MikroTik router tutorial with IKEv2 – Surfshark Customer Support

This guide will show you how to set up your Mikrotik router with the IKEv2 protocol.

To proceed, you will need a MikroTik router and an active Surfshark subscription, which you can purchase on our pricing page.

Find your login details

NOTE: Surfshark service credentials are different from your Surfshark account credentials, namely your email address and your password.

Here is how to find your Surfshark service credentials:

Go to the manual setup page, where you can find all the details required for a manual connection. You may need to log in before proceeding to this page. In that case, enter your email address and your password, then click Log in.
Click on the Credentials tab on top. You will find the Surfshark service credentials there.

NOTE: It is a good idea to keep this page open for now. You will need these credentials a bit later.

Choose a Surfshark server

Please switch to the Files section to find the list of all servers and their hostnames. You will need the hostname of a VPN server, which you can find below the flag icon of each location.

If you wish to connect to Poland, copy the hostname for Poland - Warsaw or Poland - Gdansk servers. If you prefer connecting to Finland, copy the hostname of the Finland - Helsinki server.

Download the IKEv2 certificate

NOTE: MikroTik will also require an IKEv2 certificate file to connect.

Scroll down the bottom of the Files page from the Choose a Surfshark server step until you see Other configuration files.
Click the button with an arrow pointing down on the right of the IKEv2 certificate to start downloading it. You will need this file later on in the setup process, so make sure that it's on your device before you proceed.

Configure the IKEv2 client

Open your router settings by entering the IP of your router into the URL bar of your browser.
Click Files, then click Upload.
Go to the folder where you have the IKEv2 certificate from the Download the IKEv2 certificate step. Select the certificate file and upload it.
Go to System > Certificates.
Click the Import button. Open the drop-down menu on the new pop-up window and choose the IKEv2 certificate. Click Import.

You will see the imported certificate listed there.
Now open a new terminal.
Enter the following commands to create a new profile:
```
/ip ipsec profile
```
```
add name=FRBD
```
NOTE: In this example, we will name this new profile FRBD because it stands for France Bordeaux, but you can use any other name.
Enter the following commands to create a new proposal:
```
/ip ipsec proposal
```
```
add name=FRBD pfs-group=none
```
Enter the following commands to add the policy group:
```
/ip ipsec policy group
```
```
add name=FRBD
```

Enter the following commands to create a new policy:

/ip ipsec policy

add dst-address=0.0.0.0/0 group=FRBD proposal=FRBD src-address=0.0.0.0/0 template=yes

Enter the following commands to create a new config mode:
```
/ip ipsec mode-config
```
```
add name=FRBD responder=no
```
Enter the following commands to add a peer:
```
/ip ipsec peer
```
```
add address=fr-bod.prod.surfshark.com exchange-mode=ike2 name=FRBD profile=FRBD
```
You will need to enter the name of the location you wish to use. You selected this location during the Choose a Surfshark server step. So replace fr-bod.prod.surfshark.com with the location you chose
Now, you will need to create a new identity. It is easier to do this manually than via the terminal, so close the terminal and go to IP > IPsec.

Open the Identity tab, click on the blue plus icon, and fill in the Identity window as shown in the picture below.

Now, you will need the Surfshark service credentials that you collected at the beginning of this tutorial.

Peer: FRBD
Auth. Method: eap
EAP Methods: MS-CHAPv2
Certificate: choose the IKEv2 certificate from the Download the IKEv2 certificate step.
Remote Certificate: none
Username: Surfshark service username from the Find your login details step.
Password: Surfshark service password from the Find your login details step.
Policy Template Group: FRBD
Notrack Chain: -
My ID Type: auto
Remote ID Type: auto
Match By: remote id
Mode Configuration: FRBD
Generate Policy: port strict

Click Apply and OK. Close the window.
You will need to decide what to send via the VPN. You can choose to route a specific device via the VPN or all devices connected to the network.
To route all devices via the VPN, you will need to set the firewall for the IP range on this network. In our case, the IP range is 192.168.10.0/24, so to make all devices connected to the Mikrotik router go via the VPN tunnel, we use the following command:
```
/ip firewall address-list
```
```
add address=192.168.10.0/24 list=local
```
Please note that the range of the IP addresses will be different on your network.

For example, let's use the internal IP address of the computer connected to this router. The IP address of this computer is 192.168.10.254

Open the new terminal and use the following commands:
```
/ip firewall address-list
```
```
add address=192.168.10.254 list=local
```
Now, you will need to assign the Firewall address list to the mode config.

Use the following commands:
```
/ip ipsec mode-config
```
```
set [ find name=FRBD ] src-address-list=local
```
If everything works, you have connected your PC to a specific Surfshark VPN server (in our example - Bordeaux, France).

In case you are not able to open certain websites or all websites, try adding this last command:

//ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \ protocol=tcp tcp-flags=syn

To ensure the connection was successful, open the Surfshark IP checker and check if it shows the IP and DNS addresses of the Surfshark server.