Hey there, network enthusiasts! Are you looking to connect two or more of your MikroTik networks securely? Setting up a MikroTik site-to-site VPN is a fantastic way to do this, enabling secure communication and resource sharing between different locations. This guide will walk you through the process, making it easy for you to get your networks talking to each other. We will be using OSCP (Open Shortest Path First) configuration, which is dynamic routing to provide redundancy and automatic failover, making your network more robust and resilient. We'll be covering all the essential steps, from the initial planning stages to the final configuration and testing of your site-to-site VPN. So, let's dive in and get those networks connected!

Understanding Site-to-Site VPNs and Their Importance

First off, what exactly is a site-to-site VPN, and why should you even bother with one? A site-to-site VPN, in the simplest terms, is a virtual private network that connects two or more networks together. Think of it as a secure tunnel that allows data to travel privately and securely between your different locations, such as offices, data centers, or even your home network. Instead of having separate networks that can't communicate directly, a site-to-site VPN creates a secure link, so the devices on each side can communicate as if they were on the same local network. It is important to note that the site-to-site VPNs are different from the remote-access VPNs, which are used to enable a single user to connect to the network.

Benefits of Site-to-Site VPNs

1. Secure Communication: All data transmitted through the VPN tunnel is encrypted, protecting sensitive information from eavesdropping and unauthorized access. This is essential for businesses that handle confidential data. This adds an extra layer of protection, which is very important in today's digital world.
2. Resource Sharing: Site-to-site VPNs allow users in different locations to access shared resources like file servers, printers, and applications as if they were on the same local network. This greatly increases productivity and efficiency.
3. Cost Savings: Using a site-to-site VPN can be more cost-effective than dedicated leased lines or other expensive connectivity solutions, especially when connecting multiple locations.
4. Centralized Management: Once the VPN is set up, you can manage your entire network from a central location, making it easier to monitor and troubleshoot issues.
5. Flexibility and Scalability: Site-to-site VPNs can be easily scaled to accommodate the addition of new locations or increased bandwidth requirements. The dynamic routing provided by OSCP makes this scalability a breeze.

Now that you know what a site-to-site VPN is and why it's so important, let's get into the nitty-gritty of setting one up with MikroTik routers. We will focus on the OSCP configuration, and that is where the magic happens!

Prerequisites: What You'll Need

Before you start, make sure you have the following in place:

1. MikroTik Routers: You'll need at least two MikroTik routers, one for each site you want to connect. The models don't have to be the same, but they should be running a recent version of RouterOS. In most cases, it is preferable to use the same models to eliminate compatibility problems.
2. Public IP Addresses: Each site must have a public IP address or a static IP address assigned to its WAN (Internet-facing) interface. This is how the routers will find each other on the internet. You will probably need to contact your ISP (Internet Service Provider) to find out your public IP address.
3. Internet Connectivity: Each site needs a stable internet connection. The speed of the connection will determine the overall performance of the VPN.
4. Network Planning: Plan your network addressing scheme. You'll need to decide on the IP address ranges for each site. Ensure the IP address ranges do not overlap. If they do, the configuration won't work. The subnet mask should be considered as well.
5. RouterOS Familiarity: You should be comfortable navigating the MikroTik RouterOS interface, whether you prefer using Winbox, the web interface (WebFig), or the command-line interface (CLI). No need to be a pro, but some basic experience will help.
6. Security Considerations: Decide on your encryption protocols and pre-shared key. The settings need to be the same for all routers in your VPN configuration. It is always a good idea to rotate your pre-shared key regularly for enhanced security.

Once you have everything ready, you are good to go! Let's begin the exciting part: Configuration!

Configuring the Site-to-Site VPN

This section will give you a step-by-step guide to configuring your site-to-site VPN using IPsec (Internet Protocol Security) and OSCP on your MikroTik routers. We will be using the command line for the configuration, as this gives us more flexibility. Remember, you can perform the same settings in Winbox, but the command line gives you more control and is helpful for scripting.

Step 1: Configuring IPsec

IPsec is the backbone of our secure VPN tunnel. We'll set up the IPsec policies and proposals to encrypt and protect your data. First, log into your MikroTik router (Router A) using Winbox or SSH.

1. IPsec Proposal: Create an IPsec proposal. This defines the encryption and authentication algorithms to use. It must be identical on both routers. Go to IP > IPsec > Proposals and add a new proposal. The proposal settings should look something like this:

   • Name: my-ipsec-proposal
   • Auth. Algorithms: sha256
   • Enc. Algorithms: aes-256-cbc
   • Lifetime: 3600s (or your preferred value)

2. IPsec Peer: Next, create an IPsec peer. This defines the remote router's IP address and the pre-shared key. Go to IP > IPsec > Peers and add a new peer. Configure these settings:

   • Address: The public IP address of Router B.
   • Secret: The pre-shared key (a strong, unique password).
   • Exchange Mode: Main, Aggressive
   • My ID: asn1dn (or any other appropriate identifier)
   • Peer ID: asn1dn (or any other appropriate identifier)
   • Proposal: Select the proposal you created earlier (my-ipsec-proposal).

3. IPsec Policy: Now, create an IPsec policy to define what traffic will be encrypted. Go to IP > IPsec > Policies and add a new policy. You can choose to encrypt all traffic or only specific subnets. If you want to encrypt all traffic between the two sites, you can use these settings:

   • Src. Address: 192.168.1.0/24 (Router A's LAN network).
   • Dst. Address: 192.168.2.0/24 (Router B's LAN network).
   • Protocol: all
   • Action: encrypt
   • Level: require
   • IPsec Protocols: esp
   • Proposal: Select the proposal you created earlier (my-ipsec-proposal).

