{"id":153,"date":"2023-01-10T08:25:30","date_gmt":"2023-01-10T08:25:30","guid":{"rendered":"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/?page_id=153"},"modified":"2026-02-22T13:17:04","modified_gmt":"2026-02-22T13:17:04","slug":"ikev2-mikrotik-routeros-6","status":"publish","type":"page","link":"https:\/\/vpn.hamnet.network\/w\/ikev2-mikrotik-routeros-6\/","title":{"rendered":"IKEv2 &#8211; Mikrotik RouterOS 6 or 7"},"content":{"rendered":"\n\n\n<p><strong>For Mikrotik RouterOS 6 or 7 we provide some commands for the terminal:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We need to fetch the HamCloud VPN Server certificate.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/tool fetch url=https:\/\/vpn.hamnet.network\/cert\/hamcloud-vpn-root-ca.cer<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The HamCloud VPN Server certificate need to show up in the file list.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"396\" height=\"112\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-file-list.png\" alt=\"\" class=\"wp-image-154\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-file-list.png 396w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-file-list-300x85.png 300w\" sizes=\"auto, (max-width: 396px) 100vw, 396px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We need to import the certificate into RouterOS.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/certificate import file-name=hamcloud-vpn-root-ca.cer passphrase=\"\"<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RouterOS will report the successful import (ROS7: &#8220;files-imported&#8221; shows 0).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"205\" height=\"77\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-certificate-import.png\" alt=\"\" class=\"wp-image-155\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We need to create an own IPsec proposal with &#8220;pfs-group = none&#8221;.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec proposal add name=hamcloud-proposal pfs-group=none<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"537\" height=\"127\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-proposal.png\" alt=\"\" class=\"wp-image-156\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-proposal.png 537w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-proposal-300x71.png 300w\" sizes=\"auto, (max-width: 537px) 100vw, 537px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We need to add this IPsec proposal to an own IPsec policy group.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec policy group add name=hamcloud-policy-group<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"164\" height=\"129\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-proposal-group.png\" alt=\"\" class=\"wp-image-157\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We need to add an IPsec policy template.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec policy add group=hamcloud-policy-group proposal=hamcloud-proposal template=yes<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"608\" height=\"129\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-policy-template-1.png\" alt=\"\" class=\"wp-image-160\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-policy-template-1.png 608w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-policy-template-1-300x64.png 300w\" sizes=\"auto, (max-width: 608px) 100vw, 608px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We need to define the mode.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec mode-config add name=hamcloud-mode-config responder=no use-responder-dns=no connection-mark=no-mark<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"469\" height=\"129\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-mode-config.png\" alt=\"\" class=\"wp-image-161\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-mode-config.png 469w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-mode-config-300x83.png 300w\" sizes=\"auto, (max-width: 469px) 100vw, 469px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We need to define the IPsec peer.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec peer add address=&#91;:resolve ikev2.vpn.hamnet.network] exchange-mode=ike2 name=hamcloud-peer<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"493\" height=\"114\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-peer.png\" alt=\"\" class=\"wp-image-354\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-peer.png 493w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-peer-300x69.png 300w\" sizes=\"auto, (max-width: 493px) 100vw, 493px\" \/><figcaption class=\"wp-element-caption\">The address &#8220;ikev2.vpn.hamnet.network&#8221; resolves to a static IP<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We need to add an IPsec identity. Exchange &#8220;PASSWORD&#8221; and &#8220;USERNAME&#8221; with your IKEv2 HamCloud VPN credentials.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec identity add auth-method=eap certificate=\"\" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=hamcloud-mode-config password=PASSWORD peer=hamcloud-peer policy-template-group=hamcloud-policy-group username=USERNAME<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"820\" height=\"114\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-identity.png\" alt=\"\" class=\"wp-image-163\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-identity.png 820w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-identity-300x42.png 300w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-identity-768x107.png 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\" \/><\/figure>\n\n\n\n<p><strong>RouterOS 6 will now establish a connection to the HamCloud VPN server:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We can find the active peer.