Setting Up an IPsec Site-to-Site VPN on MikroTik RouterOS 7

A complete guide to configuring an IPsec IKEv2 site-to-site VPN on MikroTik RouterOS 7 with a Pre-Shared Key, including firewall rules and NAT bypass.

21 February 2026

A site-to-site VPN securely connects two private networks in different locations over the internet using encryption. In this tutorial we set up IPsec IKEv2 with a Pre-Shared Key (PSK) on MikroTik RouterOS 7.

Topology

[Site A: 10.100.0.0/16] --- [MikroTik A] === IPsec Tunnel === [MikroTik B] --- [Site B: 10.200.0.0/16]
     192.168.1.0/24          (Public IP A)                    (Public IP B)      172.16.0.0/24

Legend:

  • Site A (us): subnet 10.100.0.0/16, MikroTik as the gateway
  • Site B (remote): subnet 10.200.0.0/16, router/firewall on the customer side
  • Both sides are connected over the internet through an IPsec tunnel

What You Need to Prepare

Before starting, both sides need to exchange the following information:

Parameter        Site A (Us)              Site B (Customer)
Public IP        Router A's public IP     Router B's public IP
Local Subnet     10.100.0.0/16            10.200.0.0/16
Pre-Shared Key   Agreed jointly           Exactly the same
IKE Version      IKEv2                    IKEv2
Encryption       AES-256                  AES-256
Hash             SHA-256                  SHA-256
DH Group         modp2048 (Group 14)      modp2048

Step 1: Prepare the Interface and Subnet

If the customer's server/device is connected to a dedicated Ethernet port on the MikroTik, remove that port from the main bridge and give it an IP address as the gateway of the dedicated subnet.

# Remove the port from the bridge (if it was previously a bridge port)
/interface bridge port remove [find where interface=ether4]

# Assign the gateway IP on the dedicated port
/ip address add address=10.100.0.1/16 interface=ether4 comment="VPN dedicated subnet"

The customer server connected to ether4 can be given a static IP, for example 10.100.0.2/16.


Step 2: Create the IPsec Profile (Phase 1 / IKE)

The profile sets the parameters for IKE negotiation (Phase 1):

/ip ipsec profile add \
    name=vpn-customer-profile \
    dh-group=modp2048 \
    enc-algorithm=aes-256 \
    hash-algorithm=sha256 \
    lifetime=1d \
    nat-traversal=yes \
    dpd-interval=8s \
    dpd-maximum-failures=4

Explanation:

  • dh-group=modp2048 — Diffie-Hellman Group 14 (2048-bit), a good security baseline
  • enc-algorithm=aes-256 — AES encryption with a 256-bit key
  • hash-algorithm=sha256 — SHA-256 hashing for integrity checking
  • lifetime=1d — the IKE SA is valid for 1 day, after which it is renegotiated
  • nat-traversal=yes — important if one side is behind NAT
  • dpd-interval=8s — Dead Peer Detection, checks the connection every 8 seconds

Step 3: Create the IPsec Proposal (Phase 2 / SA)

The proposal sets the parameters for data encryption (Phase 2):

/ip ipsec proposal add \
    name=vpn-customer-proposal \
    auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc \
    lifetime=8h \
    pfs-group=modp2048

Explanation:

  • lifetime=8h — the Security Association is valid for 8 hours
  • pfs-group=modp2048 — Perfect Forward Secrecy, every new SA gets its own key

Step 4: Create the Peer

The peer is the remote router we will connect to:

/ip ipsec peer add \
    name=vpn-customer-peer \
    address=203.0.113.50/32 \
    local-address=198.51.100.10 \
    profile=vpn-customer-profile \
    exchange-mode=ike2

Explanation:

  • address — the customer router's public IP
  • local-address — our router's public IP
  • exchange-mode=ike2 — use IKEv2 (more secure and efficient than IKEv1)

Step 5: Create the Identity (Pre-Shared Key)

The identity holds the authentication method and the secret:

/ip ipsec identity add \
    peer=vpn-customer-peer \
    auth-method=pre-shared-key \
    secret="GantiDenganPassphraseYangKuat123!"

Important: the passphrase must be exactly the same on both sides. Use a long, complex passphrase. Do not share it over an insecure channel.


Step 6: Create the Policy (Traffic Selector)

The policy decides which traffic is encrypted through the tunnel:

/ip ipsec policy add \
    peer=vpn-customer-peer \
    src-address=10.100.0.0/16 \
    dst-address=10.200.0.0/16 \
    tunnel=yes \
    sa-src-address=198.51.100.10 \
    sa-dst-address=203.0.113.50 \
    proposal=vpn-customer-proposal \
    action=encrypt \
    level=require \
    comment="VPN Customer - Site A to Site B"

Explanation:

  • src-address — our local subnet
  • dst-address — the customer's remote subnet
  • tunnel=yes — tunnel mode (the full packet is encapsulated)
  • sa-src-address / sa-dst-address — the public IPs of both sides
  • action=encrypt — encrypt matching traffic
  • level=require — encryption is mandatory; drop if no SA is available

Step 7: Firewall Rules

Input Chain — Allow IPsec Traffic

Add these before the drop rule in the input chain:

# IKE (Internet Key Exchange)
/ip firewall filter add \
    chain=input \
    protocol=udp \
    dst-port=500 \
    src-address=203.0.113.50 \
    action=accept \
    comment="Allow IKE for VPN Customer" \
    place-before=[find where chain=input and action=drop]

# NAT Traversal (IKE over NAT)
/ip firewall filter add \
    chain=input \
    protocol=udp \
    dst-port=4500 \
    src-address=203.0.113.50 \
    action=accept \
    comment="Allow NAT-T for VPN Customer" \
    place-before=[find where chain=input and action=drop]

# ESP (Encapsulating Security Payload)
/ip firewall filter add \
    chain=input \
    protocol=ipsec-esp \
    src-address=203.0.113.50 \
    action=accept \
    comment="Allow ESP for VPN Customer" \
    place-before=[find where chain=input and action=drop]

Forward Chain — Allow VPN Traffic

Add these before the "drop new from WAN" rule in the forward chain:

# Inbound traffic from the customer to us
/ip firewall filter add \
    chain=forward \
    src-address=10.200.0.0/16 \
    dst-address=10.100.0.0/16 \
    action=accept \
    ipsec-policy=in,ipsec \
    comment="Allow VPN Customer forward in"

# Outbound traffic from us to the customer
/ip firewall filter add \
    chain=forward \
    src-address=10.100.0.0/16 \
    dst-address=10.200.0.0/16 \
    action=accept \
    ipsec-policy=out,ipsec \
    comment="Allow VPN Customer forward out"

Tip: the parameter ipsec-policy=in,ipsec ensures that only traffic that actually arrived encrypted through IPsec is accepted. This prevents plaintext packets that merely claim the remote subnet as their source from being accepted (spoofing).


Step 8: NAT Bypass

Important! VPN traffic must not be masqueraded/NATed. Add an accept rule at the very top of the srcnat chain:

/ip firewall nat add \
    chain=srcnat \
    src-address=10.100.0.0/16 \
    dst-address=10.200.0.0/16 \
    action=accept \
    comment="No NAT for VPN Customer" \
    place-before=0

Without this rule, traffic to the customer would be NATed to the public IP and would no longer match the IPsec policy selector.
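As an added check covering the tip in Step 7 and the NAT bypass in Step 8, the following RouterOS script audits the local router for the two mistakes those steps guard against: a forward rule that accepts traffic from the remote subnet without an ipsec-policy match, and a missing or mis-ordered srcnat accept rule for the VPN subnets. It is an added example, not code from the original article or from MikroTik; the two subnet values at the top are assumptions that must match your own policy.

```routeros
# vpn-audit: added example, not from the original article.
# Assumed values: the subnets below must match the IPsec policy (Step 6).
# Paste into /system script add name=vpn-audit source=... or run inside { } at the terminal.
:local localSubnet "10.100.0.0/16"
:local remoteSubnet "10.200.0.0/16"
:local problems 0

# Check 1: every enabled forward rule that accepts traffic from the remote
# subnet must also carry an ipsec-policy match, otherwise a plaintext packet
# from the WAN with a spoofed remote-subnet source would be accepted too.
:foreach r in=[/ip firewall filter find where chain=forward and action=accept and disabled=no] do={
    :local src [:tostr [/ip firewall filter get $r src-address]]
    :local pol [:tostr [/ip firewall filter get $r ipsec-policy]]
    :if ($src = $remoteSubnet && [:len $pol] = 0) do={
        :set problems ($problems + 1)
        :log warning ("vpn-audit: forward rule '" . [:tostr [/ip firewall filter get $r comment]] . "' accepts " . $remoteSubnet . " without ipsec-policy=in,ipsec")
    }
}

# Check 2: the srcnat accept rule for local -> remote must exist and must sit
# above every masquerade/src-nat rule; rules are walked in chain order.
:local seenNat false
:local found false
:foreach r in=[/ip firewall nat find where chain=srcnat and disabled=no] do={
    :local act [/ip firewall nat get $r action]
    :local src [:tostr [/ip firewall nat get $r src-address]]
    :local dst [:tostr [/ip firewall nat get $r dst-address]]
    :if ($act = "accept" && $src = $localSubnet && $dst = $remoteSubnet) do={
        :set found true
        :if ($seenNat = true) do={
            :set problems ($problems + 1)
            :log warning "vpn-audit: NAT bypass rule sits below a masquerade/src-nat rule; move it to the top of srcnat"
        }
    }
    :if ($act = "masquerade" || $act = "src-nat") do={ :set seenNat true }
}
:if ($found = false) do={
    :set problems ($problems + 1)
    :log warning "vpn-audit: no srcnat accept rule for $localSubnet -> $remoteSubnet (Step 8 missing)"
}

:if ($problems = 0) do={
    :log info "vpn-audit: forward rules and NAT bypass look correct"
} else={
    :log warning ("vpn-audit: " . $problems . " problem(s) found, see entries above")
}
```

Run it once after finishing Steps 7 and 8, and again after any firewall change; the findings are written to /log so they are visible alongside the ipsec topic entries used later in Troubleshooting.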


Verification

Check Peer Status

/ip ipsec active-peers print

Expected output:

 # ID      STATE        UPTIME  PH2-TOTAL
 0 xxxxxx  established  1h30m   1

The state must be established. If no entry appears, check:

  • Whether the customer has finished the setup on their side
  • Whether the PSK is exactly the same
  • Whether the encryption/hash/DH group parameters match

Check Security Associations

/ip ipsec installed-sa print

There must be SA entries with the correct src/dst addresses.

Check Policy Status

/ip ipsec policy print stats

The ph2-count column must be 1 or higher when the tunnel is active.

Test Ping

# Ping from the router to the customer subnet, sourced from our LAN gateway so the packet matches the policy selector
/ping address=10.200.0.1 src-address=10.100.0.1

Troubleshooting

Tunnel Does Not Connect

  1. Check the firewall — make sure UDP 500, UDP 4500 and ESP are not blocked
  2. Check the PSK — it must be identical on both sides (case-sensitive)
  3. Check the parameters — encryption, hash and DH group must match
  4. Check the IPs — public IPs and subnets must be correct
  5. Enable logging:
/system logging add topics=ipsec action=memory
/log print where topics~"ipsec"

SA Established but Ping Fails

  1. Check the NAT bypass — make sure the accept rule is above the masquerade rule
  2. Check the forward chain — make sure VPN traffic is allowed
  3. Check routing — make sure there is a route to the customer subnet via IPsec
  4. Check the policy — src/dst addresses must match the traffic being sent

Tunnel Drops Frequently

  1. Increase dpd-interval if the link is unstable
  2. Check for IP conflicts or routing loops
  3. Make sure both sides have synchronized time (NTP)
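The manual checks in the Verification section and the "Tunnel Drops Frequently" symptom above can be turned into a scheduled health check. The RouterOS script below is an added example, not part of the original article or a MikroTik tool: it counts established IKE SAs, counts installed Phase 2 SAs, and only then pings through the tunnel, logging a distinct message for each failure stage so the log shows where the tunnel broke. The gateway addresses and the expected SA count are assumptions taken from the tutorial's topology (one tunnel, one SA per direction), and the remote gateway is assumed to answer ICMP.

```routeros
# vpn-health: added example, not from the original article.
# Assumptions: addresses follow the tutorial topology; 2 installed SAs
# (one per direction) is normal for a single tunnel; 10.200.0.1 answers ping.
:local localGw "10.100.0.1"
:local remoteGw "10.200.0.1"
:local expectedSas 2

# Stage 1 (Phase 1): count IKE SAs that reached the "established" state.
:local established 0
:foreach ap in=[/ip ipsec active-peers find] do={
    :if ([/ip ipsec active-peers get $ap state] = "established") do={
        :set established ($established + 1)
    }
}

# Stage 2 (Phase 2): count installed Security Associations.
:local sas [:len [/ip ipsec installed-sa find]]

:if ($established = 0) do={
    :log error "vpn-health: no established IKE SA (check PSK, profile/proposal parameters and UDP 500/4500 + ESP on both sides)"
} else={
    :if ($sas < $expectedSas) do={
        :log warning ("vpn-health: IKE established but only " . $sas . " installed SA(s); Phase 2 negotiation may have failed")
    } else={
        # Stage 3 (data plane): 3 pings sourced from our LAN gateway so the
        # packets match the policy selector; /ping returns the reply count.
        :local replies [/ping $remoteGw src-address=$localGw count=3 interval=1s]
        :if ($replies = 0) do={
            :log warning "vpn-health: SAs present but no ping reply from $remoteGw; check NAT bypass, forward rules and routing"
        } else={
            :log info ("vpn-health: tunnel OK, " . $replies . "/3 replies from " . $remoteGw)
        }
    }
}
```

Save it as a script named vpn-health under /system script and run it every few minutes with /system scheduler add name=vpn-health interval=5m on-event=vpn-health. Because each stage logs its own message, a run of "no established IKE SA" entries around the same time each day points at the Phase 1 lifetime (Step 2), while "SAs present but no ping reply" points at the NAT bypass or forward rules rather than at IPsec itself.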

Configuration Summary

# === IPsec Site-to-Site VPN Configuration ===

# Phase 1: IKE Profile
/ip ipsec profile add name=vpn-customer-profile \
    dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=1d nat-traversal=yes

# Phase 2: SA Proposal
/ip ipsec proposal add name=vpn-customer-proposal \
    auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=8h pfs-group=modp2048

# Peer
/ip ipsec peer add name=vpn-customer-peer \
    address=REMOTE_PUBLIC_IP/32 local-address=LOCAL_PUBLIC_IP \
    profile=vpn-customer-profile exchange-mode=ike2

# Identity (PSK)
/ip ipsec identity add peer=vpn-customer-peer \
    auth-method=pre-shared-key secret="YOUR_STRONG_PASSPHRASE"

# Policy
/ip ipsec policy add peer=vpn-customer-peer \
    src-address=LOCAL_SUBNET dst-address=REMOTE_SUBNET \
    tunnel=yes sa-src-address=LOCAL_PUBLIC_IP \
    sa-dst-address=REMOTE_PUBLIC_IP \
    proposal=vpn-customer-proposal action=encrypt level=require

# Firewall & NAT
/ip firewall filter add chain=input protocol=udp dst-port=500 \
    src-address=REMOTE_PUBLIC_IP action=accept
/ip firewall filter add chain=input protocol=udp dst-port=4500 \
    src-address=REMOTE_PUBLIC_IP action=accept
/ip firewall filter add chain=input protocol=ipsec-esp \
    src-address=REMOTE_PUBLIC_IP action=accept
/ip firewall filter add chain=forward src-address=REMOTE_SUBNET \
    dst-address=LOCAL_SUBNET action=accept ipsec-policy=in,ipsec
/ip firewall filter add chain=forward src-address=LOCAL_SUBNET \
    dst-address=REMOTE_SUBNET action=accept ipsec-policy=out,ipsec
/ip firewall nat add chain=srcnat src-address=LOCAL_SUBNET \
    dst-address=REMOTE_SUBNET action=accept place-before=0

Replace REMOTE_PUBLIC_IP, LOCAL_PUBLIC_IP, LOCAL_SUBNET, REMOTE_SUBNET and YOUR_STRONG_PASSPHRASE with your own values.


Conclusion

Setting up an IPsec site-to-site VPN on MikroTik RouterOS 7 is fairly straightforward:

  1. Profile — IKE parameters (Phase 1)
  2. Proposal — SA parameters (Phase 2)
  3. Peer — who we connect to
  4. Identity — how we authenticate (PSK)
  5. Policy — which traffic gets encrypted
  6. Firewall — allow IPsec traffic
  7. NAT Bypass — do not NAT VPN traffic

Make sure both sides have identical parameters, and always back up the configuration before making changes.