Mikrotik router tutorial with IKEv2

This guide will show you how to set up your Mikrotik router with the IKEv2 protocol. This way, you will be able to protect all devices connected to the router in one go.

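You will learn how to:

  1. Find your login details
  2. Choose a Surfshark server
  3. Download the IKEv2 certificate
  4. Configure the IKEv2 client
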

To proceed, you need to have a Mikrotik router and an active Surfshark subscription. 

If you don’t have a subscription yet, you can get it here.

 

 

Find your login details

You'll need Surfshark service credentials to connect to the VPN using a manual IKEv2 configuration. Note that the Surfshark service credentials are different from your Surfshark account credentials, namely your email address and your password.



Here is how to find your Surfshark service credentials:

  1. Go to this page, where you can find all the details required for a manual connection.

    You may need to log in before proceeding to this page. In that case, enter your email address and your password, then click Log in.

  2. Click on the Credentials tab on top. You will find the Surfshark service credentials there.


It is a good idea to keep this page open for now. You will need these credentials a bit later.

 

 

Choose a Surfshark server


Every server location has a hostname that you need to use on the router to connect to a particular server.

Please switch to the Files section to find the list of all servers and their hostnames. You will need the hostname of a VPN server. You can find the hostname below the flag icon of each location. If you wish to connect to Poland, copy the hostname for Poland - Warsaw or Poland - Gdansk servers. If you prefer connecting to Finland, copy the hostname of the Finland - Helsinki server.


 

Download the IKEv2 certificate

 

Mikrotik will also require an IKEv2 certificate file to connect.

  1. Scroll down to the bottom of the Files page from the Choose a Surfshark server step until you see Other configuration files.


  2. Click the button with an arrow pointing down on the right of the IKEv2 certificate to start downloading it.

 

You will need this file later on in the setup process, so make sure that it's on your device before you proceed.

 

Configure the IKEv2 client

 

  1. Open your router settings by entering the IP address of your router into the address bar of your browser.


  2. Click Files, then click Upload.


  3. Go to the folder where you have the IKEv2 certificate from the Download the IKEv2 certificate step. Select the certificate file and upload it.


  4. Go to System -> Certificates.


  5. Click the Import button. Open the drop-down menu on the new pop-up window and choose the IKEv2 certificate. Click Import.


    You will see the imported certificate listed there.

  6. Now open a new terminal.


  7. Enter the following commands to create a new profile:

    /ip ipsec profile
    add name=FRBD

    We will name this new profile FRBD because it stands for France Bordeaux, but you can use any other name.


  8. Enter the following commands to create a new proposal:

    /ip ipsec proposal
    add name=FRBD pfs-group=none


  9. Enter the following commands to add the policy group:

    /ip ipsec policy group
    add name=FRBD


  10. Enter the following commands to create a new policy:

    /ip ipsec policy
    add dst-address=0.0.0.0/0 group=FRBD proposal=FRBD src-address=0.0.0.0/0 template=yes


  11. Enter the following commands to create a new config mode:

    /ip ipsec mode-config
    add name=FRBD responder=no


  12. Enter the following commands to add a peer:

    /ip ipsec peer
    add address=fr-bod.prod.surfshark.com exchange-mode=ike2 name=FRBD profile=FRBD

    You will need to enter the hostname of the location you wish to use. You selected this location during the Choose a Surfshark server step, so replace fr-bod.prod.surfshark.com with the hostname of the location you wish to connect to.


  13. Now you will need to create a new identity. It is easier to do this manually than via the terminal, so close the terminal and go to IP -> IPsec.


  14. Open the Identity tab, click on the blue plus icon and fill in the Identity window with the values listed below.

    Now you will need the Surfshark service credentials that you collected at the beginning of this tutorial.

    Peer: FRBD
    Auth. Method: eap
    EAP Methods: MS-CHAPv2
    Certificate: choose the IKEv2 certificate from the Download the IKEv2 certificate step.
    Remote Certificate: none
    Username: Surfshark service username from the Find your login details step.
    Password: Surfshark service password from the Find your login details step.
    Policy Template Group: FRBD
    Notrack Chain: -
    My ID Type: auto
    Remote ID Type: auto
    Match By: remote id
    Mode Configuration: FRBD
    Generate Policy: port strict

    Click Apply and OK. Close the window.


  15. Now you will need to decide what to send via the VPN. You can choose to route a specific device via the VPN or all devices connected to the network.

    To make all devices go via the VPN, you will need to add the IP range of this network to a firewall address list. In our case, the IP range is 192.168.10.0/24, so to make all devices connected to the Mikrotik router go via the VPN tunnel, we use the following commands:

    /ip firewall address-list
    add address=192.168.10.0/24 list=local


    Please note that the range of the IP addresses will be different on your network.

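    To route only a specific device via the VPN, add its IP address to the list instead of the whole range. For example, let's use the internal IP address of the computer connected to this router. The IP address of this computer is 192.168.10.254.

    Open a new terminal and use the following commands: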


    /ip firewall address-list
    add address=192.168.10.254 list=local


  16. Now you will need to assign the Firewall address list to the mode config.

    Use the following commands:

    /ip ipsec mode-config
    set [ find name=FRBD ] src-address-list=local


    Great, you have connected your PC to a specific Surfshark VPN server (in our example - Bordeaux, France).


  17. To make sure the connection was successful, open the ipleak.net website and check if it shows the IP and DNS addresses of the Surfshark server.

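The Identity window from step 14 can also be entered in the terminal, and the tunnel can be checked on the router itself before testing from a browser. This is an added example, not part of the original guide; the certificate name and credentials in angle brackets are placeholders, and Remote Certificate, My ID Type, Remote ID Type and Match By are assumed to be left at their defaults.

```routeros
# Added example: terminal equivalent of the Identity window (step 14),
# followed by on-router checks that the tunnel is established.
# Placeholders to replace with your own values:
#   <imported-certificate-name>  name shown after the import in step 5
#   <service-username>           Surfshark service username
#   <service-password>           Surfshark service password

# Find the name RouterOS gave the IKEv2 certificate when it was imported
/certificate print

# Step 14 as a single command. Values match the Identity window fields:
# Peer, Auth. Method, EAP Methods, Certificate, Username, Password,
# Policy Template Group, Mode Configuration, Generate Policy.
/ip ipsec identity
add peer=FRBD auth-method=eap eap-methods=eap-mschapv2 \
    certificate=<imported-certificate-name> \
    username=<service-username> password=<service-password> \
    policy-template-group=FRBD mode-config=FRBD \
    generate-policy=port-strict

# After step 16, confirm the peer is listed as established
/ip ipsec active-peers print

# A dynamic policy created from the FRBD template should be present
/ip ipsec policy print

# A dynamic source NAT rule covering the "local" address list should be present
/ip firewall nat print
```

If the peer is not listed as established, devices in the local address list are not going through the VPN, and the ipleak.net check in step 17 will show your ISP address rather than the Surfshark server.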

 

Congratulations - you have successfully set up your Mikrotik with the IKEv2 protocol!

 

 

If you have any further questions, our customer success team is here to help you 24/7 over live chat or email.