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"594\" height=\"114\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-active-peer.png\" alt=\"\" class=\"wp-image-355\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-active-peer.png 594w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-active-peer-300x58.png 300w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We can find installed SAs.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"536\" height=\"129\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-installed-sas.png\" alt=\"\" class=\"wp-image-356\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-installed-sas.png 536w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-installed-sas-300x72.png 300w\" sizes=\"auto, (max-width: 536px) 100vw, 536px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We can find log entries.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"672\" height=\"45\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-log.png\" alt=\"\" class=\"wp-image-357\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-log.png 672w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2025\/01\/mikrotik-ipsec-log-300x20.png 300w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A new IP address from the HamCloud VPN appears.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"312\" height=\"98\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-address.png\" alt=\"\" class=\"wp-image-167\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-address.png 312w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-address-300x94.png 300w\" sizes=\"auto, (max-width: 312px) 100vw, 312px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A new dynamic IPsec policy appears.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"668\" height=\"143\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-dynamic-policy.png\" alt=\"\" class=\"wp-image-168\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-dynamic-policy.png 668w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-dynamic-policy-300x64.png 300w\" sizes=\"auto, (max-width: 668px) 100vw, 668px\" \/><figcaption class=\"wp-element-caption\">The destination address is learned from the HamCloud VPN server<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A new dynamic NAT rule appears.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"347\" height=\"129\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-nat.png\" alt=\"\" class=\"wp-image-169\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-nat.png 347w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-ipsec-nat-300x112.png 300w\" sizes=\"auto, (max-width: 347px) 100vw, 347px\" \/><\/figure>\n\n\n\n<p><strong>Since the IPsec Peer &#8220;ikev2.vpn.hamnet.network&#8221; resolves only once to a static IP, we need to run periodically a script to check whether the IP has changed:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create the script.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/system script add name=hamcloud-dns-lookup source=\"{\\r\\\n    \\n  :local newIP (&#91;:resolve ikev2.vpn.hamnet.network] . \\\"\/32\\\")\\r\\\n    \\n  :local oldIP &#91;\/ip ipsec peer get &#91;\/ip ipsec peer find name=\\\"hamcloud-peer\\\"] address]\\r\\\n    \\n  :if (\\$oldIP != \\$newIP) do={ \/ip ipsec peer set &#91;\/ip ipsec peer find name=\\\"hamcloud-peer\\\"] address=\\$newIP }\\r\\\n    \\n}\\r\\\n    \\n\"\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"354\" height=\"113\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-script.png\" alt=\"\" class=\"wp-image-174\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-script.png 354w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-script-300x96.png 300w\" sizes=\"auto, (max-width: 354px) 100vw, 354px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add the script to the scheduler.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/system scheduler add name=hamcloud-sched interval=10h on-event=hamcloud-dns-lookup<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"642\" height=\"85\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/test\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-scheduler.png\" alt=\"\" class=\"wp-image-176\" srcset=\"https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-scheduler.png 642w, https:\/\/vpn.hamnet.network\/w\/wp-content\/uploads\/sites\/4\/2023\/01\/mikrotik-scheduler-300x40.png 300w\" sizes=\"auto, (max-width: 642px) 100vw, 642px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>For Mikrotik RouterOS 6 or 7 we provide some commands for the terminal: RouterOS 6 will now establish a connection to the HamCloud VPN server: Since the IPsec Peer &#8220;ikev2.vpn.hamnet.network&#8221; resolves only once to a static IP, we need to run periodically a script to check whether the IP has changed:<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-153","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/vpn.hamnet.network\/w\/wp-json\/wp\/v2\/pages\/153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vpn.hamnet.network\/w\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/vpn.hamnet.network\/w\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/vpn.hamnet.network\/w\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vpn.hamnet.network\/w\/wp-json\/wp\/v2\/comments?post=153"}],"version-history":[{"count":14,"href":"https:\/\/vpn.hamnet.network\/w\/wp-json\/wp\/v2\/pages\/153\/revisions"}],"predecessor-version":[{"id":398,"href":"https:\/\/vpn.hamnet.network\/w\/wp-json\/wp\/v2\/pages\/153\/revisions\/398"}],"wp:attachment":[{"href":"https:\/\/vpn.hamnet.network\/w\/wp-json\/wp\/v2\/media?parent=153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}