RouterOS Site to Site IPSec VPN

Create IPSec

The sections below are grouped by object type. When scripting, create the profile and proposal first: the peer references the profile and the policy references the proposal, and RouterOS rejects an add that names an object which does not exist yet.

Peer

/ip/ipsec/peer/add name="$peer_name" address=$peer_address profile=$profile_name exchange-mode=ike2 send-initial-contact=yes

Identity

/ip/ipsec/identity/add peer=$peer_name auth-method=pre-shared-key secret="$secret" generate-policy=no policy-template-group=$policy_name

Proposal

/ip/ipsec/proposal/add name="$proposal_name" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp2048

Profile

/ip/ipsec/profile/add name="$profile_name" hash-algorithm=sha256 prf-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

Policy

/ip/ipsec/policy/add peer=$peer_name tunnel=yes src-address=$local_subnet src-port=any dst-address=$remote_subnet dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=0.0.0.0 sa-dst-address=$peer_address proposal=$proposal_name priority=0x20000

sa-dst-address is the remote gateway, i.e. the same address used for the peer. ph2-count and ph2-state are read-only status fields shown by /ip/ipsec/policy/print and cannot be set on add.

Create Firewall NAT Rule

/ip/firewall/nat/add chain=srcnat action=accept src-address=$local_subnet dst-address=$remote_subnet log=no log-prefix="" place-before=0
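The most common reason a tunnel never reaches Phase 2 is a parameter mismatch between the two routers. As an added helper, not part of this page's RouterOS commands, the Python below emits the commands above for both ends in dependency order, with subnets and SA addresses swapped per side and weak algorithms refused; the site names, addresses, object-name scheme and WEAK list are constructed assumptions.

```python
from dataclasses import dataclass

# Algorithms never emitted (constructed minimum policy; tighten as needed).
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}

@dataclass(frozen=True)
class Site:
    name: str    # short label, used to derive RouterOS object names
    wan: str     # public address of this end (the other end's peer address)
    subnet: str  # LAN behind this end

def crypto_ok(*algs: str) -> bool:
    """True unless any algorithm is on the WEAK list."""
    return not any(a.lower() in WEAK for a in algs)

def render(local: Site, remote: Site, secret: str, enc: str = "aes-256",
           hash_: str = "sha256", dh: str = "modp2048") -> list[str]:
    """Commands for `local`, in dependency order: profile and proposal first
    (peer and policy reference them), NAT bypass last."""
    if not crypto_ok(enc, hash_, dh):
        raise ValueError("weak IKE/ESP algorithm requested")
    tag = f"s2s-{remote.name}"  # one name for profile, proposal and peer
    return [
        f'/ip/ipsec/profile/add name="{tag}" hash-algorithm={hash_} prf-algorithm={hash_} '
        f'enc-algorithm={enc} dh-group={dh} lifetime=1d proposal-check=obey '
        f'nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5',
        f'/ip/ipsec/proposal/add name="{tag}" auth-algorithms={hash_} '
        f'enc-algorithms={enc}-cbc lifetime=30m pfs-group={dh}',
        f'/ip/ipsec/peer/add name="{tag}" address={remote.wan} profile="{tag}" '
        f'exchange-mode=ike2 send-initial-contact=yes',
        f'/ip/ipsec/identity/add peer="{tag}" auth-method=pre-shared-key '
        f'secret="{secret}" generate-policy=no',
        f'/ip/ipsec/policy/add peer="{tag}" tunnel=yes src-address={local.subnet} '
        f'dst-address={remote.subnet} protocol=all action=encrypt level=require '
        f'ipsec-protocols=esp sa-src-address={local.wan} sa-dst-address={remote.wan} '
        f'proposal="{tag}"',
        # Accept before any masquerade rule so tunnel traffic keeps its source.
        f'/ip/firewall/nat/add chain=srcnat action=accept src-address={local.subnet} '
        f'dst-address={remote.subnet} place-before=0',
    ]

def site_to_site(a: Site, b: Site, secret: str) -> dict[str, list[str]]:
    """Both routers' command lists; each side is the mirror image of the other."""
    return {a.name: render(a, b, secret), b.name: render(b, a, secret)}

if __name__ == "__main__":  # constructed sample sites (documentation prefixes)
    cfg = site_to_site(Site("hq", "198.51.100.10", "10.0.1.0/24"),
                       Site("branch", "203.0.113.20", "10.0.2.0/24"), "CHANGE-ME-psk")
    print("\n".join(f"# {s}\n" + "\n".join(c) for s, c in cfg.items()))
```

Paste each router's list into its own terminal; then /ip/ipsec/active-peers/print and /ip/ipsec/installed-sa/print show whether Phase 1 and Phase 2 came up.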

~WIP~ Dynamic IPSec IPv4 or IPv6 Address

Script

# Resolve this router's public address through OpenDNS (the resolver answers with the address it sees the query from)
:global ip [:resolve myip.opendns.com server=208.67.222.222];
:put $ip

Pre-deployment

scp dynamic_ipsec_script.sh $user@$hostname:

DNS Server

$hostname A $IPv4
$hostname AAAA $IPv6
technical/ipsec/routeros.txt · Last modified: 2024/12/13 15:52 by jc