☁️Easy IPSEC Site-To-Site VPN Guide, MikroTik ROSv7☁️

  • Published 4 Oct 2024

Comments • 158

  • @bastian9945
    @bastian9945 1 year ago +4

    "Just some Random guy covering Mikrotik Configurations ....." Top 2% of Informational Videos on YT. You're not just covering but also explaining everything man GG.

  • @todornikolov2063
    @todornikolov2063 5 months ago +1

    Thanks for all great lessons :) You can add subscription $5 or $10, because now it jumps from $1.99 to $20 and nothing between. Cheers and keep up the excellent work!

  • @mikkio5371
    @mikkio5371 1 year ago +1

    6 months ago I was very confused, being a newbie back then. But today I revisited, and I noticed you did a very beautiful job on this. Now I understood everything clearly. Check within, you will see my previous comment when I was a newbie. Thanks.

  • @GodAboveAll777
    @GodAboveAll777 1 year ago +2

    Thank you very much! I've never used MikroTik before and have a site to site IPSEC project coming up. You made this very simple to understand! Thanks again

  • @Chris2wick
    @Chris2wick 2 years ago +6

    This is by far the best ipsec guide for MikroTik on TH-cam! I have had MikroTik for years and never got the ipsec settings and firewall rules quite right. I learned a lot! Thank you!

  • @9lay_music
    @9lay_music 16 days ago

    Great IPSEC guide, thank you!

  • @netrionio1
    @netrionio1 1 year ago +8

    You officially are my IT professor! Amazing video , amazing content. Thank you that you are doing it for free.

  • @ivanganchev8066
    @ivanganchev8066 1 year ago +3

    Just perfect. Exactly what you need for a site-to-site tunnel, no bull$hit. Just excellent! Thank you bro!

  • @ivanmolecular
    @ivanmolecular 6 months ago +1

    Amazing video, easy to understand, your ipsec guide is perfect. Thanks so much.

    • @TheNetworkBerg
      @TheNetworkBerg 6 months ago

      Appreciate the nice feedback

  • @tamaspeter3599
    @tamaspeter3599 1 year ago +2

    Thank You! Easy to understand!

  • @tamasiferenc9033
    @tamasiferenc9033 1 year ago +1

    Hi. Your explanations are nice to hear, easy to understand. Made my day.

    • @TheNetworkBerg
      @TheNetworkBerg 1 year ago

      I am happy if my video has made things a bit easier for you. Thanks for letting me know :)!

  • @I9Chris6I
    @I9Chris6I 2 years ago +1

    Thank you! Worked first try!

  • @nicedreams726
    @nicedreams726 1 year ago

    This helped me out so much for understanding everything. With a little more research I was able to make a script with variables and couple more options for lots of remote sites.

  • @geoffvandermerwe6220
    @geoffvandermerwe6220 2 years ago +1

    Sweet man! Thank you so much for this video!!!! You rock dude !

  • @blonn
    @blonn 3 months ago

    Great explanation, thank you so much 🙏🏼

  • @mazubamwanamoonga5741
    @mazubamwanamoonga5741 8 months ago +1

    Great Tutorial

  • @MiDiCur
    @MiDiCur 1 year ago

    I agree with Chris Wick, it is the best ipsec guide I have seen. Unfortunately it only shows when all goes well. In my case I got an error "no proposal chosen" in the log file. I checked and double checked and am probably overlooking something. Some feedback on possible things that can go wrong would be appreciated. Thanks, Michael

    • @TheNetworkBerg
      @TheNetworkBerg 1 year ago

      Just remember IPSEC is VERY sensitive and it takes TWO TO TANGO, even if all your configuration is correct on your side if the other end does not match correctly then the tunnel will also not come up. Your error does sound more like an issue with how the proposals were configured. I would suggest reviewing the proposals or posting your config with sensitive information hashed out on the MT forums or Reddit for further help.

    • @MiDiCur
      @MiDiCur 1 year ago

      @@TheNetworkBerg The tunnel is up. I cannot access any hosts on either side of the tunnel. All pings to either the local address of each router or any host time out. I went over your excellent video 4 times and made screen prints from the configurations of both routers. Compared all the settings for correctness. Can't find anything on the web that would clarify or solve the ping/connection issue. I could send you a Dropbox link with the configuration of both routers.

    • @Bidon47
      @Bidon47 8 months ago

      @@MiDiCur did you find any solution?

  • @kamranitsolution4u
    @kamranitsolution4u 2 years ago +1

    Thanks for such a nice and informative video. I am new to MikroTik but watching your videos taught me a lot, thanks again

  • @gunchag
    @gunchag 2 years ago

    IKEv2/IPSec server guide would be really good! :)

  • @pedregossa
    @pedregossa 2 years ago +1

    Extremely good!!! Thank you!

  • @hyankh2365
    @hyankh2365 7 months ago

    Thank you, your accent is very clear, GG

  • @shamindanishan1
    @shamindanishan1 2 years ago +1

    Awesome..!! great content as always.!

  • @constantin286
    @constantin286 1 year ago +1

    Thank you for your series, they are amazing. I would love to see a similar IPSEC S2S tutorial with dynamic DNS endpoints on both sides.

    • @TheNetworkBerg
      @TheNetworkBerg 1 year ago +1

      Thanks for the idea! Will see what we can play around with using some scripting

    • @constantin286
      @constantin286 1 year ago

      @@TheNetworkBerg Weird, looks like my earlier comment was deleted - did I post something inappropriate? I previously (and with a lot of pain) set up a IPSEC S2S with DDNS on edgerouter and I don't recommend that to anyone who values their hair or time. A lot of undocumented stuff that has to be found and implemented. However, I would love to see a DDNS VPN setup in IPSEC, Wireguard, or VPN of your choice to link two home networks together, using Mikrotik routers as the primary gateway in both sites. Think vacation home, road warrior with a dynamic home IP, etc. Thank you!

    • @TheNetworkBerg
      @TheNetworkBerg 1 year ago +1

      @@constantin286 the only comment I have seen from you is the one that I replied to. TH-cam does sometimes tend to mark comments as inappropriate the moment you use stuff like hostnames or IP addresses. Probably as a means of combating spam/phishing attacks.

  • @chaeyne
    @chaeyne 1 year ago

    Top stuff. Thank you TNB for upload!

  • @eroloner7765
    @eroloner7765 7 months ago

    Thanks for all these great MT videos. Can we do a site-to-site between two hAP ax3 over ZeroTier? That could be a nice new video! 🙂

  • @mikkio5371
    @mikkio5371 1 year ago

    At the CLI for the peer @17:11 he knew he was going to f..k us up, and said "don't worry guys, it's really not going to be that bad", and it went bad for newbies. 😂😂😂😂... nice job though my mentor 👍👍👍👍

  • @UsmanAli-jc5ww
    @UsmanAli-jc5ww 1 year ago +1

    Very nice video

  • @the-imge
    @the-imge 1 year ago

    You are amazing. Your video helped me. Thank you so much

  • @salvadorelvira2187
    @salvadorelvira2187 1 year ago +1

    very best, you're a nice professor

  • @jeffburnham8322
    @jeffburnham8322 1 year ago +1

    Great video... *subscribed ... ;)

  • @ajgeldenhuys1621
    @ajgeldenhuys1621 7 months ago

    Hi there, you forgot to show the part of inputting the default routes pointing to each site. Good video, thanks

  • @gwcloete1072
    @gwcloete1072 2 years ago +1

    Awesome video, thanks

  • @igorigorr1019
    @igorigorr1019 2 years ago +1

    Connection established, firewall rules up but no ping between routers!
    Only when I add a new route on MK does ping start

  • @JaZzDeOliveira
    @JaZzDeOliveira 2 years ago

    Great video, thank you

  • @survivingnetworkingandit2084
    @survivingnetworkingandit2084 2 years ago +1

    The only thing I dislike about MikroTik IPSec tunnels is that they don't create an interface over which to easily create static or dynamic routes. Currently have to use L2TP/IPsec tunnels or GRE/IPsec tunnels.

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago

      Yeah that is definitely a drawback, and another reason why so many people are preferring something like Wireguard on MikroTik. It is strange because other vendors do tend to add a tunnel interface. It also makes understanding how traffic routes a bit more difficult since traffic being encrypted over the IPSEC tunnel does not show up in the routing table.

  • @dubterraneosistemadesom6502
    @dubterraneosistemadesom6502 1 year ago +1

    Thanks. Saved my life man!

  • @palandiagmail
    @palandiagmail 2 years ago +2

    Thank you Very much for your video about IPSEC!

  • @bojanaranelovic2937
    @bojanaranelovic2937 4 months ago

    Excellent guide, thank you! Question: Can 2 devices that are on the same LAN (same IP) connect on the same L2TP/IPsec vpn server at the same time?

  • @jeytis72
    @jeytis72 1 year ago

    AWESOME! Thanks

  • @NevaranUniverse
    @NevaranUniverse 10 months ago

    Which site is the host and which is the client , technically? And could you do a video where it is a Site-to-client?

  • @call-me-potato.
    @call-me-potato. 1 year ago

    nice man, well done.

  • @gaming-craig
    @gaming-craig 2 months ago

    i had to add a firewall filter rule to make phase 2 establish: accept, input, Protocol 17 udp, destination port 4500. idk why.

  • @mrb2843
    @mrb2843 2 years ago +1

    Any chance of doing a vid on multiple NAT ipsec tunnels? i.e. multiple offices connecting to a central office where each MikroTik sits behind a standard ISP broadband router

  • @palwindersingh9678
    @palwindersingh9678 2 years ago

    Hey, Network Berg, can you make a tutorial on a road warrior setup for IPSec as well? Just like you did with WireGuard. Thanks

  • @TheNetworkBerg
    @TheNetworkBerg 2 years ago +4

    Hey there, here's some of the reference material. Feel free to use it with the video to either get a better understanding of IPSEC or the different types of setups you can use this for :)
    As some people pointed out in the comments, you can view the IPSEC secret by exporting the configuration with the show-sensitive command. I had never had to extract a key from a MikroTik so was not aware of it either. Thanks guys!
    What is IPSEC:
    www.cloudflare.com/learning/network-layer/what-is-ipsec/
    MikroTik IPSEC Wiki:
    help.mikrotik.com/docs/display/ROS/IPsec
    Wiki Docs:
    en.wikipedia.org/wiki/IPsec#:~:text=In%20computing%2C%20Internet%20Protocol%20Security,virtual%20private%20networks%20(VPNs).
    en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol
    en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

    • @jeytis72
      @jeytis72 2 years ago

      In which cases is worth using IPSEC over Wireguard...and the other way round? Thanks

    • @mikkio5371
      @mikkio5371 1 year ago

      @jeytis72 I think WireGuard has a preferred throughput over IPsec. He did a video on different VPNs. But both are very secure.

  • @teoupenieksbracco885
    @teoupenieksbracco885 2 years ago +1

    good hack, good job man

  • @jjrs.programas
    @jjrs.programas 1 year ago

    Thank you very much, it works perfectly.

  • @ronaldquishpe6606
    @ronaldquishpe6606 2 years ago +2

    Great video! Could this be done if one of the routers doesn't have an IP reachable from the other router? Let's say MikroTik A has a public IP on the WAN interface and MikroTik B just has a private IP on the WAN interface.

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago +1

      Yes it can be done in this manner as long as NAT-T is running you should be able to create a type of "dialup" VPN.

    • @douglashammes995
      @douglashammes995 2 years ago

      @@TheNetworkBerg
      WONDERFUL, this was also a question of mine. Can you explain better how to make this configuration without the reachable IP on both sides?

  • @abdullahahmed8624
    @abdullahahmed8624 2 years ago

    Great explanation. This will be my favorite channel. This is what I was looking for. You are a beloved teacher. Is it possible that the destination address is a virtual server (VPS)?
    Is it possible to have the router ROS in a virtual server (VPS) and the destination address in another virtual server (VPS)?

  • @networkwarriors4499
    @networkwarriors4499 1 year ago

    Thanks

  • @atifalisanwal9347
    @atifalisanwal9347 9 months ago

    Nice demonstration.
    One question is in my mind: do we need to add any firewall rule in MikroTik to get the ipsec goal???
    Or in my case, if the A side is MikroTik and the B side is Fortinet, then???

  • @junjun22able
    @junjun22able 2 years ago

    Hello, this really helped me a lot! Thank you! But I have a problem or question: why can't I map a network drive, even though I can ping the NAS device?

  • @LeonardoOliveira-vb7ds
    @LeonardoOliveira-vb7ds 1 year ago

    Excellent explanation Master, thanks for the valuable tips. I applied it on an OCI server and managed to get it working correctly, but I have a problem: I have a VPN on RB1, and when connecting via OpenVPN client I can't communicate with the LAN IP on the other side of the tunnel. I put the VPN DHCP range in the policies, sending it to my remote network, but I have no communication. Do you have any idea how I could solve this?

  • @marjoni
    @marjoni 2 years ago

    good job

  • @d3leto
    @d3leto 1 year ago +1

    Hi Man
    Thank you for the video. We did the same configuration on two MikroTik routers, step by step as mentioned in this video. The tunnel is established but traffic is not being passed through the tunnel. The PC connected to each router is also not able to ping the other PC connected to the 2nd router, nor ping the LAN interface on the other side's router.
    Please help me if I am missing something. Some configuration needs to be done on the interfaces or in the routes before this IPsec configuration.
    Regards

    • @TatuMihai
      @TatuMihai 1 year ago

      i faced the same issue!

    • @dubanfelipemorenoayala6440
      @dubanfelipemorenoayala6440 7 months ago

      Hi, I also have the same problem, did you manage to solve it?

  • @hit-757
    @hit-757 2 years ago

    I switched to wireguard but it's always nice to see your videos. Thx for the content.
    BTW, It is possible to export the secret with /ip ipsec/identity/export show-sensitive.
    Unfortunately we can't export system users' password this way.

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago +1

      Yeah wireguard is also a favorite of mine for MT to MT :D, though IPSEC is still pretty handy when connecting to another vendor, especially to firewalls like a FortiGate or Palo Alto. Thanks for the tip about show-sensitive, didn't even consider doing that while making the video.

    • @kresimirpecar4925
      @kresimirpecar4925 2 years ago

      Excellent video as always, you never let us down :D I don't know how it is in other countries, but I have big trouble getting MikroTik devices... Switches, APs...

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago

      @@kresimirpecar4925 I think the chip shortage affects all vendors. Some networking gear is on backorder for months+. These are pretty crazy times we are living in.

    • @kresimirpecar4925
      @kresimirpecar4925 2 years ago

      @@TheNetworkBerg Yeah... Bad times indeed... On one site I have a MikroTik router, Ubiquiti switch and TP-Link AP... (Temporary setup, as the ETA on MikroTik gear is unknown...)

  • @lekalili
    @lekalili 1 year ago

    Hello TheNetworkBerg, thanks for your amazing videos. I have a question related to this configuration, is it safe enough to setup something like this on production?

  • @kajalpatle3925
    @kajalpatle3925 2 years ago +1

    Hello, did you ever try to make two IPSEC connections between the MikroTik devices for redundancy? I searched about this a lot but didn't get the correct response. I wanted to make the setup between Site A and Site B; my IPSEC tunnel is working fine but on Site A there are two MikroTik routers for redundancy. According to the requirement, when one router goes down at Site A I need to achieve the connectivity via failover between the two IPSEC tunnels. It will be great if you suggest something.

  • @bostjanfras8530
    @bostjanfras8530 1 year ago

    Hi, great videos. I created an IPSEC tunnel via two hAP ac2 based on your video, everything works (ping, Win shares...), except Winbox over the VPN tunnel. ROS 7.6. Any ideas? :) Thanks.

  • @vacbed
    @vacbed 1 year ago

    Great tutorial. I got the site to site VPN running by following your guide. However, I don't understand why it is recommended to use NAT instead of an FW rule to accept the traffic from the other site? Instead of NAT I made a basic input FW rule and it does the same thing as far as I understand. There isn't a need for network address translation, or maybe I'm missing something?

  • @ika9
    @ika9 1 year ago

    Hi, your videos are a great help to us. Thank you for your sharing and time. I have a small question: in my ipsec address for the other destination B I don't have a static IP; can I use cloud DDNS in MikroTik as the address? Thank you

  • @uyiogankpolor4502
    @uyiogankpolor4502 2 years ago

    How do I build a virtual lab like yours? Please do a video tutorial

  • @chasmai8423
    @chasmai8423 1 year ago

    subscribed

  • @ibrahimarif6966
    @ibrahimarif6966 2 years ago

    Thanks for the videos. Do we need to do any port forwarding in the modem?

  • @ifthenelse2461
    @ifthenelse2461 7 months ago

    The problem: from the LAN under MikroTik 2, I can ping to the LAN under MikroTik 1, but from the LAN under MikroTik 1 I can't ping to the LAN under MikroTik 2.

  • @lekoalili2227
    @lekoalili2227 1 year ago +1

    Hello The Network Berg, thanks for your amazing tutorials.
    I have a question though: I have the same configuration as yours but the thing is that I have multiple IPSec tunnels (HQ, site-a, site-b, site-c). I defined each site separately to HQ but I cannot ping site-a from b or c. Is there any suggestion you may give me? Thank you very much.

    • @TheNetworkBerg
      @TheNetworkBerg 1 year ago

      Most likely your issue is your IPSEC policies and what traffic gets encrypted. To run the setup as a hub and spoke you will have to update the IPSEC policies to encrypt all traffic between all site subnets per tunnel.
      Alternative would be to create a meshed setup where you run tunnels between the branches and just set encryption there.

  • @christopheoudin3625
    @christopheoudin3625 2 years ago

    How can I use DDNS to configure the remote site public address? Do you have some example? Thank you. Great video!

    • @martinmcnamee4362
      @martinmcnamee4362 2 years ago

      Great question....
      I know there must be a way to use a name...

  • @istvankiraly9841
    @istvankiraly9841 1 year ago

    Something changed in ROS 7.7, my configs don't work after an update. It all looks fine, but no data transfer.

  • @chrisvermeulen2033
    @chrisvermeulen2033 9 months ago

    Hi, when you are back from leave, can you please help? I have configured the tunnel and it says established, but I see no data flow.

  • @Coffetek
    @Coffetek 1 year ago

    Hi! First of all, very big thanks for the guide!
    Anyway... I made everything like you did, but my ping doesn't go through... I checked my NAT rule and everything looks fine. Any idea?

  • @s0ulkiller
    @s0ulkiller 1 year ago

    I don't get it why you don't create any IPIP tunnel first or GRE etc? Is it necessary?

  • @wyoung1179
    @wyoung1179 2 years ago

    Good video! Thanks - Question: what's the best way to turn off this created IPSEC tunnel, if you don't want it running all the time? Like an on/off switch.

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago +1

      You could just go to the "Peer" tab and disable a peer that you do not want active, to re-activate it you simply need to enable the peer again. "On/Off Switch" ;)

    • @wyoung1179
      @wyoung1179 2 years ago

      @@TheNetworkBerg OK - Thanks

  • @edekedkowski5952
    @edekedkowski5952 5 months ago

    If I add an input accept rule, UDP protocol, all ports to FW Filter Rules, and under this rule I add an input drop rule, then pinging from network A to network B does not work. Do I then need to add a rule allowing pinging...?

  • @muhammadzeeshanshafi5412
    @muhammadzeeshanshafi5412 1 year ago

    Dear, I have a problem. On one router I have configured VLANs and the ipsec tunnel is not passing the traffic to the VLANs. How to achieve that? Can you please help me out?

  • @limon2108
    @limon2108 2 years ago

    Please show how to set up MikroTik to EdgeRouter ipsec

  • @mtagab007
    @mtagab007 8 months ago

    please create a video for azure site to site

  • @kevinblac2203
    @kevinblac2203 1 year ago

    Just followed every step, connection established but can't ping gateways or any host both ways. Anyone with a clue what would be wrong? ROS 7.7

  • @tersiuswhitehead5648
    @tersiuswhitehead5648 1 year ago

    Hey Berg, works well for me, thanks. Just wondering: if I add 5 sites that all need to connect back to my main site and maybe still see each other, do I just add profiles on the main RB for each of them, and just add the main site to them all once?

    • @TheNetworkBerg
      @TheNetworkBerg 1 year ago

      It should just be a case of updating the P2 proposals and IPSEC policies to get that done via a "Hub"; this is typically referred to as a hub and spoke topology. So in theory yes, you can have all remote sites communicate via the main site with some tweaking to your IPSEC

  • @lakromani8172
    @lakromani8172 2 years ago

    Thanks for a new nice video. At 19:40 you say that you can not see the password and you need to set a new if you forget it. Not true. You can see the password with "export show-sensitive". You should also show the "public" ip at the design drawing at the beginning of the video. Also why use L2TP/IPSec, when it seems that you can do all with IPSec?

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago +1

      Thanks for the tips, yeah another viewer pointed out the show-sensitive command 😀 L2TP is still very useful for adding remote sites into a vrf as a virtual interface is added on the router for it, whereas IPSEC works on a logical level. They just have different practical uses. Though if you want to bring remote sites in via IPSEC that is definitely still an option.

  • @NickCarter1974
    @NickCarter1974 2 years ago

    Hello, it's not working when connecting to GCLOUD infrastructure, since the router is showing my WAN address (172.x.x.x) instead of the public address. My internet connection comes from another firewall, but it's NATed 1:1 (WAN address to internet address). How can I tell the MikroTik to use the public address instead of the WAN address?

  • @dustojnikhummer
    @dustojnikhummer 1 year ago

    Maybe I missed it, but is it possible to do this when only one side has a public IP address? For example, I want tunnel between my network and my parents, without them having to pay (and expose their network) for a public IP

  • @Codename_47
    @Codename_47 2 years ago

    Hello from Bulgaria, very good video, thanks Network Berg.
    I have a question, is it possible for a mobile device to connect to one of these two devices A or B and the condition is to freely reach the local networks of both devices A and B?

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago +1

      Yes, although I think I might have a better solution with Wireguard. Video on that will be live later today :)

    • @Codename_47
      @Codename_47 2 years ago

      @@TheNetworkBerg I look forward to the video! There is no adequate video on this topic on TH-cam.
      I managed to connect my Android phone to router A on IKEv2, but unfortunately I can't tell it to reach the hosts connected to router B.
      With WireGuard I achieve the same result, I see only the hosts on router A. :( Thanks a lot for the quick response!

  • @smurfejus
    @smurfejus 2 years ago

    Ping and speed test don't work between routers!!! What firewall rule enables MikroTik router ping and speed test after this setup?

  • @alexhawes6690
    @alexhawes6690 1 year ago

    I've added the NAT rules so the 2 networks connected by IPsec can communicate. Even with this I get "no phase 2" unless I disable "drop all not coming from LAN" in the firewall. As far as I'm aware this is a big no-no, but I cannot get IPsec to work without disabling this rule

    • @alexhawes6690
      @alexhawes6690 1 year ago

      I created a firewall rule to allow from my public IP but still stuck on no phase 2

    • @alexhawes6690
      @alexhawes6690 1 year ago

      For anyone with the same issue: I fixed this by creating a firewall rule, accept input (src. address as remote LAN) (dst. address as local LAN), then I moved "drop all not coming from LAN" to the bottom of the firewall list

  • @miltonobonyo2357
    @miltonobonyo2357 1 year ago

    Hi good work, I have followed these steps on a newly reset mikrotiks, But I am not able to ping the other side of the tunnel. The tunnel is established but no data through. Are there other firewall rules to be added?

    • @Bidon47
      @Bidon47 8 months ago

      Did you find a solution for that?

  • @DCA_Strategy
    @DCA_Strategy 1 year ago

    Support Mikrotik route based ipsec tunnel?

  • @SehaDiriyah
    @SehaDiriyah 3 months ago

    do we need static public ip for this lab?

  • @ezatalhamody9334
    @ezatalhamody9334 1 year ago

    Thanks for this great explanation,
    I have established an IPsec tunnel to my AWS using v6.47.7 and it worked ok, but using v7.5 it didn't.
    Is there any reason why?

  • @muhammadasjad6686
    @muhammadasjad6686 1 year ago

    In ipsec peer section do we need static ip addresses??
    Like you entered 172....

  • @tashriqpandy3752
    @tashriqpandy3752 2 years ago

    Can layer 2 vpn be performed using ipsec? if so can there be a part two to this video?

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago

      IPSEC itself cannot do L2VPN, however, you could use another protocol inside of an IPSEC tunnel to do that like VxLAN, though be forewarned that the overhead may be a bit much.

  • @gramzon
    @gramzon 8 months ago

    I set this up and the peer is active, but there is no routing between the networks. There is also no IP>Route added to handle this traffic. I don't understand how this is supposed to work.

    • @TheNetworkBerg
      @TheNetworkBerg 8 months ago +1

      MikroTik does policy based VPN; the VPN policy that you configure, matched with the firewall, is handling the routing. If you manage both ends of the tunnel I would suggest debugging both ends and seeing what is happening with the packets. You might need to just adjust some policies/rules or even have them in an incorrect sequence

    • @gramzon
      @gramzon 8 months ago

      @@TheNetworkBerg I got it working eventually by adding some firewall rules, but in the end I abandoned this in favor of IPIP + IPsec. It is easier to understand for me since it creates an interface.
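The two threads above (alexhawes6690's "no phase 2" fix and TheNetworkBerg's point that on MikroTik the IPsec policy together with the firewall does the routing) come down to the same handful of RouterOS settings. The following is an added example, not configuration from the video or from any commenter: the Site A side of a policy-based IPsec site-to-site on RouterOS v7, with the firewall rules that let the tunnel establish while the usual final "drop everything else" input rule stays in place. All addresses, object names and the pre-shared key placeholder are constructed; Site B is configured as the mirror image.

```routeros
# Added example, not from the video. Constructed addressing:
#   Site A: LAN 192.168.10.0/24, public WAN address 203.0.113.10
#   Site B: LAN 192.168.20.0/24, public WAN address 198.51.100.20
# Run on Site A; swap the addresses for Site B. Replace the PSK placeholder.

/ip ipsec profile
add name=siteb-profile hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 nat-traversal=yes

/ip ipsec proposal
add name=siteb-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

/ip ipsec peer
add name=siteb address=198.51.100.20/32 exchange-mode=ike2 profile=siteb-profile

/ip ipsec identity
add peer=siteb auth-method=pre-shared-key secret="REPLACE_WITH_STRONG_PSK"

# The policy is what "routes" here: packets matching src/dst are encrypted toward
# the peer, so no /ip route entry for the remote LAN is needed.
/ip ipsec policy
add peer=siteb tunnel=yes src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    proposal=siteb-proposal

# Input chain: let IKE (UDP 500), NAT-T (UDP 4500) and ESP from the peer reach the
# router. These are appended, so move them above the final "drop" input rule
# (e.g. with /ip firewall filter move) rather than disabling that rule.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=198.51.100.20 comment="IKE/NAT-T from Site B"
add chain=input action=accept protocol=ipsec-esp \
    src-address=198.51.100.20 comment="ESP from Site B"
# Forward chain: accept only traffic that was actually decrypted by (or will be
# encrypted by) the IPsec policy. Matching on ipsec-policy rather than on a bare
# source address means a cleartext packet arriving on the WAN with a spoofed
# 192.168.20.0/24 source does not match these rules.
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
    comment="Site B -> Site A via IPsec"
add chain=forward action=accept ipsec-policy=out,ipsec \
    src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    comment="Site A -> Site B via IPsec"

# Keep inter-site traffic out of the masquerade rule. If it is NATed to the WAN
# address first, it no longer matches the policy's src-address and is never
# encrypted. This rule must sit above the masquerade rule.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.10.0/24 \
    dst-address=192.168.20.0/24 comment="Bypass NAT for IPsec to Site B"

# Verification: peer state, installed SAs, and whether the rule counters move
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip firewall filter print stats where comment~"Site B"
```

The two pieces that most often explain an "established but no ping" tunnel are at the end: without the srcnat bypass the traffic is masqueraded before the policy sees it, and without forward-chain rules for the decrypted traffic a default-drop forward chain silently discards it. Checking `installed-sa` on both routers shows whether phase 2 actually completed, and the rule counters show which rule (or missing rule) is eating the packets.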

  • @φωχνφκζ
    @φωχνφκζ 10 months ago

    Can I use internet from site "b"?

  • @ivanganchev8066
    @ivanganchev8066 1 year ago

    I tried tunnel between ROS 6 and ROS 7 and not working for me. Connection between routers is established (sha256 with aes256) but no TX and RX flow. I guess the problem is incompatibility between 6 and 7 version. Anyone with similar problem here?

  • @cristanboj25
    @cristanboj25 2 years ago

    Hi sir. Does this work if, let's say, my VPN server has a static WAN address but the 20 branches have dynamic WAN IP addresses?

  • @robertoa26
    @robertoa26 1 year ago

    Thank you so much for this video. Question: My tunnel says it's established, I added the Firewall rule you suggested. But I can't ping the other end LAN without adding a static route. That's not right is it?

    • @robertoa26
      @robertoa26 1 year ago

      I am using ether6 for my tunnel. I'm not using ether1 the WAN port. I guess that's what's messing me up?

  • @bakaaa754
    @bakaaa754 1 year ago

    Do we need a static public address for peers on both sides??
    The router is establishing a peer with itself, not with that of the other router. I'm confused 😭

    • @wettmarley
      @wettmarley 1 year ago +1

      A public IP is needed to establish site to site. Dynamic IPs always have issues with NATing

  • @heinrichzemo3766
    @heinrichzemo3766 2 years ago

    Can we use the same settings for a road warrior VPN? If not, can you make a video about setting up MikroTik as a road warrior ipsec VPN server?

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago +1

      Sort of, though there are some tweaks, so I definitely will create another video on a Road Warrior setup

  • @saintarniel4697
    @saintarniel4697 2 years ago

    Hello. Can I use ddns at the cloud section as the destination address?

  • @AminDayekh
    @AminDayekh 1 month ago

    Hi Berg, I set up a VPN to be able to transfer backup files; the speed is only 1 Mbps and it takes forever to send my backup. Any advice?

    • @TheNetworkBerg
      @TheNetworkBerg 1 month ago

      @AminDayekh are you using a CHR? Is it licensed? If not the speed is capped at 1Mbps.

  • @charleampormbuasaket8799
    @charleampormbuasaket8799 2 years ago

    IPsec site to site: can I configure site A with a public IP and the other site with a private IP?