IPsec VPN between Mikrotik and Vigor Router

This article demonstrates how to set up an IPsec LAN-to-LAN between a Mikrotik router and a DrayTek Vigor Router.

Mikrotik Router Configuration

1. Create a new IPsec proposal: Go to IPsec >> Proposal, and add a new one.

  1. Enter Name
  2. Select md5 for Auth. Algorithms
  3. Select 3des for Encr. Algorithms
  4. Click OK to save the configuration

2. Peer configuration: Go to IPsec >> Peer, and add a new one.

  1. Enter Address as DrayTek's WAN IP.
  2. Set Auth. Method to pre shared key, and enter Secret.
  3. Set Hash Algorithm to md5 and Encryption Algorithm to 3des.
  4. Click OK to save the configuration.

3. Policy configuration: Go to IPsec >> Policy, and add a new one. In General Tab:

  1. Enter Src. Address as Mikrotik's LAN IP.
  2. Enter Dst. Address as DrayTek's LAN IP.

4. In Action Tab:

  1. Enable Tunnel
  2. Set SA Src. Address as Mikrotik's WAN IP
  3. Set SA Dst. Address as DrayTek's WAN IP
  4. As for Proposal, select the Proposal we just created
  5. Click OK to save the configuration

5. NAT configuration: Go to Firewall >> NAT, and add a new rule. (Note: This rule must be the first rule in NAT Rules.) In General Tab:

  1. Select Chain as srcnat.
  2. Set Dst. Address as the range of your destination network.
  3. Select Out. Interface as a WAN interface, here we use ether1.   

6. In Action Tab:

  1. Set Action to accept.
  2. Click OK to save the configuration.
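
A check for the ordering requirement in step 5, as an added example that is not part of the original article: it parses a RouterOS /ip firewall nat export and confirms that traffic to the remote LAN reaches the accept rule before a masquerade rule can rewrite its source address, which would stop it matching the IPsec policy. The sample exports, the 192.168.1.0/24 remote LAN and the function names are assumptions made for the illustration.

```python
import ipaddress
import shlex

# Constructed samples of "/ip firewall nat" export output (not from the article).
SAMPLE_BAD = """/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat dst-address=192.168.1.0/24 out-interface=ether1
"""
SAMPLE_GOOD = """/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
"""

def parse_nat_rules(export_text):
    """Return the NAT rules of an export as dicts, in rule order."""
    rules, in_nat = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append(dict(pairs))
    return rules

def first_matching_srcnat(rules, remote_lan, wan_if):
    """Index and rule of the first enabled srcnat rule that catches traffic to remote_lan."""
    # Assumption: only chain, out-interface and a CIDR dst-address are compared;
    # other matchers (src-address, protocol, ...) are ignored.
    remote = ipaddress.ip_network(remote_lan)
    for idx, rule in enumerate(rules):
        if rule.get("chain") != "srcnat" or rule.get("disabled") == "yes":
            continue
        if rule.get("out-interface", wan_if) != wan_if:
            continue
        dst = rule.get("dst-address")
        if dst is None or remote.subnet_of(ipaddress.ip_network(dst, strict=False)):
            return idx, rule
    return None, None

def check_nat_bypass(export_text, remote_lan, wan_if="ether1"):
    """Return (ok, message): does tunnel traffic hit the accept rule before any other srcnat rule?"""
    idx, rule = first_matching_srcnat(parse_nat_rules(export_text), remote_lan, wan_if)
    if rule is None:
        return False, f"no srcnat rule covers {remote_lan}; bypass rule is missing"
    if rule.get("action") != "accept":
        return False, f"rule {idx} ({rule.get('action')}) catches tunnel traffic before the bypass rule"
    return True, f"rule {idx} accepts traffic to {remote_lan} before any other srcnat rule"
```

Calling check_nat_bypass(SAMPLE_BAD, "192.168.1.0/24") reports the masquerade rule at position 0, while the same call on SAMPLE_GOOD passes.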

Vigor Router Configuration

1. Create a LAN-to-LAN profile: Go to VPN and Remote Access >> LAN to LAN. Click on an Index number to add a new profile.

  1. Enter the Profile Name and Enable this profile.
  2. Select Dial-out for Call Direction

2. In Dial-Out Settings:

  1. Select Type of Server I am calling as IPsec Tunnel.
  2. Enter Mikrotik's Server IP or Host Name.
  3. For IKE Authentication Method, choose Pre-Shared Key and enter the key.
  4. For IPSEC Security Method, choose High(ESP), and select 3DES with Authentication.
  5. Click on Advanced for the advanced setting.

3. In IKE advanced settings: Set IKE phase 1 proposal Encryption to 3DES, ECDH Group to G2, and IKE phase 2 proposal to 3DES_MD5 as well.

Then click OK.

4. In TCP/IP Network Settings:

  1. Enter Remote Network IP as Mikrotik's LAN IP.
  2. Enter Local Network IP as DrayOS's LAN IP.
  3. Click OK to save the configuration.   

After the configuration above, the VPN will establish automatically. To check the VPN connection status, go to VPN and Remote Access >> Connection Management.

Published On: 2014-09-03
