http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC
Important note: You must allow the IPSec traffic through your firewall for a connection to be established. See Firewall section below.
Diagram: http://gregsowell.com/?p=787
Video for Diagram: http://gregsowell.com/wink/mtklan2lan/mtklan2lan.swf
From the Mikrotik Wiki: http://wiki.mikrotik.com/wiki/IPsec#Site_to_Site_IpSec_Tunnel
On each Mikrotik router, use one of these proposals:
SHA1-AES-CBC with 128-bit encryption
SHA256-AES-CBC with 256-bit encryption
Modify the variables below for your networks and paste them at the CLI of both routers:
Note that older ROS had the default proposal with 3DES encryption while newer versions have AES.
You need to use SHA1 or SHA256 with AES-CBC to take advantage of hardware encryption in most Mikrotik routers. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration
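The notes above say which algorithms to use but not where to set them. The following is an added example, not from the original page: it pins the default IKE profile (phase 1) and the default proposal (phase 2) to SHA256 with AES-256-CBC. It assumes RouterOS 6.45 or later, where peers reference a profile and policies reference a proposal; the Diffie-Hellman group modp2048 is an assumed choice, and both routers must be set identically or phase 1 or 2 will fail to negotiate.

```routeros
# Added example (not part of the original page).
# Phase 1 (IKE): the peers created with profile=default use this profile.
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
# Phase 2 (ESP): policies use the default proposal unless told otherwise.
# pfs-group must match on both sides, like every other value here.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
# After traffic has brought the tunnel up, the installed SAs show the
# negotiated auth and encryption algorithms; check they are what you set.
/ip ipsec installed-sa print
```

Older ROS versions without profiles take the same enc-algorithm and hash-algorithm settings directly on the peer entry instead.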
Note that we use /32 instead of the actual subnet mask of the WAN interfaces for simplicity and security. Use the proper subnet masks for the subnets behind the routers.
:global Site1Name "YourSite1Name"
:global Router1WanAddr "192.168.90.1"
:global Router1WanCidr "192.168.90.1/32"
:global SubnetBehindRouter1 "10.1.202.0/24"
:global Site2Name "YourSite2Name"
:global Router2WanAddr "192.168.80.1"
:global Router2WanCidr "192.168.80.1/32"
:global SubnetBehindRouter2 "10.1.101.0/24"
:global PreSharedKey "YourPreSharedKey"
Paste this into the CLI of router 1:
# Peer Definition
/ip ipsec peer add address=$Router2WanCidr name=$Site2Name profile=default
# Peer Identity
/ip ipsec identity add peer=$Site2Name secret=$PreSharedKey
# Policy Definition
/ip ipsec policy add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \
    src-address=$SubnetBehindRouter1 peer=$Site2Name tunnel=yes
# NAT bypass rule
/ip firewall nat add chain=srcnat action=accept comment="NAT Bypass for $Site2Name VPN" place-before=0 \
    src-address=$SubnetBehindRouter1 dst-address=$SubnetBehindRouter2
# Cleanup: remove the globals, including the pre-shared key, so they do not linger in the script environment
/system script environment
remove Site1Name
remove Router1WanAddr
remove Router1WanCidr
remove SubnetBehindRouter1
remove Site2Name
remove Router2WanAddr
remove Router2WanCidr
remove SubnetBehindRouter2
remove PreSharedKey
/
Paste this into the CLI of router 2:
# Peer Definition
/ip ipsec peer add address=$Router1WanCidr name=$Site1Name profile=default
# Peer Identity
/ip ipsec identity add peer=$Site1Name secret=$PreSharedKey
# Policy Definition
/ip ipsec policy add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr \
    src-address=$SubnetBehindRouter2 peer=$Site1Name tunnel=yes
# NAT bypass rule
/ip firewall nat add chain=srcnat action=accept comment="NAT Bypass for $Site1Name VPN" place-before=0 \
    src-address=$SubnetBehindRouter2 dst-address=$SubnetBehindRouter1
# Cleanup: remove the globals, including the pre-shared key, so they do not linger in the script environment
/system script environment
remove Site1Name
remove Router1WanAddr
remove Router1WanCidr
remove SubnetBehindRouter1
remove Site2Name
remove Router2WanAddr
remove Router2WanCidr
remove SubnetBehindRouter2
remove PreSharedKey
/
Try to bring up the tunnel by pinging a host (IP) from one LAN subnet to the other. You must send traffic through the tunnel for it to be established.
Important note: While the router will properly route traffic between the LANs at this point, the router itself does not have a route to the remote subnet. If the router itself (e.g. netwatch) needs to reach the remote subnet, you will have to add a route:
/ip route add disabled=no dst-address=<CidrBehindRemoteRouter> gateway=<LocalLanIF>
For example, where the remote subnet is 192.168.0.0/24 and the local LAN interface is bridge1:
/ip route add disabled=no dst-address=192.168.0.0/24 gateway=bridge1
Peer settings as shown in Winbox: Address 0.0.0.0/0, Passive, Send INITIAL_CONTACT.
In this example, this router has two LAN subnets behind it.
/ip ipsec peer add name=peername passive=yes
/ip ipsec identity add peer=peername secret=yourpresharedkey
/ip ipsec policy
set 0 disabled=yes
add comment="Destination and Source LAN Subnets" dst-address=192.168.20.0/24 peer=peername \
    src-address=192.168.0.0/24 tunnel=yes
add comment="Additional LAN Subnet Behind This Router" dst-address=192.168.20.0/24 peer=peername \
    src-address=192.168.2.0/24 tunnel=yes
This router has a single LAN subnet behind it.
/ip ipsec peer add address=123.123.123.123/32 name=peer-with-static-ip-name
/ip ipsec identity add peer=peer-with-static-ip-name secret=yourpresharedkey
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.0.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes
add dst-address=10.10.1.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes
The rest of this section needs verification
http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html
On the router with a dynamic address, add the following script to update the VPN policy:
Create a script named update_ipsec_pol_dyn_ip with policy=read,write,test and the following source:
# Script to update the IPSec policies in case of a dynamic IP address change
# Run it from a scheduler, or from the DHCP client's script option, after the WAN address changes
:log info "Running IPSec policy update script for dynamic IP change"
:log info "WAN interface is ether1"
:local WANip [/ip address get [find interface="ether1"] address]
:log info "Interface IP is $WANip"
# Strip the prefix length: locate the slash rather than cutting a fixed number of characters,
# so the script works for any mask length (the original cut off three characters, which breaks for /8)
:set WANip [:pick $WANip 0 [:find $WANip "/"]]
:log info "IP sans the slash notation is $WANip"
# The policy numbers (0, 1) must match the policies on this router; check with /ip ipsec policy print
/ip ipsec policy set 0 sa-src-address=$WANip
# If you have multiple policies for the same connection, add more lines
# You might need this if you have multiple IP subnets behind the remote peer
/ip ipsec policy set 1 sa-src-address=$WANip
Check status:
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec statistics print
/ip ipsec policy print stats
To tear down the established connections (the tunnel renegotiates the next time traffic matches a policy):
/ip ipsec remote-peers kill-connections
The tunnel will not necessarily come up on its own. Traffic destined for the remote network will bring the tunnel up automatically.
To capture IPsec negotiation in the log, add a logging rule in Winbox: System → Logging → Add → Topics: IPSec, Action: Memory
IPSec Firewall Rules: https://jcutrer.com/howto/networking/mikrotik/firewall-ruleset-ipsec-whitelisting
http://forum.mikrotik.com/viewtopic.php?f=2&t=79151
L2TP/IPSec uses the protocols and ports accepted by the following rules. These rules could be further limited by interface and/or source address:
/ip firewall filter
# L2TP itself is UDP port 1701
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=1701 \
    place-before=0 comment="Accept L2TP"
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=500 \
    place-before=0 comment="Accept IPSec (ISAKMP)"
add chain=input action=accept in-interface=ether1 protocol=ipsec-esp \
    place-before=0 comment="Accept IPSec (ESP)"
add chain=input action=accept in-interface=ether1 protocol=ipsec-ah \
    place-before=0 comment="Accept IPSec (AH)"
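The note at the top of the page says IPsec must be allowed through the firewall for the site-to-site tunnel to come up, and the L2TP rules above note that the rules can be limited by interface and source address. The following is an added example, not from the original page, of doing exactly that on router 1 for the site-to-site setup, using the WAN addresses and subnets from the globals above (192.168.90.1 / 10.1.202.0/24 local, 192.168.80.1 / 10.1.101.0/24 remote). The WAN interface name ether1 is an assumption; the NAT-T port (UDP 4500) is only used when a peer sits behind NAT, and the ipsec-policy matcher requires a RouterOS version that supports it.

```routeros
# Added example (not part of the original page): site-to-site IPsec firewall
# rules for router 1, restricted to the known peer and the WAN interface.
/ip firewall filter
# IKE on UDP 500; NAT-T on UDP 4500 carries both IKE and ESP when a peer is behind NAT
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=500,4500 \
    src-address=192.168.80.1 place-before=0 comment="Accept IKE/NAT-T from Site2 peer"
# ESP carries the tunnelled traffic when no NAT is in the path
add chain=input action=accept in-interface=ether1 protocol=ipsec-esp \
    src-address=192.168.80.1 place-before=0 comment="Accept ESP from Site2 peer"
# Decrypted packets re-enter the forward chain with the WAN as in-interface.
# Accept only packets that matched an inbound IPsec policy and carry the
# expected subnets, so plain traffic from the WAN is still caught by the
# existing drop rules.
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address=10.1.101.0/24 dst-address=10.1.202.0/24 place-before=0 \
    comment="Accept decrypted Site2 LAN traffic"
```

Router 2 gets the mirror image (src-address=192.168.90.1 on the input rules, the subnets swapped on the forward rule). If a fasttrack-connection rule is in use, note that fasttracked packets are not matched against IPsec policies; MikroTik's IPsec documentation describes excluding IPsec traffic from fasttrack with the ipsec-policy matcher.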