This guide will show you how to set up your Mikrotik router with the IKEv2 protocol.
You will learn how to:
- Find your login details
- Choose a Surfshark server
- Download the IKEv2 certificate
- Configure the IKEv2 client
To proceed, you need to have a Mikrotik router and an active Surfshark subscription, which you can purchase on our pricing page.
Find your login details
Note that the Surfshark service credentials are different from your Surfshark account credentials, namely your email address and your password.
Here is how to find your Surfshark service credentials:
- Go to this page, where you can find all the details required for a manual connection.
You may need to log in before proceeding to this page. In that case, enter your email address and your password, then click Log in.
- Click on the Credentials tab on top. You will find the Surfshark service credentials there.
It is a good idea to keep this page open for now. You will need these credentials a bit later.
Choose a Surfshark server
Please switch to the Files section to find the list of all servers and their hostnames. You will need the hostname of a VPN server. You can find the hostname below the flag icon of each location. If you wish to connect to Poland, copy the hostname for Poland - Warsaw or Poland - Gdansk servers. If you prefer connecting to Finland, copy the hostname of the Finland - Helsinki server.
Download the IKEv2 certificate
Mikrotik will also require an IKEv2 certificate file to connect.
- Scroll down the bottom of the Files page from the Choose a Surfshark server step until you see Other configuration files.
- Click the button with an arrow pointing down on the right of the IKEv2 certificate to start downloading it.
You will need this file later on in the setup process, so make sure that it's on your device before you proceed.
Configure the IKEv2 client
Open your router settings by entering the IP of your router to the URL bar of your browser.
Click Files, then click Upload.
Go to the folder where you have the IKEv2 certificate from the Download the IKEv2 certificate step. Select the certificate file and upload it.
Go to System > Certificates.
Click the Import button. Open the drop-down menu on the new pop-up window and choose the IKEv2 certificate. Click Import.
You will see the imported certificate listed there.
Now open a new terminal.
Enter the following commands to create a new profile:
/ip ipsec profile
We will name this new profile FRBD because it stands for France Bordeaux, but you can use any other name.
Enter the following commands to create a new proposal:
/ip ipsec proposal
add name=FRBD pfs-group=none
Enter the following commands to add the policy group:
/ip ipsec policy group
Enter the following commands to create a new policy:
/ip ipsec policy
add dst-address=0.0.0.0/0 group=FRBD proposal=FRBD src-address=0.0.0.0/0 template=yes
Enter the following commands to create a new config mode:
/ip ipsec mode-config
add name=FRBD responder=no
Enter the following commands to add a peer:
/ip ipsec peer
add address=fr-bod.prod.surfshark.com exchange-mode=ike2 name=FRBD profile=FRBD
You will need to enter the name of the location you wish to use. You selected this location during the Choose a Surfshark server step. So replace fr-bod.prod.surfshark.com with the location you wish to connect to.
- Now you will need to create a new identity. It is easier to do this manually than via the terminal, so close the terminal and go to IP - > IPsec.
Open the Identity tab, click on the blue plus icon and fill in the Identity window as shown in the picture below.
Now you will need the Surfshark service credentials that you collected at the beginning of this tutorial.
Auth. Method: eap
EAP Methods: MS-CHAPv2
Certificate: choose the IKEv2 certificate from the Download the IKEv2 certificate step.
Remote Certificate: none
Username: Surfshark service username from the Find your login details step.
Password: Surfshark service password from the Find your login details step.
Policy Template Group: FRBD
Notrack Chain: -
My ID Type: auto
Remote ID Type: auto
Match By: remote id
Mode Configuration: FRBD
Generate Policy: port strict
Click Apply and OK. Close the window.
Now you will need to decide what to send via the VPN. You can choose to route a specific device via the VPN or all devices connected to the network.
To make all devices go via the VPN, you will need to set the firewall for the IP range on this network. In our case, the IP range is 192.168.10.0/24, so to make all devices connected to the Mikrotik router go via the VPN tunnel, we use the following command:
/ip firewall address-list
add address=192.168.10.0/24 list=local
Please note that the range of the IP addresses will be different on your network.
For example, let's use the internal IP address of the computer connected to this router. The IP address of this computer is 192.168.10.254
Open the new terminal and use the following commands:
/ip firewall address-list
add address=192.168.10.254 list=local
Now you will need to assign the Firewall address list to the mode config.
Use the following commands:
/ip ipsec mode-config
set [ find name=FRBD ] src-address-list=local
Great, you have connected your PC to a specific Surfshark VPN server (in our example - Bordeaux, France).
- In case you are not able to open certain websites, or all websites, try adding this last command:
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \ protocol=tcp tcp-flags=syn
- To make sure the connection was successful, open the Surfshark IP checker and check if it shows the IP and DNS addresses of the Surfshark server.
Congratulations - you have successfully set up your Mikrotik with the IKEv2 protocol!
You may also be interested in: