< Back

Mikrotik router tutorial with IKEv2

Follow this tutorial to configure your Mikrotik router with IKEv2 tunnel to Surfshark servers.

Please note, that you will need to have the Router OS 6.45 version at least because older versions do not have some required functions.

At first, you will need to collect some details to set up the VPN client.

Log in to the Surfshark website, click VPN -> Manual setup -> Router.

Under the Files tab, you will see the full list of Surfshark servers. You will need one server's hostname that you will find under its name (for example, al-tia.prod.surfshark.com, which is a hostname of Albania - Tirana).


Scroll down and you will find Other configuration files. Download the IKEv2 certificate.


Click the Credentials tab on top of the page and you will find credentials that you will need to use for this connection method. Write it down or keep in a quickly reachable place.


Once you collect these details, we can start with the router.

  1.  Open your router settings. You can open it by entering the IP of your router to the URL bar of your browser (or using a WinBox).


  2. Click Files then click Upload


  3. Go to the folder in which you have saved the IKEv2 certificate you have downloaded previously. Choose the IKEv2 certificate and upload it.


  4. Go to System -> Certificates


  5. Click the Import button. Open the drop-down menu on the new pop-up window and choose the uploaded IKEv2 certificate. Click Import.


    You will see the imported profile listed there.

  6. Now open a new terminal.


  7. Enter commands to create a new profile:

    /ip ipsec profile
    add name=FRBD

    We will name this new profile FRBD, because it stands for France Bordeaux, but you can choose your preferred name.


  8. Enter commands to create a new proposal:

    /ip ipsec proposal
    add name=FRBD pfs-group=none


  9. Enter commands to add the policy group:

    /ip ipsec policy group
    add name=FRBD


  10. Enter commands to create a new policy:

    /ip ipsec policy
    add dst-address= group=FRBD proposal=FRBD src-address= template=yes


  11. Enter commands to create a new config mode:

    /ip ipsec mode-config
    add name=FRBD responder=no


  12. Enter commands to add peer:

    /ip ipsec peer
    add address=fr-bod.prod.surfshark.com exchange-mode=ike2 name=FRBD profile=FRBD

    You will need to enter the name of your chosen server to the command above (fr-bod.prod.surfshark.com in this case).


  13. Now you will need to create a new identity. It is easier to do that manually than via terminal, so close the terminal and go to IP - > IPsec


  14. Open the Identity tab, click on a blue plus icon and fill the Identity windows as in the picture below.

    Here you will need to use the Surfshark service credentials that you have found on our website at the beginning of this tutorial.


    Perr: FRBD
    Auth. Method: eap
    EAP Methods: MS-CHAPv2
    Certificate: choose the imported IKEv2 certificate
    Remote Certificate: none
    Username: Surfshark service username
    Password: Surfshark service password
    Policy Template Group: FRBD
    Notrack Chain: -
    My ID Type: auto
    Remote ID Type: auto
    Match By: remote id
    Mode Configuration: FRBD
    Generate Policy: port strict

    Click Apply and OK. Close the window.

  15. Now you will need to decide what to send via VPN. You can choose to route a specific device via VPN, or all devices connected to this network.

    In order to make all devices go via VPN you will need to set the firewall for the IP range on this network. In our case, the IP range is, so if we wish all devices connected to the Mikrotik router go via the VPN tunnel, you can use this command:

    /ip firewall address-list
    add address= list=local

    Please note that the range of IP addresses will be different on your network.

    For example, let's use the internal IP address of the computer connected to this router. The IP address of this PC is

    Open the new terminal and use commands:

    /ip firewall address-list
    add address= list=local


  16. Now you will need to assign the Firewall address list to the mode config.

    Usee commands:

    /ip ipsec mode-config
    set [ find name=FRBD ] src-address-list=local


    Great, you have connected your PC to the Surfshark VPN server in Bordeaux, France.

  17. To make sure the connection was successful, open the ipleak.net  website and check if it shows the IP and DNS addresses of the Surfshark server.


    The connection was successful!

If something is not going according to the tutorial, feel free to contact our Customer Success Sharks and they will help you out!

Was this article helpful?