
Before applying this procedure, please update your Mikrotik to the latest RouterOS.

WAN Interface Name has to be: ether1-gateway

Local Interface Name has to be: bridge-local

1. IPSec Configuration

The pre-shared secret must be replaced with the same random value on both sites. 127.99.99.99 stands in for the public address of the remote site; the script in section 5 keeps the peer address and the policy's sa-dst-address in step with the remote site's Cloud DDNS name.

Site A:

/ip ipsec
peer add comment="vpn01" address=127.99.99.99/32 auth-method=pre-shared-key secret=REPLACE_THIS_WITH_RANDOM_SECRET dh-group=modp4096 enc-algorithm=aes-256,aes-128 exchange-mode=ike2 hash-algorithm=sha512
proposal add name="secure-proposal" auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp4096
policy add comment="vpn01" dst-address=192.168.10.0/24 src-address=192.168.232.0/24 tunnel=yes proposal=secure-proposal sa-dst-address=127.99.99.99 sa-src-address=0.0.0.0

Site B:

/ip ipsec
peer add comment="vpn01" address=127.99.99.99/32 auth-method=pre-shared-key secret=REPLACE_THIS_WITH_RANDOM_SECRET dh-group=modp4096 enc-algorithm=aes-256,aes-128 exchange-mode=ike2 hash-algorithm=sha512
proposal add name="secure-proposal" auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp4096
policy add comment="vpn01" dst-address=192.168.232.0/24 src-address=192.168.10.0/24 tunnel=yes proposal=secure-proposal sa-dst-address=127.99.99.99 sa-src-address=0.0.0.0

2. Firewall NAT and Traffic Rules

The NAT accept rules are placed first (place-before=0) so that a masquerade rule further down cannot rewrite traffic that belongs to the tunnel. The input rule below only opens the NAT-T port UDP/4500; if the input chain ends in a drop rule, IKE also needs UDP/500, and ESP (protocol ipsec-esp) when there is no NAT between the sites.

Site A:

/ip firewall
nat add comment="vpn01" action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.232.0/24 place-before=0
nat add comment="vpn01" action=accept chain=dstnat dst-address=192.168.232.0/24 src-address=192.168.10.0/24 place-before=0
filter add comment="ipsec-ike-natt" chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp
filter add comment="vpn01" chain=forward dst-address=192.168.232.0/24 in-interface=ether1-gateway ipsec-policy=in,ipsec src-address=192.168.10.0/24

Site B:

/ip firewall
nat add comment="vpn01" action=accept chain=srcnat dst-address=192.168.232.0/24 src-address=192.168.10.0/24 place-before=0
nat add comment="vpn01" action=accept chain=dstnat dst-address=192.168.10.0/24 src-address=192.168.232.0/24 place-before=0
filter add comment="ipsec-ike-natt" chain=input dst-port=4500 in-interface=ether1-gateway protocol=udp
filter add comment="vpn01" chain=forward dst-address=192.168.10.0/24 in-interface=ether1-gateway ipsec-policy=in,ipsec src-address=192.168.232.0/24
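The two sites must be exact mirror images and both must carry the same hardened IKE and phase-2 parameters; a typo in one subnet, a forward rule without ipsec-policy=in,ipsec, or a NAT bypass that is not placed first is the usual reason such a tunnel never comes up or leaks traffic through the masquerade rule. The following Python script is an added example, not part of the original guide: it parses the commands of sections 1 and 2 (embedded below as sample input, including the page's placeholder secret, which it flags) and reports every deviation. The expected-parameter tables and the wording of the findings are this example's own choices.

```python
"""Cross-check the Site A and Site B IPsec/firewall commands (added example).

Parses the key=value arguments of the commands in Sections 1 and 2 and checks
that each site uses the hardened parameters chosen above and that Site B is
the mirror image of Site A.
"""
import shlex

# Sample input: the two sites' commands from Sections 1 and 2 on single lines.
# The secret is the page's placeholder, which the check is expected to flag.
SITE_A = """
peer add comment="vpn01" address=127.99.99.99/32 auth-method=pre-shared-key secret=REPLACE_THIS_WITH_RANDOM_SECRET dh-group=modp4096 enc-algorithm=aes-256,aes-128 exchange-mode=ike2 hash-algorithm=sha512
proposal add name="secure-proposal" auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp4096
policy add comment="vpn01" dst-address=192.168.10.0/24 src-address=192.168.232.0/24 tunnel=yes proposal=secure-proposal sa-dst-address=127.99.99.99 sa-src-address=0.0.0.0
nat add comment="vpn01" action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.232.0/24 place-before=0
nat add comment="vpn01" action=accept chain=dstnat dst-address=192.168.232.0/24 src-address=192.168.10.0/24 place-before=0
filter add comment="vpn01" chain=forward dst-address=192.168.232.0/24 in-interface=ether1-gateway ipsec-policy=in,ipsec src-address=192.168.10.0/24
"""
SITE_B = """
peer add comment="vpn01" address=127.99.99.99/32 auth-method=pre-shared-key secret=REPLACE_THIS_WITH_RANDOM_SECRET dh-group=modp4096 enc-algorithm=aes-256,aes-128 exchange-mode=ike2 hash-algorithm=sha512
proposal add name="secure-proposal" auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp4096
policy add comment="vpn01" dst-address=192.168.232.0/24 src-address=192.168.10.0/24 tunnel=yes proposal=secure-proposal sa-dst-address=127.99.99.99 sa-src-address=0.0.0.0
nat add comment="vpn01" action=accept chain=srcnat dst-address=192.168.232.0/24 src-address=192.168.10.0/24 place-before=0
nat add comment="vpn01" action=accept chain=dstnat dst-address=192.168.10.0/24 src-address=192.168.232.0/24 place-before=0
filter add comment="vpn01" chain=forward dst-address=192.168.10.0/24 in-interface=ether1-gateway ipsec-policy=in,ipsec src-address=192.168.232.0/24
"""

# IKE (peer) and phase-2 (proposal) parameters the guide selects.
EXPECTED_PEER = {"exchange-mode": "ike2", "dh-group": "modp4096",
                 "hash-algorithm": "sha512", "auth-method": "pre-shared-key"}
EXPECTED_PROPOSAL = {"auth-algorithms": "sha512", "enc-algorithms": "aes-256-cbc",
                     "pfs-group": "modp4096"}


def parse_commands(text):
    """Return [(menu, {key: value}), ...], one entry per command line."""
    cmds = []
    for line in text.strip().splitlines():
        menu, _verb, *args = shlex.split(line)   # shlex drops the "quotes"
        cmds.append((menu, dict(arg.split("=", 1) for arg in args)))
    return cmds


def find(cmds, menu, **match):
    """Arguments of the first `menu` command matching every key=value in `match`."""
    for m, kv in cmds:
        if m == menu and all(kv.get(k) == v for k, v in match.items()):
            return kv
    return {}


def check_site(name, cmds):
    """Per-site checks; returns a list of findings (empty when everything passes)."""
    out = []
    peer, prop, pol = find(cmds, "peer"), find(cmds, "proposal"), find(cmds, "policy")
    for key, want in EXPECTED_PEER.items():
        if peer.get(key) != want:
            out.append(f"{name}: peer {key}={peer.get(key)!r}, expected {want!r}")
    for key, want in EXPECTED_PROPOSAL.items():
        if prop.get(key) != want:
            out.append(f"{name}: proposal {key}={prop.get(key)!r}, expected {want!r}")
    if peer.get("secret", "").startswith("REPLACE_THIS"):
        out.append(f"{name}: pre-shared key is still the placeholder")
    if pol.get("tunnel") != "yes" or pol.get("proposal") != prop.get("name"):
        out.append(f"{name}: policy is not a tunnel using proposal {prop.get('name')!r}")
    local, remote = pol.get("src-address"), pol.get("dst-address")
    # The NAT bypass must be an accept rule placed first (place-before=0), or a
    # later masquerade rule rewrites tunnel traffic and the policy never matches.
    for chain, src, dst in (("srcnat", local, remote), ("dstnat", remote, local)):
        rule = find(cmds, "nat", chain=chain, **{"src-address": src, "dst-address": dst})
        if rule.get("action") != "accept" or rule.get("place-before") != "0":
            out.append(f"{name}: {chain} bypass for {src} -> {dst} missing or not first")
    # The forward rule must admit only packets that were decrypted from the tunnel.
    fwd = find(cmds, "filter", chain="forward")
    if (fwd.get("ipsec-policy") != "in,ipsec"
            or (fwd.get("src-address"), fwd.get("dst-address")) != (remote, local)):
        out.append(f"{name}: forward rule for {remote} -> {local} not limited to IPsec traffic")
    return out


def check_site_pair(site_a_text, site_b_text):
    """Both per-site checks plus the A/B mirror check; returns all findings."""
    a, b = parse_commands(site_a_text), parse_commands(site_b_text)
    out = check_site("Site A", a) + check_site("Site B", b)
    pa, pb = find(a, "policy"), find(b, "policy")
    if (pa.get("src-address"), pa.get("dst-address")) != (pb.get("dst-address"), pb.get("src-address")):
        out.append("policy subnets on Site A and Site B are not mirror images")
    return out


if __name__ == "__main__":
    for finding in check_site_pair(SITE_A, SITE_B) or ["all checks passed"]:
        print(finding)
```

Run against the page's own commands it reports only the placeholder secret on each site; dropping ipsec-policy=in,ipsec from one forward rule or changing a single subnet produces the corresponding finding, which is the kind of drift worth checking again after any later firewall edit on either router.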

3. Public IP Change Adaptation

Needs to be run on both Sites (A & B)

/ip cloud set ddns-enabled=yes update-time=no

4. Check the Cloud DDNS name

Needs to be run on both Sites (A & B)

/ip cloud print

5. IPSec Remote Address Update Script

Replace 0123456789.sn.mynetname.net with the Cloud DDNS hostname of the remote site (the name shown by /ip cloud print on the other router).

Needs to be run on both Sites (A & B), each with the other site's Cloud DDNS name.

/system script add name="ipsec-peer-update-vpn01" policy=read,write source=":local peerid \"vpn01\"\
\n:local peerhost \"0123456789.sn.mynetname.net\"\
\n:local peerip [:resolve \$peerhost]\
\n:local peeruid\
\n:set peeruid [/ip ipsec peer find comment=\"\$peerid\" and address!=\"\$peerip/32\"]\
\n:local policyuid\
\n:set policyuid [/ip ipsec policy find comment=\"\$peerid\" and sa-dst-address!=\"\$peerip\"]\
\n:if (\$peeruid != \"\") do={\
\n /ip ipsec peer set \$peeruid address=\"\$peerip/32\"\
\n :log info \"Script ipsec-peer-update updated peer '\$peerid' with address '\$peerip'\"\
\n}\
\n:if (\$policyuid != \"\") do={\
\n /ip ipsec policy set \$policyuid sa-dst-address=\"\$peerip\"\
\n :log info \"Script ipsec-peer-update updated policy '\$peerid' with address '\$peerip'\"\
\n}"
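The script above is stored as a single escaped string, which makes it hard to review: quotes are written as \", dollar signs as \$, newlines as \n, and long lines are continued with a trailing backslash. The following Python helper is an added example, not part of the guide: it extracts the source= body of the command above (embedded as sample input) and decodes it into plain script lines, and it can encode plain text back into the same form. The set of escape sequences it understands is an assumption based on the RouterOS console string syntax (\n, \t, \r, \", \\, \$ and \_ for a space); hex escapes are not handled.

```python
"""Decode and re-encode the source="..." string of a RouterOS script (added example).

RouterOS keeps a script body as one double-quoted string in which quotes,
dollar signs and newlines are backslash-escaped and exports break long lines
with a trailing backslash. This helper turns the Section 5 command back into
plain script lines and can produce the escaped form from plain text.
"""

# The command from Section 5, verbatim (the DDNS hostname is the page's
# placeholder; in practice it is the remote site's /ip cloud name).
SCRIPT_COMMAND = r'''
/system script add name="ipsec-peer-update-vpn01" policy=read,write source=":local peerid \"vpn01\"\
\n:local peerhost \"0123456789.sn.mynetname.net\"\
\n:local peerip [:resolve \$peerhost]\
\n:local peeruid\
\n:set peeruid [/ip ipsec peer find comment=\"\$peerid\" and address!=\"\$peerip/32\"]\
\n:local policyuid\
\n:set policyuid [/ip ipsec policy find comment=\"\$peerid\" and sa-dst-address!=\"\$peerip\"]\
\n:if (\$peeruid != \"\") do={\
\n /ip ipsec peer set \$peeruid address=\"\$peerip/32\"\
\n :log info \"Script ipsec-peer-update updated peer '\$peerid' with address '\$peerip'\"\
\n}\
\n:if (\$policyuid != \"\") do={\
\n /ip ipsec policy set \$policyuid sa-dst-address=\"\$peerip\"\
\n :log info \"Script ipsec-peer-update updated policy '\$peerid' with address '\$peerip'\"\
\n}"
'''.strip()

# Escape sequences of RouterOS double-quoted strings (assumed subset; the
# console also accepts \xx hex codes, which are not handled here).
UNESCAPE = {"n": "\n", "t": "\t", "r": "\r", "_": " ", '"': '"', "\\": "\\", "$": "$"}
ESCAPE = {"\n": "\\n", '"': '\\"', "\\": "\\\\", "$": "\\$"}


def extract_source(command):
    """Return the still-escaped body of the source="..." argument of a command."""
    start = command.index('source="') + len('source="')
    i = start
    while i < len(command):
        if command[i] == "\\":
            i += 2                      # skip the escaped character (may be a quote)
        elif command[i] == '"':
            return command[start:i]     # first unescaped quote ends the string
        else:
            i += 1
    raise ValueError("unterminated source string")


def unescape_routeros(body):
    """Turn an escaped string body into the text RouterOS stores in the script."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        nxt = body[i + 1] if i + 1 < len(body) else ""
        if nxt == "\n":                 # backslash-newline: line continuation in exports
            i += 2
        elif nxt in UNESCAPE:
            out.append(UNESCAPE[nxt])
            i += 2
        else:
            raise ValueError(f"unknown escape sequence at offset {i}: \\{nxt}")
    return "".join(out)


def escape_routeros(text):
    """Inverse of unescape_routeros: plain script text to a source= string body."""
    return "".join(ESCAPE.get(ch, ch) for ch in text)


def decode_script(command):
    """Plain script lines carried by a /system script add command."""
    return unescape_routeros(extract_source(command)).splitlines()


if __name__ == "__main__":
    for n, line in enumerate(decode_script(SCRIPT_COMMAND), 1):
        print(f"{n:2}: {line}")
```

Reading the decoded output is also a sensible habit for any /system script or /system scheduler entry found on a router during a review, because an entry with policy=read,write runs with the rights to change the configuration, and the escaped form hides what it does.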

6. Scheduler to update the DDNS IP of the remote peer in the VPN

Needs to be run on both Sites (A & B). Both entries are created disabled; the Netwatch entry in section 7 enables them while the remote host is unreachable (the first re-resolves the peer every minute, the second forces a Cloud DDNS update every ten minutes) and disables them again once the host answers.

/system scheduler
add disabled=yes interval=1m name=ipsec-peer-update-vpn01 on-event="/system script run ipsec-peer-update-vpn01" policy=read,write
add disabled=yes interval=10m name=ip-cloud-forceupdate on-event="/ip cloud force-update" policy=read,write

7. Netwatch for VPN Monitoring and Route for Traffic

The route points the remote subnet at the local bridge, so that traffic the router itself originates (the Netwatch ping) is sourced from the local LAN address and matches the IPsec policy. Netwatch pings a host in the remote subnet through the tunnel; while that host is unreachable the two schedulers from section 6 run, and once it answers again they are disabled.

Router on Site A:

/ip route add comment="vpn01" distance=1 dst-address=192.168.10.0/24 gateway=bridge-local
/tool netwatch add comment=ipsec-peer-update-vpn01 down-script="/system scheduler enable ipsec-peer-update-vpn01\
\n/system scheduler enable ip-cloud-forceupdate" host=192.168.10.20 up-script="/system scheduler disable ip-cloud-forceupdate\
\n/system scheduler disable ipsec-peer-update-vpn01"

Router on Site B:

/ip route add comment="vpn01" distance=1 dst-address=192.168.232.0/24 gateway=bridge-local
/tool netwatch add comment=ipsec-peer-update-vpn01 down-script="/system scheduler enable ipsec-peer-update-vpn01\
\n/system scheduler enable ip-cloud-forceupdate" host=192.168.232.20 up-script="/system scheduler disable ip-cloud-forceupdate\
\n/system scheduler disable ipsec-peer-update-vpn01"
