Skip to content
Oct 12 / Greg

Mikrotik Video Tutorial – Creating an IPSEC LAN to LAN Tunnel

So you have multiple sites that all have internet connections. You want to securely connect the internal subnets together…how would one accomplish this? You would use an IPSEC tunnel. Imagine it as a nice secure pipe that connects one site to the other. This tutorial will show you just how this configuration is accomplished. Use the below diagram as a reference to the video.

Lan to Lan Diagram...that rhymes ;)

Lan to Lan Diagram...that rhymes πŸ˜‰

Click the link below to see the VIDEO!

NOTE: Don’t use NAT-T with the Mikrotiks unless you absolutely have to…this command seems to be somewhat buggy.

When terminating tunnels to Linksys RV042s, set your peer to aggressive mode.


leave a comment
  1. Greg / Feb 25 2011

    VRRP is useful if you have redundant connections from a provider. If you have multiple providers, BGP will always be your best bet.

  2. IceMonk / Mar 31 2011

    Cool presentation and couldn’t be simpler.
    Tnx for xplaining in simple format πŸ™‚

  3. omid khaghani / Jul 23 2011

    Tnx; vrey good πŸ™‚

  4. kara / Aug 10 2011

    Working ok, thank you! Nice tutorial, easy to set-up an IPSec after this.

    One thing though, sometimes the tunnel is dropped at one end, and when I check the IP -> IPsec, the Policies tab, the line with Src. address, Dst address is red!

    I have to enable and disable this rule, then the tunnel goes up again! Why is this happening?

  5. Greg / Aug 10 2011

    Sounds like a bug. What version of code are you running?

  6. kara / Aug 11 2011

    Hello Greg, I am running MikroTik RouterOS 5.2, on a RouterBoard 750GL. The same on both ends!

    Thanks for the quick answer!

  7. Greg / Aug 11 2011

    Upgrade to 5.6 and test…you would be surprised how often that works.

  8. kara / Aug 11 2011


    OK, I will upgrade, because I have another problem now.

    When I copy big files over the network, between locations, I get a network not found error. The same happens on FTP protocol between locations, copies 2MB, then stuck! πŸ™ In IPSec, I see a lot of Installed SAS, ping works, but big file transfer between both ends fails!

    PS: Can I update online, without loosing settings? Because the router now is not at my office.

  9. Greg / Aug 11 2011

    You can indeed.

  10. Robert / Sep 6 2011

    Great job in making it simple and saving me a lot of time!

    Thanks for you help.

  11. Alireza / Sep 29 2011

    i have a problem in my one of site,
    i have 2 mikrotik RB450g. i configurd IPsec but the problem is dynip in one of our site when the ip is changed i need to change ip in my IP sec configuration,
    i have registered my ip in as a address so how can i make script to solve this issue.

    mikro A) static IP
    mikro B)

  12. Greg / Oct 6 2011

    Check out the wiki.

  13. Chris Nicholson / Jan 5 2012

    Your videos are so helpful thank you so much. I am getting better with RouterOS. Every time I Google a question… I get sent back here.

  14. Greg / Jan 5 2012

    Always happy to help when I can πŸ™‚

  15. Sam / Jan 31 2012

    This is absolutely fantastic, Thank you very much. it was really helpful.

  16. Iqbal / Feb 14 2012

    Great Video Thnx Gregso for this video ^-^

  17. Sam / Feb 14 2012

    What’s wrong with IPSEC? it 10 times slow down the connection? I was playing arround with MTU, MRU, Encryption methods, …
    but nothing helped. it is really disturbing…
    Help please.

  18. Greg / Feb 23 2012

    Try switching to MD5 in your IKE

  19. Greek Latinos / May 4 2012

    Thanks a lot! It’s a very helpfull note!

