Setting Up a Secure IPsec Tunnel on MikroTik VPS
Site to Site IPsec on MikroTik VPS provides a secure and encrypted connection between geographically distributed branch offices, which enables seamless network communication over the public internet.
Organizations running multiple locations can use an affordable way to link their networks without paying for expensive private lines. MikroTik’s RouterOS IPsec offers high-level security with standard encryption algorithms, which makes it ideal for businesses hosting their infrastructure on virtual private servers.
In this guide, you will learn to configure a complete branch-to-branch IPsec tunnel template using MikroTik VPS hosting infrastructure.
Network Architecture and IP Setup for Site to Site IPsec on MikroTik VPS
Before you start configuring Site to Site IPsec on MikroTik VPS, it is recommended to visualize how the networks communicate. In this guide, we want to connect two separate office locations, including Branch A and Branch B.
Each branch has a private LAN for internal devices and a static Public IP address to connect to the internet. The IPsec tunnel will act as a bridge, which allows devices in Branch A to talk to devices in Branch B securely, as if they were in the same building.
We will use the following IP addresses for this configuration:
Branch A (Site A):
- Public IP: 203.0.113.1
- Local Network: 192.168.1.0/24
- Router Interface: ether1 (WAN), bridge1 (LAN)
Branch B (Site B):
- Public IP: 203.0.113.2
- Local Network: 192.168.2.0/24
- Router Interface: ether1 (WAN), bridge1 (LAN)
Note: Replace the Public IPs above with the actual IP addresses provided by your MikroTik VPS hosting provider, like PerLod Hosting, and ensure your LAN subnets do not overlap.
Once you are done, proceed to the next steps to configure the site to site IPsec on MikroTik VPS.
MikroTik IPsec Configuration for Branch A
At this point, you can configure the router at Branch A. You must define how encryption is handled, create a secure peer connection, and tell the router which traffic to send through the tunnel.
Note: Since IPsec requires identical settings on both sides, take note of the encryption and authentication values you choose here; you will need them to be the same for Branch B.
You can create an IPsec profile with:
/ip ipsec profile
add name=branch-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 nat-traversal=yes
This IPsec profile defines phase 1 encryption parameters:
- sha256 for hashing
- aes-256 for encryption
- modp2048 for Diffie-Hellman key exchange
Then, you can create an IPsec proposal with:
/ip ipsec proposal
add name=branch-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
This specifies the phase 2 parameters used for the actual data encryption (the RouterOS parameter is enc-algorithms). The pfs-group=modp2048 enables Perfect Forward Secrecy, so each phase 2 key is derived from a fresh Diffie-Hellman exchange.
Now, you must define the remote peer using Branch B’s public IP address. To configure an IPsec peer, you can use:
/ip ipsec peer
add name=branch-b address=203.0.113.2 profile=branch-profile exchange-mode=main local-address=203.0.113.1
The exchange-mode=main provides identity protection during negotiation.
In this step, you must create an IPsec Policy with:
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 sa-src-address=203.0.113.1 sa-dst-address=203.0.113.2 tunnel=yes action=encrypt proposal=branch-proposal
This policy defines which traffic gets encrypted:
- Traffic from Branch A’s local network to Branch B’s network.
- The sa-src-address and sa-dst-address specify the tunnel endpoints using public IPs.
NAT bypass keeps source NAT (masquerade) from rewriting LAN-to-LAN traffic before the IPsec policy sees it; if the packets were masqueraded to the public IP, they would no longer match the policy and would leave the router unencrypted. To configure NAT Bypass, you can use:
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 place-before=0
The place-before=0 ensures this rule processes before masquerade rules.
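As an added example (not taken from the guide), here is the complete Branch A side in one script, including the pre-shared-key identity the guide shows only for Branch B and the firewall rules that let IKE and ESP reach the router. The peer name branch-b, the placeholder secret, binding the policy to the named peer, and the assumption that the firewall chains already contain rules (so place-before=0 is valid) are mine; Branch B is the mirror image with the addresses swapped.

```routeros
# Added example: Branch A router (WAN 203.0.113.1, LAN 192.168.1.0/24).
# The name "branch-b" and the secret below are placeholders, not values from the guide.

# Phase 1 (IKE) parameters; must be identical on both routers
/ip ipsec profile
add name=branch-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 nat-traversal=yes

# Phase 2 (ESP) parameters with Perfect Forward Secrecy; must match Branch B
/ip ipsec proposal
add name=branch-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# Remote peer, given an explicit name so the identity and policy can reference it
/ip ipsec peer
add name=branch-b address=203.0.113.2/32 profile=branch-profile exchange-mode=main local-address=203.0.113.1

# Pre-shared key for that peer; Branch B needs the same secret against its own peer entry
/ip ipsec identity
add peer=branch-b auth-method=pre-shared-key secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"

# Policy bound to the named peer: only LAN-to-LAN traffic is encrypted
/ip ipsec policy
add peer=branch-b tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=encrypt proposal=branch-proposal

# Keep masquerade away from tunnel traffic (must sit above the masquerade rule)
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24 place-before=0

# Allow IKE (UDP 500, and 4500 for NAT-T) and ESP only from the known peer,
# and allow decrypted traffic from the remote LAN through the forward chain.
# place-before=0 puts these at the top of each chain; omit it if the chain is empty.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.2 action=accept place-before=0
add chain=input protocol=ipsec-esp src-address=203.0.113.2 action=accept place-before=0
add chain=forward ipsec-policy=in,ipsec src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept place-before=0
```

On RouterOS 7 the same layout also works with exchange-mode=ike2 on both peers, which is the preferred choice for new deployments.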
MikroTik IPsec Configuration for Branch B
Now that Branch A is ready, we need to configure the router at Branch B to match it. The settings are the same as those of Branch A; the only difference is that we swap the source and destination IP addresses to point back to Branch A.
Create IPsec Profile:
/ip ipsec profile
add name=branch-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 nat-traversal=yes
Use the same profile settings as Branch A for successful negotiation.
Create IPsec Proposal:
/ip ipsec proposal
add name=branch-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
Proposal parameters must match Branch A exactly.
Configure IPsec Peer, which points to Branch A’s public IP as the remote peer:
/ip ipsec peer
add name=branch-a address=203.0.113.1 profile=branch-profile exchange-mode=main local-address=203.0.113.2
Add the Pre-Shared Key for that peer (the identity references the peer name, not the profile; the same secret must also be configured on Branch A's router for its own peer entry):
/ip ipsec identity
add peer=branch-a secret=YourStrongPreSharedKey123
Create an IPsec Policy, which mirrors Branch A but with reversed source and destination networks:
/ip ipsec policy
add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 sa-src-address=203.0.113.2 sa-dst-address=203.0.113.1 tunnel=yes action=encrypt proposal=branch-proposal
Configure NAT Bypass to prevent NAT from interfering with IPsec traffic on Branch B:
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24 place-before=0
Verify MikroTik IPsec Tunnel Connection
Now that both routers are configured for site to site IPsec on MikroTik VPS, you must confirm the VPN is active and passing traffic. Use the following commands to validate the tunnel status and ensure the connection is stable.
Check the IPsec status with the command below:
/ip ipsec installed-sa print
This displays active Security Associations (SAs) showing encrypted tunnel status. You must look for established SAs with matching source and destination addresses.
Verify Policy status with the command below:
/ip ipsec policy print
Confirm that the policy shows ph2-state=established, which indicates a successful Phase 2 negotiation.
Test connectivity with the following command:
/ping 192.168.2.1 src-address=192.168.1.1
You must ping from Branch A’s local network to Branch B’s network. Successful replies confirm the tunnel is functioning.
This site to site IPsec on MikroTik VPS configuration creates a secure and encrypted tunnel between two branch offices, which enables seamless network communication over the internet.
FAQs
Why can’t I ping the remote LAN even though the IPsec tunnel is active?
This is usually a firewall or NAT issue. Ensure you have added the NAT Bypass rule before your masquerade rule. Also, check that the receiving router’s firewall allows input traffic from the remote local subnet.
How does MikroTik IPsec affect internet speed?
Encryption uses CPU power. To avoid slow speeds on smaller plans, make sure your VPS supports hardware encryption (AES-NI).
Can I use a dynamic IP for one of the branches in MikroTik IPsec setup?
Yes, but it is complicated. You need to use a script or Mode Config to update the IP automatically. For a stable connection, we highly recommend using static IPs from your MikroTik VPS hosting provider instead.
Conclusion
Setting up a site to site IPsec on MikroTik VPS is one of the most reliable ways to bridge geographically separated networks. By following this branch-to-branch template, you have created a secure and encrypted tunnel that allows your offices to communicate as if they were in the same building.
For a stable VPN, ensure your settings match exactly on both routers. If the connection fails, double-check that your Proposals, Profiles, and Pre-Shared Keys are identical.
With this complete setup, your infrastructure is secure and ready to scale.
Note: This guide covers a branch-to-branch connection. For multiple branches, you would configure one central VPS as the Hub and have all other branches connect to it. You need to repeat the Peer and Policy configurations for each new branch on the Hub router.
We hope you enjoy this guide. Subscribe to our X and Facebook channels to get the latest updates and articles on MikroTik VPS Hosting.