IPSec Between OPNSense and Mikrotik

This time it was from Mikrotik at one end to OPNsense at the other.

Here’s a diagram of the layout. A /16 at each house, connected over the internet.

+---------------+   +---------+   +----------+   +---------+   +---------------+
| Local Network +---+ House 1 +---+ Internet |   | House 2 |   | Local Network |
|   |   | |   |          +---+ +---+   |
+---------------+   +---------+   +----------+   +---------+   +---------------+
  OPNSense                                         Mikrotik

Configuring OPNsense

There’s a few steps to this one.

Phase 1

This is the authentication stage for working out how to talk to each other.

  1. VPN -> IPSEC -> Tunnel settings
  2. Create a new config
  3. General information
  1. Connection method: default
  2. Key Exchange Version: v2
  3. Internet Protocol: v4 (depending on what connectivity you have)
  4. Interface: WAN (your external interface)
  5. Remote gateway:
  1. Phase 1 proposal (Authentication)
  1. Authentication method: Mutual PSK
  2. My identifier: IP Address (
  3. Peer identifier: IP Address (
  4. Pre-shared key:
  1. Phase 1 proposal (Algorithms)
  1. Encryption algorithm: AES (256)
  2. Hash algorithm: SHA256
  3. DH key group: 14 (2048 bits)
  4. Lifetime 28800
  1. Advanced options
  1. NAT Traversal: disabled
  2. Install policy: ticked
  3. Dead peer detection: Enabled (10 seconds delay, 5 retries, restart the tunnel)
  4. Everything else: disabled
  1. Hit save

Phase 2

This is the actual “traffic encryption” stage. From the Tunnel settings page, next to the newly created phase 1 configuration, there should be a button to add a phase 2 entry. Click that.

  1. Mode: Tunnel IPv4
  2. Local Network
    • Type: Network
    • Address:
  3. Remote Network
    • Type: Network
    • Address
  4. Phase 2 Proposal (SA/Key exchange)
    • Protocol: ESP
    • Encryption Algorithms
      • AES (256 bits in the dropdown)
    • Hash algorithms: SHA256
    • PFS key group: 14 (2048 bits)
    • Lifetime: 28800 seconds (8 hours)

Hit save

Other bits

Make sure you tick “Enable IPsec” on the tunnel config screen and ensure you hit apply, otherwise it won’t start the tunnels…

Sometimes it’ll make the right firewall rules, but double check your WAN interface actually has a rule that lets ESP traffic from on UDP/500 and ESP.

You’ll need to configure appropriate firewall rules for traffic traversing the IPsec link in the “ipsec” firewall rules section. You can be lazy and just any/any/any it, or make more specific ones.

In summary, the NAT device will use the following ports with NAT Traversal is enabled:

  • Encapsulated Security Protocol (ESP): IP Protocol 50;  UDP port 4500
  • Authentication Header (AH): IP Protocol 51 ; UDP port 4500
  • ISAKMP IKE Negotiations UDP port 500 -> UDP port 4500

Configuring the Mikrotik

Here’s the config from the Mikrotik, suffice it to say there was a lot of clicking and swearing and trying to edit things in the console to make this work. You should be able to copy, edit and update this to suit your needs.

You’ll need to create the firewall rules to allow the traffic. Note that this connection uses ether1 so your in-interface may differ.

/ip firewall filter
add action=accept chain=forward dst-address= dst-port=500 in-interface=ether1 protocol=udp src-address=
add action=accept chain=forward dst-address= in-interface=ether1 protocol=ipsec-esp src-address=

And here’s the config for the IPSEC side of things:

/ip ipsec profile 
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h nat-traversal=no proposal-check=strict

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=8h pfs-group=modp2048

/ip ipsec peer
add name="peer" address= local-address= port=500 profile=default exchange-mode=ike2 send-initial-contact=yes

add peer=peer auth-method=pre-shared-key secret="superlongpasswordhere" generate-policy=port-strict

add dst-address= sa-dst-address= sa-src-address= src-address= tunnel=yes peer=peer

Leave a Reply

Your email address will not be published. Required fields are marked *