  20. Greek Latinos / May 4 2012


    Mikrotik’s Wiki says about some troubles with different clocks:

  21. clarkstyx / Jun 30 2012

    hi, can you post a tuorial on connecting mikrotik and sonicwall thru ipsec vpn with dynamic ip on both sides?

  22. Greg / Jul 2 2012

    I don’t currently have a sonic wall to use, sorry.

  23. Harris / Nov 8 2012

    SoWell Done !!

    Thanks for your time and help. Would this work if both sites have dyndns running can the ip be replaced with

  24. Mahmoud / Nov 27 2012

    Hello Gerg,

    good video,

    now i have one case i need to solve,

    i have cisco RV042 and RVS4000, now if am at RVS network i can start ping to RV042 network any time but if am at RV042 network i can’t start ping untill ping start from the other network start first.

    now if i used Mikrotik RB750 GL to Mikrotik RB750GL, will it solve the proble or not.


  25. Greg / Nov 27 2012

    It should repair the issue, but if there is something inbetween that is causing issues that will persist.

  26. Greg / Nov 27 2012

    HA. It should work via dynamic on both sides if you have dynamic script running on each end.

  27. Tomas / Jan 10 2013

    I would like to thank a lot for this tutorial, starting from NAT firewall is the way to go, not like in Mikrotik website …

    Many Thanks,

  28. Don / Feb 28 2013

    Thank you so much for this wonderful yet simple tutorial. Greatly appreciated.

  29. Matt / Apr 10 2013


    Nice tut, Monowall -> RB2011 up first time thanks again !

  30. Uffe / Apr 18 2013

    Thanks a lot! Had problems getting it to work, and your little movie pointed me to the solution to my problems! I hade put the lan-ip where the public ip should go in one of the configurations (peer I think it was). This helped me get it to work, and I just had to say a BIG THANKS! πŸ˜€

  31. Greg / Apr 18 2013

    Always happy to help

  32. Azot / May 17 2013

    Thank you Greg.

  33. Deepesh / Jun 21 2013

    Crystal clear Instructions.

    Thank you.


  34. Jerry Roy / Jun 25 2013

    Greg, I have hundreds of site2site VPN working between a Juniper head end and MT750s and it works well in aggressive mode. I created a loopback address and we monitor the MT with a monitoring tool for up down status on the loopback interface. All locations have a unique Lan subnet but now I want to set the IP’s on the LAN’s of all MT750s to be the same subnet Example (all sites so the only IP’s we would have to worry about being incorrect would be the loopback and the WAN. Any ideas on how to do this?

  35. Greg / Jun 25 2013


    I suppose you could change the LAN subnets to and have all traffic NAT to the loopback IP. You wouldn’t be able to individually access clients on the 192.168.1.X subnet, but as long as that isn’t a necessity, it should work.

  36. Ganesh Varma / Oct 9 2015

    Tnx ….It’s very cool video

  37. jay thompson / Nov 10 2015

    I can ping the far end router at from the near end, but I can’t ping a PC at

    Are your examples invalid for those of us who are required to use a comb in our daily grooming routine?

  38. Greg / Nov 10 2015

    @Jay, bald is beautiful hehehe.
    I would check any natting or firewall rules at the far side…make sure you aren’t breaking it on the return.

  39. jay thompson / Nov 10 2015

    >>make sure you aren’t breaking it on the return.

    I bet that’s it, will try as soon as I’m done with ebay bidding on your hair brush collection.

  40. Greg / Nov 10 2015

    @Jay, I prefer a pic for my afro.

  41. Michael Switzer / Sep 22 2016

    Thank you so much for this post. We swapped out a monowall with new Mikrotik and was having difficulties connecting to the previously defined ipsec tunnel.
    It turns out that the phase2 settings under proposals needed to be tweaked a little bit.

    Anyways, thank you for taking the time to post this- it helped a lot

  42. Greg / Sep 23 2016

    @Michael – Many thanks sir. Always happy to help πŸ™‚

Leave a Comment