Mikrotik Setup VPN LAN2LAN

For several companies whose networks I administer, I have chosen MikroTik as the default router, mainly because it works smoothly and RouterOS offers fantastic options.

To protect and serve the headquarters I have chosen the Mikrotik CCR-1009-8G-1S-1S+PS, which is a Cloud Core Router, and for the small offices I have chosen the

After installing these routers with the latest software and getting them up and running at each location (office), the VPN tunnels between the offices can be configured. For a better overview, here is the network setup:

  • HQ – internal network – public IP
  • Office 1 – internal network – public IP
  • Office 2 – internal network – public IP

This information is quite important when creating the VPN rules and configuration, as shown in this picture:

When all three routers are online, the configuration of the VPN can begin. The best tool for configuring and managing a MikroTik router is Winbox, which MikroTik provides here: Winbox 3.11

Now you should be able to log in to all three routers through Winbox.

Start on the HQ router (the same steps apply on each MikroTik router): go to IP / IPsec.
Go to the Peers tab and create the peers for Office 1 and Office 2. Only Office 1 is shown:

The secret is your private VPN password, so remember it and make it strong.
Create the same peer for Office 2, only with the right IP address.
Next, make the policies for each peer, defining the local and public IPs:

Again, make a policy for each peer. The last thing to create in IPsec is the proposal:

So now you should have the following setup:

  • HQ – 2 peers, to Office 1 and Office 2
  • Office 1 – peer to HQ
  • Office 2 – peer to HQ

Then all offices are connected back to HQ, where all the servers etc. are placed. The last thing required is the firewall rules that allow the traffic to pass as on a local network.

Go to IP / Firewall and create a new filter rule on the HQ router allowing access from the Office 1 subnet.
Also create a filter rule for Office 2 on the HQ router. On each office's router, create only the rule from that office to HQ.

The last thing missing now is a NAT rule on HQ for each peer:

And on each office router you create a NAT rule towards HQ.
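As an added example, not the original post's configuration, here is the same setup entered through the RouterOS terminal instead of Winbox: the HQ router with two peers, the proposal, one policy per peer, the filter rules and the NAT bypass rules, followed by the mirror image on the Office 1 router. All addresses, subnets and secrets are constructed placeholders from the RFC 5737 and RFC 1918 ranges, and the command syntax assumes RouterOS v6 before 6.43 (later releases moved the peer secret into /ip ipsec identity and the phase 1 algorithms into /ip ipsec profile).

```routeros
# Added example (not the post's own config). Constructed addressing:
#   HQ:       LAN 192.168.10.0/24, public 203.0.113.1
#   Office 1: LAN 192.168.20.0/24, public 198.51.100.1
#   Office 2: LAN 192.168.30.0/24, public 198.51.100.2
# Replace every CHANGE-ME secret with a long random string; one per office.

# ---------- HQ router ----------
# Phase 1: one peer per office. "secret" is the VPN password from the post.
/ip ipsec peer
add address=198.51.100.1/32 local-address=203.0.113.1 exchange-mode=main \
    secret="CHANGE-ME-office1-psk" enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 comment="Office 1"
add address=198.51.100.2/32 local-address=203.0.113.1 exchange-mode=main \
    secret="CHANGE-ME-office2-psk" enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 comment="Office 2"

# Phase 2 proposal: replace the 3DES/SHA1 defaults and turn on PFS.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=30m

# Policies: which LAN pair is encrypted, and between which public endpoints.
/ip ipsec policy
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    action=encrypt proposal=default comment="HQ -> Office 1"
add src-address=192.168.10.0/24 dst-address=192.168.30.0/24 tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.2 \
    action=encrypt proposal=default comment="HQ -> Office 2"

# Filter: let the remote LANs into the HQ LAN (forward chain), placed ahead of
# any "drop what is not from LAN" rule, and let only the two peers reach the
# router itself with IKE (UDP 500/4500) and ESP.
/ip firewall filter
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
    action=accept place-before=0 comment="Office 1 LAN -> HQ LAN"
add chain=forward src-address=192.168.30.0/24 dst-address=192.168.10.0/24 \
    action=accept place-before=0 comment="Office 2 LAN -> HQ LAN"
add chain=input src-address=198.51.100.1 protocol=udp dst-port=500,4500 action=accept
add chain=input src-address=198.51.100.1 protocol=ipsec-esp action=accept
add chain=input src-address=198.51.100.2 protocol=udp dst-port=500,4500 action=accept
add chain=input src-address=198.51.100.2 protocol=ipsec-esp action=accept

# NAT: tunnelled traffic must not be masqueraded, otherwise its source becomes
# the public IP and the policy never matches. An accept rule placed before the
# masquerade rule is the "NAT rule for each peer" from the post.
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    action=accept place-before=0 comment="IPsec bypass Office 1"
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.30.0/24 \
    action=accept place-before=0 comment="IPsec bypass Office 2"

# ---------- Office 1 router (mirror of the HQ entries, towards HQ only) ----------
/ip ipsec peer
add address=203.0.113.1/32 local-address=198.51.100.1 exchange-mode=main \
    secret="CHANGE-ME-office1-psk" enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 comment="HQ"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=30m
/ip ipsec policy
add src-address=192.168.20.0/24 dst-address=192.168.10.0/24 tunnel=yes \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    action=encrypt proposal=default comment="Office 1 -> HQ"
/ip firewall filter
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    action=accept place-before=0 comment="HQ LAN -> Office 1 LAN"
add chain=input src-address=203.0.113.1 protocol=udp dst-port=500,4500 action=accept
add chain=input src-address=203.0.113.1 protocol=ipsec-esp action=accept
/ip firewall nat
add chain=srcnat src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
    action=accept place-before=0 comment="IPsec bypass HQ"

# Checks after both sides are in place (run on either router):
#   /ip ipsec remote-peers print     -> state "established" for each peer
#   /ip ipsec installed-sa print     -> one SA pair per policy
#   /ping 192.168.10.1 src-address=192.168.20.1   (from Office 1, through the tunnel)
```

The proposal and the peer algorithms have to match on both ends, and the phase 2 proposal is what both policies reference, so change it in one place. Note that this example, like the post's layout, only builds HQ-to-office tunnels; traffic between Office 1 and Office 2 would need its own policies on HQ and on both office routers before it could pass through HQ.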

That's it – now you'll have a VPN running between the offices. Many other settings are available, such as DNS setup, but you'll already be able to ping IP addresses on the full network at each location.

Have Fun.