Repeat these steps on Router B, but remember to swap the source and destination IP addresses, and the peers' public IP addresses, and configure the same encryption and authentication algorithms.

Step 2: Configuring OSCP

OSCP will dynamically manage the routing between the two sites. This way, if one of your sites goes down, the other will continue to function. It will automatically find the best path for your data. First, log into your MikroTik router (Router A).

1. OSCP Instance: Create an OSCP instance. Go to Routing > OSCP > Instances and add a new instance. Here's a basic configuration:

   • Name: default
   • Router ID: The router's IP address.

2. OSCP Interface: Add the VPN tunnel interface to OSCP. Go to Routing > OSCP > Interfaces and add the VPN interface that was created by the IPsec configuration in the previous step (e.g., ipsec1). Enable enabled. This will allow OSCP to exchange routing information across the tunnel.

3. OSCP Area: Define the area for OSCP. Go to Routing > OSCP > Areas and add a new area. Basic configuration:

   • Name: backbone

4. OSCP Network: Add the local network to OSCP. Go to Routing > OSCP > Networks and add a new network. In the Network field, specify your local network (e.g., 192.168.1.0/24). In the Area field, specify the area you created earlier (backbone).

Repeat these steps on Router B, but ensure you replace the IP addresses with the correct ones for Router B's network.

Step 3: Configuring the Firewall

Firewall rules are essential for security. We will allow the IPsec and OSCP traffic. You will need to add firewall rules on both routers.

1. IPsec Traffic: Create firewall rules to allow IPsec traffic. Go to IP > Firewall > Filter Rules and add the following rules:

   • Action: accept

     | Read Also : ITV Timor-Leste: Everything You Need To Know

   • Chain: input

   • Protocol: esp

   • In. Interface: ether1 (or your WAN interface)

   • Action: accept

   • Chain: input

   • Protocol: udp

   • Dst. Port: 500

   • In. Interface: ether1 (or your WAN interface)

   • Action: accept

   • Chain: input

   • Protocol: udp

   • Dst. Port: 4500

   • In. Interface: ether1 (or your WAN interface)

2. OSCP Traffic: Create firewall rules to allow OSCP traffic. Go to IP > Firewall > Filter Rules and add the following rule:

   • Action: accept
   • Chain: input
   • Protocol: ospf
   • In. Interface: ipsec1 (or the IPsec tunnel interface)

Step 4: Testing Your Configuration

Once you have configured everything, it's time to test your VPN connection. Here is how:

1. Ping Test: Try to ping a device on Router B's network from a device on Router A's network (and vice versa). For example, from Router A's network, try to ping the IP address of a device on Router B's LAN (e.g., ping 192.168.2.100).
2. Traceroute Test: Use the traceroute command to trace the route your packets take. This will show you if the traffic is going through the VPN tunnel. Open the terminal and type traceroute 192.168.2.100.
3. Traffic Monitoring: Use the MikroTik traffic monitor to see the traffic going through the VPN. Go to Tools > Torch and select the VPN interface to monitor the traffic.

If the ping and traceroute tests are successful, and you see traffic in the traffic monitor, your site-to-site VPN is up and running!

Advanced Configurations and Troubleshooting Tips

Now that you have a working site-to-site VPN, let's explore some advanced configurations and troubleshoot common problems. After all, the best configuration is the one that's designed for your needs.

Advanced Configurations

1. Multiple Subnets: If you have multiple subnets at each site, you can configure your IPsec policies to include those subnets. Just add additional source and destination address pairs in your IPsec policies.
2. Dynamic DNS: If you have a dynamic IP address, you can use dynamic DNS to update the remote peer's address automatically. Configure the DDNS service in IP > Cloud and use the dynamic hostname in the IPsec peer configuration.
3. High Availability: To increase redundancy, you can configure multiple VPN tunnels to the same remote site, or implement a failover mechanism. The OSCP dynamic routing can help with this.
4. Monitoring: Use the MikroTik monitoring tools (like The Dude) to monitor your VPN connection's status and performance. This will help you quickly identify and resolve any issues.

Troubleshooting Tips

Here are some common problems you might encounter:

1. Connectivity Issues: If you can't ping devices across the VPN, check the following:
   • Make sure the IP addresses are correct and that the subnets do not overlap.
   • Verify the pre-shared key on both routers.
   • Check your firewall rules to make sure they allow IPsec and OSCP traffic.
   • Make sure IPsec is enabled on both routers.
2. Slow Speeds: If your VPN is slow, check the following:
   • Make sure your internet connections are performing adequately.
   • Check the CPU usage on your routers. Encryption and decryption can be CPU-intensive.
   • Try different encryption algorithms (e.g., AES-128 instead of AES-256) to reduce CPU load.
3. OSCP Routing Issues: If OSCP is not working correctly:
   • Verify that OSCP is enabled on both routers.
   • Check that the networks are correctly advertised in the OSCP configuration.
   • Make sure the IPsec tunnel interface is added to OSCP.

Conclusion: Your Secure Network is Ready!

There you have it! You've successfully configured a secure site-to-site VPN with your MikroTik routers using IPsec and OSCP. By following this guide, you should be able to connect your networks securely and share resources with ease. If you encounter any problems, review the troubleshooting tips above, and don't hesitate to consult the MikroTik documentation or online forums for more assistance. Congratulations! Now enjoy the benefits of a secure and interconnected network. Feel free to experiment with different configurations, and customize it to suit your specific needs. Happy networking, guys!