOS is not free; after an initial trial period, a license must be purchased to continue its use. However, given its efficiency and reliability in establishing a site-to-site VPN, the investment in a license is often considered worthwhile.

Beyond setting up VPNs, RouterOS enhances your desktop with full router functionalities, including advanced firewall capabilities to secure your system or network. The operating system is based on the Linux kernel, which may lead to better compatibility with Linux distributions than with Windows. This flexibility and power make RouterOS a valuable tool for anyone looking to upgrade their network management and security infrastructure.

Mikrotik is known for its quality, and its products are designed to work together: you can purchase their hardware and get excellent performance when pairing it with their software, such as their access points and the RouterOS operating system. Mikrotik develops RouterOS, which we will use to establish a site-to-site VPN with the IPsec protocol in today’s guide. But before getting ahead of ourselves, let’s get to know what a site-to-site VPN actually is, so you can better judge whether it suits your needs. If you require assistance installing Mikrotik CHR on your VPS, check out our guide to install and optimize it.

What Is a Site to Site VPN?

In principle, a site to site VPN and a normal VPN are not much different. For example, the IPsec protocol used in this guide is one of the most popular protocols in the world for establishing normal VPNs. The main difference lies not in the tunnel and protocol itself but in the fact that a normal VPN uses this tunnel to connect users to a centralized server, whereas a site-to-site VPN connects the end user’s network to another network rather than a server. With this change also comes a set of advantages and disadvantages that I will now go over.

Advantages of Site to Site VPN

Here are the main advantages that a site-to-site VPN has to offer. Do note that these advantages are situational, and some of them may not apply depending on the nature of your specific site-to-site VPN. However, in general, they apply in principle. So keep them in mind.

Secure Base Level Connection

IPsec, one of the most common protocols used for tunneling both remote access VPNs and site-to-site VPNs, is encrypted. So all the data sent on your behalf between the two networks in an IPsec site-to-site VPN is protected in transit. Even if a hacker does intercept the traffic between the two sites, all the data that he or she would see would be in encrypted form, making eavesdropping on it impractical. Despite this high level of base security, there are certain drawbacks to site-to-site VPN security as well that I will get to further down the article.

Easy to Understand Architecture

Since a site-to-site VPN joins networks rather than connecting individual clients to a server, there is no need to translate internal addresses between the sites. All the sites involved in this VPN scheme can instead use each other’s internal addresses and ranges directly. This makes a site-to-site VPN an easier VPN option to establish. Especially for businesses that use a large number of computers and networks, it is highly advantageous to go for a site-to-site VPN, as each network can be reached as it is. However, this high number of networks needs management, which I will mention further down. A VPS is a great way to get a second network to establish a site-to-site VPN with. You can read my list of the 10 best VPS options for VPN in 2024!

Access Control

With a site-to-site VPN, you can much more easily define access controls for different sets of users as the admin of the network. Since the entire architecture of a site-to-site VPN relies on internal users within the established network connecting to each other, you can easily block all external access to the server. This enhances the security of the network as a whole and also prevents resources from being consumed by external users. You can also define access layers within the network architecture in order to grant or take away access for different user groups based on your preferences. In this aspect, a site-to-site VPN is much more configurable in its deployment options compared to a traditional remote access VPN.

Good in Tight Restrictions

As mentioned, the Mikrotik site-to-site VPN is highly effective when state-sponsored internet restrictions get increasingly tight and normal VPNs begin to lose their utility. This is because, as opposed to traditional VPNs that connect to a specific server on a specific port, a site-to-site VPN can use any network as a host for the VPN, which makes tracking and blocking all the ports that carry the connection impossible. Therefore, as long as the VPN protocol of choice is working, you can use different networks to create a site-to-site VPN and bypass internet restrictions.

Site to Site VPN Disadvantages

Here are the most common disadvantages of a site-to-site VPN. It’s important to note that these drawbacks might be negligible depending on your specific needs, but in general, they are applicable.

Lack of Scalability

The most important drawback of a site-to-site VPN is its lack of proper scalability. Since a site-to-site VPN requires a point-to-point connection, a unique set of credentials is required for each additional pair of sites connected using a site-to-site VPN. This may not seem like a big deal at first, but if you have a large network that requires a site-to-site VPN, then the number of required VPNs will also increase exponentially with each pair of sites that you wish to connect. This severely hampers scalability. However, if managing the high number of VPNs and the costs are not a concern for you, this will not be a major issue.

Poor Routing

In order to provide proper security on top of the base-level security that is provided by the site-to-site VPN itself, some organizations have little choice but to route all connections through a central hub so they can be vetted for security reasons. This is a major issue: if you have a large number of sites connected to each other within the network, this process places a heavy load on the network and causes a lot of latency. This can be thought of as another form of inefficient scalability in site-to-site VPNs.

No Integrated Security

While I did mention the IPsec encryption as one of the security advantages of site-to-site VPNs, that is not an integrated security option, meaning it is not part of the bare-bones networks that you use to establish the connection. This in turn means that most of the added security needs to be manually configured for connections involving more than two networks that are facilitated by access points. In other words, if you are looking for more security than is provided at the base level, the site-to-site VPN is essentially only as safe as you make it.
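The "access layers" and the manually configured security that the two passages above describe look like this in RouterOS terminal syntax. This is an added example, not configuration from the original article: forward-chain firewall rules on the Office 1 router that only accept remote-site traffic that actually arrived decrypted through an IPsec policy, and then restrict what the remote site may reach. It assumes RouterOS 6.45 or later, the two LAN blocks the guide uses later (10.10.11.0/24 for Office 1, 10.10.12.0/24 for Office 2), and a hypothetical file server 10.10.11.10 and admin workstation 10.10.12.50; those hosts and ports are constructed for illustration.

```routeros
# Office 1 router: forward-chain rules for traffic arriving from Office 2 over the tunnel.
# Added example (RouterOS 6.45+ syntax); hosts and ports are constructed placeholders.
/ip firewall filter

# Allow return traffic for anything already established or related
add chain=forward connection-state=established,related action=accept comment="tunnel: return traffic"

# Anything claiming to come from the Office 2 LAN that did NOT arrive decrypted
# through an IPsec policy is spoofed or misrouted: drop it before any allow rule.
add chain=forward src-address=10.10.12.0/24 ipsec-policy=in,none action=drop comment="tunnel: drop Office 2 addresses outside IPsec"

# Access layer 1: the whole Office 2 LAN may reach the file server, HTTPS only
add chain=forward ipsec-policy=in,ipsec src-address=10.10.12.0/24 dst-address=10.10.11.10 protocol=tcp dst-port=443 action=accept comment="tunnel: Office 2 -> file server HTTPS"

# Access layer 2: only the Office 2 admin workstation may reach Office 1 hosts over SSH
add chain=forward ipsec-policy=in,ipsec src-address=10.10.12.50 dst-address=10.10.11.0/24 protocol=tcp dst-port=22 action=accept comment="tunnel: Office 2 admin -> SSH"

# Everything else from the tunnel is logged and dropped; the log prefix makes
# misconfigured or unexpected cross-site traffic easy to spot in /log print
add chain=forward ipsec-policy=in,ipsec src-address=10.10.12.0/24 action=drop log=yes log-prefix="tunnel-deny" comment="tunnel: default deny"
```

The ipsec-policy matcher is what makes this work: it lets a filter rule distinguish packets that were decapsulated by an IPsec policy from packets that merely carry a remote-site source address, so the first drop rule closes the spoofing gap that a plain src-address match would leave open. Mirror the same structure on the Office 2 router with the address roles swapped.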

Requires Direct Management

Although establishing a single VPN connection between two sites is rather straightforward using Mikrotik’s RouterOS, as the number of site pairs increases, managing the networks and the tunnels becomes an increasingly demanding task. Aside from this, managing WAN networks tends to be inherently difficult as well. So you either need to be well versed in managing these networks yourself, or, if you are implementing a large number of site-to-site VPN connections as part of your business plan, you need an IT expert to directly manage the network for you at all times.

What Is the IPsec Protocol?

Now that we know all we need to know about what a site-to-site VPN is, how it works, and its advantages and disadvantages, it’s also a good idea to quickly familiarize ourselves with the qualities and properties of the IPsec protocol, since this will be the protocol of choice for today’s guide.

IPsec, or Internet Protocol Security, is a suite of protocols designed to safeguard data communication over Internet Protocol (IP) networks by authenticating and encrypting each IP packet in a data stream. IPsec is widely utilized in virtual private networks (VPNs) due to its robust focus on securing connections, making it an essential tool for maintaining privacy and integrity in data transfers.

The applications of IPsec extend beyond VPNs. Its robust security features make it suitable for protecting online financial transactions, sensitive government data, medical records, and corporate information. The protocol is versatile in securing any data that traverses untrusted networks.

However, it is important to clarify that IPsec, while secure, is not inherently easier for governments to disable compared to other VPN protocols. The challenge in disabling IPsec effectively across a network without disrupting other services is significant. Instead, governments may employ comprehensive internet control strategies that impact various protocols, including IPsec, but there’s no inherent vulnerability in IPsec that makes it uniquely susceptible to government shutdown.


Setup Mikrotik Site to Site IPsec VPN

First, you will need two separate Mikrotik RouterOS-powered networks in order to establish an IPsec site-to-site VPN. I will put the configuration of each of these networks below for educational purposes, but do note that your networks will have different credentials, so keep that in mind when configuring your VPN using this guide:

1- Office 1 Router WAN IP: 192.168.70.2/30 and LAN IP Block 10.10.11.0/24

2- Office 2 Router WAN IP: 192.168.80.2/30 and LAN IP Block 10.10.12.0/24

Step 1: Configure Your Mikrotik RouterOS Office 1

After you have logged in to your RouterOS on office 1, via either the free trial or the purchased license, it’s time to configure it. Click on the plus sign within the new address tab. Now in the WAN IP box, enter the following address: 192.168.70.2/30. Then select the Ether1 option for your WAN interface. Click on the plus sign again and this time enter the following address as your LAN IP: 10.10.11.1/24. Choose Ether2 for your LAN interface.

Once you have done this, it’s time to configure the DNS and the firewall. Head to the IP section and then the DNS section, and enter the 8.8.8.8 address as your server input. Then head to the firewall and into the NAT section. Click on the plus sign again and, in the general section, select the srcnat option from the chain dropdown, then go into the action tab. Here choose masquerade as the action and apply the changes.

Finally, head into the IP section again, click on the plus sign, and in the gateway box enter the following WAN address: 192.168.70.1. Apply and exit. You have now configured the first Mikrotik site.

Step 2: Configure Your Mikrotik RouterOS Office 2

With the first server configured, it’s time to do the same process for the second Mikrotik Router site, known in this guide as Mikrotik RouterOS Office 2.

After you have logged in to your RouterOS on office 2, click on the plus sign within the new address tab. Now in the WAN IP box, enter the following address: 192.168.80.2/30. Then select the Ether1 option for your WAN interface. Click on the plus sign again and this time enter the following address as your LAN IP: 10.10.12.1/24. Choose Ether2 for your LAN interface.

Once you have done this, it’s time to configure the DNS and the firewall. Head to the IP section and then the DNS section, and enter the 8.8.8.8 address as your server input. Then head to the firewall and into the NAT section. Click on the plus sign again and, in the general section, select the srcnat option from the chain dropdown, then go into the action tab. Here choose masquerade as the action and apply the changes.

Finally, head into the IP section again, click on the plus sign, and in the gateway box enter the following WAN address: 192.168.80.1. Apply and exit. You have now configured the second Mikrotik RouterOS site.

Step 3: Peer IPsec Configuration for Office 1 RouterOS Site

Since we are going to use the IPsec protocol, we need to perform the peer configuration for both of our Mikrotik RouterOS sites. The process is not complicated and is the same for both RouterOS sites, the only difference being the address we are going to use.

Head into the IP section again, and this time go to the peer tab. Here click that friendly plus sign once more, and in the newly opened IPsec peer window, enter the IP address of your office 2 RouterOS site. Be careful not to put in the IP address of your first site! In this case, the address is: 192.168.80.2. In the port input, put 500 as your desired port.

In the dropdown menu for the authentication method, choose the pre-shared key option. Then choose a secure password of your choosing, which must be the same on both sites. Save and apply. You have successfully completed the IPsec peer configuration on your Office 1 RouterOS site.

Step 4: Peer IPsec Configuration for Office 2 RouterOS Site

The process is the same for the Office 2 RouterOS site. We simply swap out the address we used in the previous step for the address of the Office 1 RouterOS site. Head into the IP section again, and this time go to the peer tab. Here click the plus sign once more, and in the newly opened IPsec peer window, enter the IP address of your office 1 RouterOS site. Be careful not to put in the IP address of your second site! In this case, the address is: 192.168.70. In the port input, put 500 as your desired port.

In the dropdown menu for the authentication method, choose the pre-shared key option. Then enter the same secure password that you provided in the previous step. Save and apply. You have successfully completed the IPsec peer configuration on your Office 2 RouterOS site.

Step 5: Policy Configurations for IPsec in Office 1 RouterOS Site

After configuring the peer options for IPsec, we now move on to the policy configuration. As in the previous steps, the process is largely the same for both Office RouterOS sites.

Once again, head into the IP section and then to the policies tab, and click on the plus sign. Now you will see the policies tab. Navigate to the general tab and enter the source address for Office 1 (10.10.11.0/24). In the port section, make no changes, so that the policy applies to all ports.

In the address section, enter the destination address (Office 2), which is: 10.10.12.0/24. Go to the action tab and make sure the tunnel checkbox is ticked so that tunnel mode is enabled. In the proposal tab, select the default option, then save and apply to finish the policy configuration for your Office 1 RouterOS site.

Step 6: Policy Configurations for IPsec in Office 2 RouterOS Site

Repeat the above process in step 5 for the Office 2 RouterOS site, with attention to altered addresses and inputs. 

Head into the IP section and then to the Policies tab, and click on the plus sign. Now you will see the policies tab. Navigate to the general tab and enter the source address for Office 1 (10.10.11.0/24). In the port section, make no changes, so that the policy applies to all ports.

In the address section, enter the destination address (Office 2), which is: 10.10.12.0/24. Go to the action tab and make sure the tunnel checkbox is ticked so that tunnel mode is enabled. In the proposal tab, select the default option, then save and apply to finish the policy configuration for your Office 2 RouterOS site.

Step 7: NAT Configuration for Office 1 RouterOS Site

Finally, before establishing the connection itself, we need to configure the NAT for both the Office 1 and Office 2 RouterOS sites that we are going to connect as part of our RouterOS site-to-site VPN. This step is also the same for both sites, with only the addresses and inputs varying.

Head into the IP section once again and click on the firewall section, and then the NAT section. Here once again, click the plus sign to bring up the NAT rules tab. Head into the general tab and choose the srcnat option.

In the src.address input, enter the Office 1 LAN address: 10.10.11.0/24. Now in the dst.address input, enter the Office 2 LAN address: 10.10.12.0/24. Head into the action tab and choose accept. Save and apply. Now the NAT configuration for the Office 1 RouterOS site is finished.

Step 8: NAT Configuration for Office 2 RouterOS Site

Repeat the same process for the Office 2 RouterOS site. Pay attention to the addresses.

Head into the IP section once again and click on the firewall section, and then the NAT section. Here once again, click the plus sign to bring up the NAT rules tab. Head into the general tab and choose the srcnat option.

In the src.address input, enter the Office 2 LAN address: 10.10.12.0/24. Now in the dst.address input, enter the Office 1 LAN address: 10.10.11.0/24. Head into the action tab and choose accept. Save and apply. Now the NAT configuration for the Office 2 RouterOS site is finished.
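The eight GUI steps above, expressed as RouterOS terminal commands, followed by the checks that confirm the tunnel is actually up. This is an added example, not configuration from the original guide, and it assumes RouterOS 6.45 or later (including v7), where the peer's pre-shared key lives under /ip ipsec identity rather than on the peer itself. The addresses and interfaces are the guide's; the profile and proposal names (office-ike, office-esp), the explicit IKEv2 and AES-256/SHA-256/modp2048 choices in place of the guide's default proposal, the pre-shared key placeholder, and the two input-chain firewall rules (which assume a default-deny input chain) are this example's assumptions.

```routeros
# Added example, not from the original guide: the guide's eight steps as RouterOS
# 6.45+/v7 terminal commands. Names, cipher choices and the PSK placeholder are assumptions.

### Office 1 (WAN 192.168.70.2/30 on ether1, LAN 10.10.11.0/24 on ether2)

# Step 1: addresses, DNS, default route, Internet NAT
/ip address add address=192.168.70.2/30 interface=ether1 comment="WAN"
/ip address add address=10.10.11.1/24 interface=ether2 comment="LAN"
/ip dns set servers=8.8.8.8
/ip route add dst-address=0.0.0.0/0 gateway=192.168.70.1
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="Internet NAT"

# Step 3: IKE (phase 1) settings. The guide keeps the defaults; this example pins
# IKEv2 and the algorithms explicitly so both sides negotiate exactly the same thing.
/ip ipsec profile add name=office-ike hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec peer add name=office2 address=192.168.80.2/32 port=500 exchange-mode=ike2 profile=office-ike
/ip ipsec identity add peer=office2 auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK"

# Step 5: ESP (phase 2) proposal and the tunnel-mode policy between the two LANs
/ip ipsec proposal add name=office-esp auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy add peer=office2 tunnel=yes src-address=10.10.11.0/24 dst-address=10.10.12.0/24 action=encrypt proposal=office-esp

# Step 7: NAT bypass. place-before=0 puts this rule ABOVE the masquerade rule;
# otherwise masquerade rewrites the source address first and the policy never matches.
/ip firewall nat add chain=srcnat src-address=10.10.11.0/24 dst-address=10.10.12.0/24 action=accept place-before=0 comment="no NAT for tunnel"

# Only the peer may talk IKE/ESP to this router (assumes a default-deny input chain)
/ip firewall filter add chain=input src-address=192.168.80.2 protocol=udp dst-port=500,4500 action=accept comment="IKE from Office 2"
/ip firewall filter add chain=input src-address=192.168.80.2 protocol=ipsec-esp action=accept comment="ESP from Office 2"

### Office 2: the same, with the roles swapped (steps 2, 4, 6, 8)
/ip address add address=192.168.80.2/30 interface=ether1 comment="WAN"
/ip address add address=10.10.12.1/24 interface=ether2 comment="LAN"
/ip dns set servers=8.8.8.8
/ip route add dst-address=0.0.0.0/0 gateway=192.168.80.1
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="Internet NAT"
/ip ipsec profile add name=office-ike hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec peer add name=office1 address=192.168.70.2/32 port=500 exchange-mode=ike2 profile=office-ike
/ip ipsec identity add peer=office1 auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK"
/ip ipsec proposal add name=office-esp auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy add peer=office1 tunnel=yes src-address=10.10.12.0/24 dst-address=10.10.11.0/24 action=encrypt proposal=office-esp
/ip firewall nat add chain=srcnat src-address=10.10.12.0/24 dst-address=10.10.11.0/24 action=accept place-before=0 comment="no NAT for tunnel"
/ip firewall filter add chain=input src-address=192.168.70.2 protocol=udp dst-port=500,4500 action=accept comment="IKE from Office 1"
/ip firewall filter add chain=input src-address=192.168.70.2 protocol=ipsec-esp action=accept comment="ESP from Office 1"

### Checks, run on Office 1 after both sides are configured

# The peer should be listed as established
/ip ipsec active-peers print
# One SA per direction, showing the negotiated algorithms
/ip ipsec installed-sa print
# The policy's ph2-state should read "established"
/ip ipsec policy print
# Source the ping from the LAN address so it matches the policy and crosses the tunnel
/ping 10.10.12.1 src-address=10.10.11.1 count=3
# Mismatched PSK or proposal errors show up here
/log print where topics~"ipsec"
```

The two details the GUI walkthrough leaves implicit are the order of the srcnat rules (the accept rule must sit above masquerade, hence place-before=0) and the source address of the test ping: a ping from the router's WAN address does not match the 10.10.11.0/24 policy and will never enter the tunnel, which is a common reason a "working" tunnel appears dead during testing.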

Congratulations! You can now safely establish the connection between your two RouterOS sites and enjoy your very own Mikrotik site to site VPN!

Remote Access VPN vs. Site to Site VPN: Which One Is for You?

Choosing between a Remote Access VPN and a Site-to-Site VPN largely depends on your specific needs and network requirements.

Remote Access VPN is ideal if your primary goal is to encrypt your data and secure your internet connection. It is also suitable for individuals looking to bypass internet blocks and access geo-restricted content, such as specific Netflix libraries. This type of VPN provides a straightforward solution for users needing secure, remote access to a network from different locations.

Site-to-Site VPN, on the other hand, is better suited for connecting network resources between two fixed locations, such as between office branches. This VPN type essentially creates a “bridge” that allows multiple users in different fixed locations to access each other’s resources as if they were on the same local network. It’s particularly valuable for small to medium-sized businesses that need consistent, reliable network access across multiple offices. However, it’s important to note that as the number of sites increases, managing these VPN connections can become complex.

Site-to-Site VPNs also provide an advantage in environments where internet censorship targets typical VPN ports and servers, diminishing the effectiveness of standard VPN services. In such cases, the robust configuration options of Site-to-Site VPNs can offer more resilient connectivity.

Ultimately, if you’re a single user or have simple security needs, a basic Remote Access VPN like L2TP VPN will likely meet your requirements. For organizations with multiple office locations needing regular, seamless interconnectivity, a Site-to-Site VPN is the more appropriate choice. Each type has its benefits and is best suited to different operational contexts.

Conclusion 

So, here we are finally, with all the questions about site-to-site VPNs, RouterOS, Mikrotik itself, and IPsec answered. If you found this guide useful or interesting and now want to start your own Mikrotik IPsec site-to-site VPN, chances are you have access to one network in your home or workplace but not a second one. In this scenario, our Mikrotik VPS is tailored to meet your needs. You’ll need to upload your own Mikrotik ISO, after which you can configure your own RouterOS instance to suit your specific requirements. This setup will enable you to efficiently establish a site-to-site VPN with minimal hassle.

Our cloud VPS starts cheaply at only $4.95, and it allows you to connect to more than 15 different locations around the world, with excellent latency and security, diverse payment options such as Bitcoin and other cryptocurrencies, flexible billing, and a 7-day money-back guarantee to ensure you of the quality of the service.

FAQ

Is Site-to-Site VPN Secure?

Yes, a site-to-site VPN has a decent level of base security compared to normal VPNs. It establishes a protected network connection between two or more locations over the internet, enabling secure communications by encrypting data before it travels through a potentially unsafe network.

What is the Best Site to Site VPN Service?

While there are several reliable options out there such as Atlas, NordVPN, and IPVanish, Mikrotik site-to-site VPN is by far the most advanced and configurable of the bunch.
