MikroTik Site to Site IPSec with RSA certificates

Today, I will guide you through the configuration process of a Site to Site IPSec tunnel between two MikroTik routers while using RSA certificates instead of the commonly used Pre-Shared Keys (PSK).

The advantage is clear – even the weakest certificate is stronger than many of the PSKs in use. The seed value used for all other computations and crypto-keys is longer and consequently the whole communication is more secure. In addition, when it comes to the PSK generation process, many people lose their creativity.


How to protect an IP-IP tunnel with IPSec

In this part of the MikroTik IPSec series, I will discuss how to use IPSec to protect any other MikroTik tunnel without built-in encryption. In this example I will use an IP-IP tunnel as the reference, but you can apply this method to any other type. I have already covered L2TP/IPSec PSK tunnels, as they are different in nature.

Let’s begin!

MikroTik Site to Site IPSec when one router has a dynamic WAN IP address

In this part of the MikroTik IPSec series, I will show you how to establish a Site to Site IPSec tunnel between two routers, when one of them has a dynamic WAN IP address.

This scenario is different from the one described in this article, where the MikroTik is behind another router. In this case our MikroTik has a WAN port (like a 3G/4G-LTE or cable modem) with a dynamic IP address, and there’s a good chance that this address is from the ISP’s private IP address pool.

Even better, in this article I will explain the concept of a Loopback adapter and how you can use it in situations similar to this one. Let’s begin!

MikroTik and the Rogue DHCP Server

Every MikroTik device with the DHCP server service can be used to search your network for any rogue DHCP server. Even better, it can send you an email on such detection. When an alert occurs, you will be informed of the MAC address (and a few more details) of that machine.

You can’t use the MikroTik router to actively block such a machine. This is an option that should be implemented on your network switches.