Here is how to establish an IPsec tunnel between an Ubuntu 20.04 host and a Mikrotik router using IKEv2. The 2 endpoints of the tunnel are:

  • ubuntu.xentoo.info : the Ubuntu server. This server has a local private subnet 10.0.0.0/24 and a fixed public IPv4 address 1.2.3.4 . The hostname ubuntu.xentoo.info resolves to the public IP address.
  • mikrotik.xentoo.info : the Mikrotik router. This router has a local private subnet 192.168.0.0/24 and a dynamic public IPv4 address.

I will use fqdn identifiers, pre-shared-key and both IKE and ESP will have the same parameters:

  • encryption: AES256
  • integrity: SHA256
  • Diffie-Hellman group: ECP384

Let’s first configure the Mikrotik router. Go straight into the configuration of IPSEC tunnels:

/ip ipsec profile
add dh-group=ecp384 dpd-interval=10s enc-algorithm=aes-256 hash-algorithm=sha256 name=ubuntu.xentoo.info <
    nat-traversal=no
/ip ipsec peer
add address=ubuntu.xentoo.info exchange-mode=ike2 name=ubuntu.xentoo.info profile=ubuntu.xentoo.info
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr name=ubuntu.xentoo.info pfs-group=ecp384
/ip ipsec identity
add my-id=fqdn:mikrotik.xentoo.info peer=ubuntu.xentoo.info remote-id=ubuntu.xentoo.info secret=mysecretkey
/ip ipsec policy
add dst-address=10.0.0.0/24 peer=ubuntu.xentoo.info proposal=ubuntu.xentoo.info sa-dst-address=1.2.3.4 \
    sa-src-address=0.0.0.0 src-address=192.168.0.0/24 tunnel=yes 

On Ubuntu side, first install the package:

apt-get install strongswan 

The tunnels are configured in /etc/ipsec.conf . There are 2 members in a connection: a left one and a right one. I always use the left one for the local host and the right one for the remote host. I name the connection using the remote host name. Since the Mikrotik router has a dynamic public IP address, its IP address is configured with %any. The configuration for this tunnel is the following:

conn mikrotik.xentoo.info
    leftsubnet=10.0.0.0/24
    left=1.2.3.4
    leftid=fqdn:ubuntu.xentoo.info
    rightsubnet=192.168.0.0/24
    right=%any
    rightid=fqdn:mikrotik.xentoo.info
    authby=psk
    auto=start
    ike=aes256-sha256-ecp384
    keyexchange=ikev2
    esp=aes256-sha256-ecp384
    type=tunnel 

The secret keys are stored in /etc/ipsec.secrets . Each line is a different secret. The syntax I use is leftid rightid : PSK "psk" .

fqdn:ubuntu.xentoo.info fqdn:mikrotik.xentoo.info : PSK "mysecretkey" 

Restart IPSEC service to apply the changes:

systemctl restart ipsec 

After you restart the service, you should see the following in /var/log/syslog:

Mar  6 11:35:51 ubuntu charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar  6 11:35:51 ubuntu charon: 00[CFG]   loaded IKE secret for fqdn:ubuntu.xentoo.info fqdn:mikrotik.xentoo.info
...
Mar  6 11:35:51 ubuntu charon: 05[CFG] added configuration 'mikrotik.xentoo.info'
Mar  6 11:35:57 ubuntu charon: 09[NET] received packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (208 bytes)
Mar  6 11:35:57 ubuntu charon: 09[ENC] parsed IKE_SA_INIT request 0 [ No KE SA ]
Mar  6 11:35:57 ubuntu charon: 09[IKE] 6.7.8.9 is initiating an IKE_SA
Mar  6 11:35:57 ubuntu charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Mar  6 11:35:57 ubuntu charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(CHDLESS_SUP) N(MULT_AUTH) ]
Mar  6 11:35:57 ubuntu charon: 09[NET] sending packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (232 bytes)
Mar  6 11:35:57 ubuntu charon: 10[NET] received packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (448 bytes)
Mar  6 11:35:57 ubuntu charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi AUTH IDr N(INIT_CONTACT) SA TSi TSr ]
Mar  6 11:35:57 ubuntu charon: 10[CFG] looking for peer configs matching 1.2.3.4[ubuntu.xentoo.info]...6.7.8.9[mikrotik.xentoo.info]
Mar  6 11:35:57 ubuntu charon: 10[CFG] selected peer config 'mikrotik.xentoo.info'
Mar  6 11:35:57 ubuntu charon: 10[IKE] authentication of 'mikrotik.xentoo.info' with pre-shared key successful
Mar  6 11:35:57 ubuntu charon: 10[IKE] authentication of 'ubuntu.xentoo.info' (myself) with pre-shared key
Mar  6 11:35:57 ubuntu charon: 10[IKE] IKE_SA mikrotik.xentoo.info[2] established between 1.2.3.4[ubuntu.xentoo.info]...6.7.8.9[mikrotik.xentoo.info] 

You can see the secret was loaded correctly, both endpoints were detected correctly. Then the configuration for tunnel mikrotik.xentoo.info was loaded. When a first packet was received from the Mikrotik router, the correct proposal was chosen, the the authentication using pre-shared-key succeeded and the tunnel was established.