IPsec VPN between Mikrotik (RouterOS v6.47) and Vigor Router

This article demonstrates how to set up an IPsec LAN-to-LAN between a Mikrotik Router (RouterOS v6.47) and a DrayTek Vigor Router.

Before setting up the IPsec VPN:

On the Mikrotik Router, go to IP >> Address, then set up and check the LAN IP.

Mikrotik Router Configuration

1. Go to IP >> IPsec >> Proposals

  1. Click Enabled
  2. Enter Profile Name
  3. Select sha1 for Auth. Algorithms
  4. Select des, 3des, aes-128 cbc, aes-192 cbc, aes-256 cbc for Encr. Algorithms
  5. Select modp 1024 for PFS Group
  6. Click OK

2. Go to IP >> IPsec >> Policies

  1. Create a file and click Enabled
  2. Enter the Mikrotik Router LAN Network for Src. Address
  3. Enter the DrayTek Router LAN Network for Dst. Address
  4. Select encrypt for Action
  5. Select esp for IPsec Protocols
  6. Select the proposal you just set up in Step 1
  7. Click OK

3. Go to IP >> IPsec >> Profiles

  1. Enter the profile name
  2. Select sha1 for Hash Algorithm
  3. Select 3des, aes-128, aes-192, aes-256 for Encryption Algorithm
  4. Select modp1024 for DH Group
  5. Select obey for Proposal Check
  6. Enable NAT Traversal
  7. Click OK

4. Go to IP >> IPsec >> Peers

  1. Click Enabled
  2. Enter your profile Name
  3. Enter the Mikrotik Router WAN IP for Local Address
  4. Select the Profile you set up in Step 3
  5. Select main for Exchange Mode
  6. Enable Passive
  7. Enable SEND INITIAL_CONTACT
  8. Click OK

5. Go to IP >> IPsec >> Identities

  1. Click Enabled
  2. Select the Peer you set up in Step 4
  3. Select pre shared key for Auth. Method
  4. Enter your pre-shared key for Secret
  5. Select remote id for Match By
  6. Select port override for Generate Policy
  7. Click OK

6. Go to IP >> Firewall >> Filter Rules

  Rule 1:

  1. Click Enabled
  2. Select forward
  3. Enter the DrayTek Router LAN Network for Src. Address
  4. Enter the Mikrotik Router LAN Network for Dst. Address
  5. Select established, related for Connection State
  6. Select accept for Action
  7. Click OK

  Rule 2:

  1. Click Enabled
  2. Select forward
  3. Enter the Mikrotik Router LAN Network for Src. Address
  4. Enter the DrayTek Router LAN Network for Dst. Address
  5. Select established, related for Connection State
  6. Select accept for Action
  7. Click OK

DrayTek Router Configuration

1. Go to VPN and Remote Access >> LAN to LAN, and select any available Index.

2. In the profile Index:

  Common Settings

  1. Enter your profile Name
  2. Enable this profile
  3. Select the WAN interface used to dial out the VPN
  4. Select Dial-out
  5. (optional) Enable Always on

  Dial-Out Settings

  1. Select IPsec Tunnel and IKEv1
  2. Enter the Mikrotik Router WAN IP or Host Name for Server IP
  3. Enter the pre-shared key you set on the Mikrotik Router
  4. Click Advanced
  5. Select Main mode
  6. Select AES128 for phase 1 proposal Encryption
  7. Select G2 for phase 1 proposal ECDH Group
  8. Select SHA1 for phase 1 proposal Authentication
  9. Select AES128_SHA1 for phase 2 proposal
  10. Set 86400 seconds as phase 1 key lifetime (because the Mikrotik side sets it to 1 day)
  11. Set 2700 seconds as phase 2 key lifetime (because the Mikrotik side sets it to 45 minutes)
  12. Enable Perfect Forward Secret
  13. Click OK

  TCP/IP Network Settings

  1. Enter the Mikrotik Router LAN Network for Remote Network IP
  2. Enter the DrayTek Router LAN Network for Local Network IP
  3. Select Route
  4. Click OK

3. Click Dial and the VPN will be connected.
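
The tunnel comes up only because the single proposal the Vigor dials with is inside the sets the Mikrotik accepts. The following Python check is an added example, not part of the original article: it parses constructed RouterOS export lines equivalent to Mikrotik Steps 1 and 3, confirms that match, and lists the accepted values worth tightening. The name `vigor` and the Vigor-to-RouterOS value mapping are assumptions.

```python
import shlex

# Constructed sample: RouterOS export lines equivalent to Steps 1 and 3 of the
# Mikrotik configuration. The name "vigor" is a placeholder, not from the article.
MIKROTIK_EXPORT = """\
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des hash-algorithm=sha1 name=vigor nat-traversal=yes proposal-check=obey
/ip ipsec proposal
add auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des name=vigor pfs-group=modp1024
"""

# The single proposal the Vigor dials out with, written in RouterOS terms
# (assumed mapping: G2 = DH group 2 = modp1024, AES128_SHA1 = aes-128-cbc + sha1).
VIGOR = {
    "profile": {"enc-algorithm": "aes-128", "hash-algorithm": "sha1", "dh-group": "modp1024"},
    "proposal": {"enc-algorithms": "aes-128-cbc", "auth-algorithms": "sha1", "pfs-group": "modp1024"},
}

# Accepted values worth flagging: single DES, 3DES, and DH groups below 2048 bits.
WEAK = {"des", "3des", "modp768", "modp1024"}

def parse_export(text):
    """Return {menu: {key: set(values)}} from '/ip ipsec <menu>' and 'add k=v' lines."""
    cfg, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/ip ipsec "):
            menu = line.split()[-1]
        elif line.startswith("add ") and menu:
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            cfg[menu] = {key: set(val.split(",")) for key, val in pairs}
    return cfg

def mismatches(cfg, peer=VIGOR):
    """Parameters the peer proposes that the Mikrotik side would not accept."""
    return [f"{menu}/{key}={val}"
            for menu, params in peer.items()
            for key, val in params.items()
            if val not in cfg.get(menu, {}).get(key, set())]

def weak_accepted(cfg):
    """Weak algorithms and groups the Mikrotik side is still willing to negotiate."""
    accepted = {v for params in cfg.values() for vals in params.values() for v in vals}
    return sorted(accepted & WEAK)

if __name__ == "__main__":
    cfg = parse_export(MIKROTIK_EXPORT)
    print("mismatches:", mismatches(cfg))
    print("weak but accepted:", weak_accepted(cfg))
```

Tightening only one router (for example replacing modp1024 on the Mikrotik alone) makes `mismatches` non-empty, which corresponds to a failed negotiation, so change both sides together.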

Published On: Jul 29, 2020
