IPsec VPN between Mikrotik(RouterOS v6.47) and Vigor Router

This article demonstrates how to set up an IPsec LAN-to-LAN between a Mikrotik Router (RouterOS v6.47) and a DrayTek Vigor Router.

Before setup the IPsec VPN:

On Mikrotik Router, Go to IP >> Address, Set up and check the LAN IP.

Mikrotik Router Configuration

1. Go to IP >> IPsec >> Proposals

1. Click Enabled
2. Enter Profile Name
3. Select sha1 for Auth. Algorithms
4. Select des, 3des, aes-128 cbc, aes-192 cbc, aes-256 cbc for Encr. Algorithms
5. Select modp 1024 for PFS Group
6. Click OK

2. Go to IP >> IPsec >> Policies

1. Create a file and click Enabled
2. Enter the Mikrotik Router LAN Network for Src. Address
3. Enter the DrayTek Router LAN Network for Dst. Address
4. Select encrypt for Action
5. Select esp for IPsec Protocols
6. Select the proposal you just set up at the Step 1
7. Click OK

4. Go to IP >> IPsec >> Peers

1. Click Enabled
2. Enter your profile Name
3. Enter Mikrotik Router WAN IP for Local Address
4. Select the Profile you set up at Step 3
5. Select main for Exchange Mode
6. Enable Passive
7. Enable SEND INITIAL_CONTACT
8. Click OK

5. Go to IP >> IPsec >> Identities

1. Click Enabled
2. Select the Peer you set up at Step 4
3. Select pre shared key for Auth. Method
4. Enter your password of pre-shared key for Secret
5. Select remote id for Match By
6. Select port override for Generate Policy
7. Click OK

6. Go to IP >> Firewall >> Filter Rules

Rule 1:

1. Click Enabled
2. Select forward
3. Enter Draytek Router LAN Network for Src. Address
4. Enter Mikrotik Router LAN Network for Dst. Address
5. Select established, related for Connection State
6. Select accept for Action
7. Click OK

Rule 2:

1. Click Enabled
2. Select forward
3. Enter Mikrotik Router LAN Network for Src. Address
4. Enter Draytek Router LAN Network for Dst. Address
5. Select established, related for Connection State
6. Select accept for Action
7. Click OK

Draytek Router Configuration

1. Go to VPN and Remote Access >> LAN to LAN, and select any available Index.

2. In profile Index,

Common Settings

1. Enter your profile Name
2. Enable this profile
3. Select your WAN interface to dial out VPN
4. Select Dial-out
5. (optional) Enable Always on

Dial-Out Settings

1. Select IPsec Tunnel and IKEv1
2. Enter the Mikrotik Router WAN IP or Host Name for Server IP
3. Enter the pre-shared key you set on Mikrotik Router.
4. Click Advanced
5. Select Main mode
6. Select AES128 for phase 1 proposal Encryption
7. Select G2 for phase 1 proposal ECDH Group
8. Select SHA1 for phase 1 proposal Authentication
9. Select AES128_SHA1 for phase 2 proposal
10. Set 86400 seconds as phase 1 key lifetime (due to Mikrotik site set it as 1 day)
11. Set 2700 seconds as phase 2 key lifetime (due to Mikrotik site set it as 45 minutes)
12. Enable Perfect Forward Secret
13. Click OK

TCP/IP Network Settings

1. Enter the Mikrotik Router LAN Network for Remote Network IP
2. Enter the Draytek Router LAN Network for Remote Network IP
3. Select Route
4. Click OK

3. Click Dial and the VPN will be connected.