
Mikrotik router tutorial with IKEv2

Follow this tutorial to configure your Mikrotik router with an IKEv2 tunnel to Surfshark servers.

Please note that you will need RouterOS version 6.45 or later, because older versions do not have some required functions.

First, you will need to collect some details to set up the VPN client.

Log in to the Surfshark website, click Devices, then Manual.

 

First, you will see the list of locations where we have our servers. You will need the domain name of one server. Let's use the fr-bod.prod.surfshark.com (Bordeaux, France) server for this example.

Scroll down and you will find Other configuration files. Download the IKEv2 certificate.

Scroll down again and you will find the credentials that you will need to use for this connection method. Write them down or keep them somewhere easy to reach.

Once you collect these items, we can start with the router.

  1. Open your router settings. You can open them by entering the IP address of your router into the URL bar of your browser (or by using WinBox).

  2. Click Files, then click Upload.

  3. Go to the folder in which you have saved the IKEv2 certificate you have downloaded previously. Choose the IKEv2 certificate and upload it.


  4. Go to System -> Certificates


  5. Click the Import button. Open the drop-down menu on the new pop-up window and choose the uploaded IKEv2 certificate. Click Import.


    You will see the imported profile listed there.

  6. Now open a new terminal.


  7. Enter commands to create a new profile:

    /ip ipsec profile
    add name=FRBD

    We will name this new profile FRBD, because it stands for France Bordeaux, but you can choose your preferred name.


  8. Enter commands to create a new proposal:

    /ip ipsec proposal
    add name=FRBD pfs-group=none


  9. Enter commands to add the policy group:

    /ip ipsec policy group
    add name=FRBD


  10. Enter commands to create a new policy:

    /ip ipsec policy
    add dst-address=0.0.0.0/0 group=FRBD proposal=FRBD src-address=0.0.0.0/0 template=yes

     
  11. Enter commands to create a new mode config:

    /ip ipsec mode-config
    add name=FRBD responder=no


  12. Enter commands to add peer:

    /ip ipsec peer
    add address=fr-bod.prod.surfshark.com exchange-mode=ike2 name=FRBD profile=FRBD

    You will need to enter the name of your chosen server into the command above (fr-bod.prod.surfshark.com in this case).

  13. Now you will need to create a new identity. It is easier to do that manually than via the terminal, so close the terminal and go to IP -> IPsec.

  14. Open the Identity tab, click the blue plus icon and fill in the Identity window as follows.

    Here you will need to use the Surfshark service credentials that you found on our website at the beginning of this tutorial.

    Peer: FRBD
    Auth. Method: eap
    EAP Methods: MS-CHAPv2
    Certificate: choose the imported IKEv2 certificate
    Remote Certificate: none
    Username: Surfshark service username
    Password: Surfshark service password
    Policy Template Group: FRBD
    Notrack Chain: -
    My ID Type: auto
    Remote ID Type: auto
    Match By: remote id
    Mode Configuration: FRBD
    Generate Policy: port strict

    Click Apply and OK. Close the window.

  15. Now you will need to decide what to send via VPN. You can choose to route a specific device via VPN, or all devices connected to this network.

    To send all devices through the VPN, you will need to add the IP range of this network to a firewall address list. In our case, the IP range is 192.168.10.0/24, so if you want all devices connected to the Mikrotik router to go through the VPN tunnel, you can use this command:

    /ip firewall address-list
    add address=192.168.10.0/24 list=local


    Please note that the range of IP addresses will be different on your network.

    To route a specific device instead, use its internal IP address. In this example, the computer connected to this router has the IP address 192.168.10.254.

    Open a new terminal and use these commands:

    /ip firewall address-list
    add address=192.168.10.254 list=local

  16. Now you will need to assign the firewall address list to the mode config.

    Use these commands:

    /ip ipsec mode-config
    set [ find name=FRBD ] src-address-list=local



    Great, you have connected your PC to the Surfshark VPN server in Bordeaux, France.

  17. To make sure the connection was successful, open the ipleak.net website and check that it shows the IP and DNS addresses of the Surfshark server.

    The connection was successful!
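
Steps 14 and 17 can also be done and checked from the RouterOS terminal. The script below is an added example, not part of the original tutorial; IKEV2-CERT-NAME, SERVICE-USERNAME and SERVICE-PASSWORD are placeholders you must replace, and it assumes the FRBD names and the "local" address list created in the steps above.

```routeros
# Added example (not from the original tutorial). Placeholders are assumptions:
#   IKEV2-CERT-NAME   - certificate name shown by "/certificate print" after step 5
#   SERVICE-USERNAME / SERVICE-PASSWORD - service credentials from the Manual page

# Step 14 from the terminal: the same values as the Identity window.
# Remote Certificate, My ID Type, Remote ID Type and Match By are left at their
# defaults (none, auto, auto, remote id), which match the values in step 14.
/ip ipsec identity
add peer=FRBD auth-method=eap eap-methods=eap-mschapv2 \
    certificate=IKEV2-CERT-NAME \
    username=SERVICE-USERNAME password=SERVICE-PASSWORD \
    policy-template-group=FRBD mode-config=FRBD generate-policy=port-strict

# Router-side checks to go with step 17.

# 1. The imported certificate is present and its name matches the identity.
/certificate print

# 2. The peer appears here once the IKEv2 exchange has completed.
/ip ipsec active-peers print

# 3. Security associations exist, one per traffic direction.
/ip ipsec installed-sa print

# 4. A dynamic policy has been generated from the FRBD template.
/ip ipsec policy print

# 5. Mode config with src-address-list creates a dynamic source NAT rule
#    while the tunnel is up; if it is missing, traffic is not being tunnelled.
/ip firewall nat print

# 6. Only the addresses in this list are sent through the VPN.
/ip firewall address-list print where list=local
```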


If something is not going according to the tutorial, feel free to contact our Customer Success Sharks and they will help you out!
